Edit tour

Windows Analysis Report
LisectAVT_2403002A_482.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_482.exe
Analysis ID:	1482213
MD5:	8121ad7d4b71fae42dd6c4309774c4b7
SHA1:	3ef344fc8aca4cd2d024d5f389e7a7325e2242dc
SHA256:	cf3f993a1f57ff01cc5ba08b79282ece75860c3cfa7ab1339857b51db172cc66
Tags:	exe
Infos:

Detection

PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables security privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_482.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_482.exe" MD5: 8121AD7D4B71FAE42DD6C4309774C4B7)

MSBuild.exe (PID: 4684 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 4324 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_482.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
LisectAVT_2403002A_482.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
LisectAVT_2403002A_482.exe	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x1848bd:$s2: is protected by an unregistered version of .NET Reactor!" );</script>
LisectAVT_2403002A_482.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x184519:$s1: file:/// 0x184475:$s2: {11111-22222-10009-11112} 0x1844a9:$s3: {11111-22222-50001-00000} 0x1651c4:$s4: get_Module 0x15c3ec:$s5: Reverse 0x14b942:$s6: BlockCopy 0x16052b:$s7: ReadByte 0x18452b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.1286915263.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1269206159.0000000005286000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1269206159.0000000004C02000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000000.1257963712.0000000000AA2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: LisectAVT_2403002A_482.exe PID: 1664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 4324	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.MSBuild.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.LisectAVT_2403002A_482.exe.4f33660.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.LisectAVT_2403002A_482.exe.4f33660.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x1848bd:$s2: is protected by an unregistered version of .NET Reactor!" );</script>
0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x184519:$s1: file:/// 0x184475:$s2: {11111-22222-10009-11112} 0x1844a9:$s3: {11111-22222-50001-00000} 0x1651c4:$s4: get_Module 0x15c3ec:$s5: Reverse 0x14b942:$s6: BlockCopy 0x16052b:$s7: ReadByte 0x18452b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.LisectAVT_2403002A_482.exe.4c027d0.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 3 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T19:36:04.889246+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.7

Timestamp:	2024-07-25T19:36:43.685277+0200
SID:	2022930
Source Port:	443
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_482.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_482.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E98DEE0 CryptReleaseContext,	0_2_6E98DEE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E98DE00 CryptGenRandom,__CxxThrowException@8,	0_2_6E98DE00
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E98DD20 CryptReleaseContext,	0_2_6E98DD20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E98DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,	0_2_6E98DBB0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E98D9D0 CryptAcquireContextA,GetLastError,	0_2_6E98D9D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E98D7D5 CryptReleaseContext,	0_2_6E98D7D5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E98D7F0 CryptReleaseContext,	0_2_6E98D7F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9B35E0 CryptReleaseContext,	0_2_6E9B35E0

Source: LisectAVT_2403002A_482.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: LisectAVT_2403002A_482.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: LisectAVT_2403002A_482.exe, 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1269206159.0000000004C02000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.0000000006014000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1328134433.0000000006E50000.00000004.08000000.00040000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: LisectAVT_2403002A_482.exe, 00000000.00000002.1328134433.0000000006F0A000.00000004.08000000.00040000.00000000.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.00000000060D1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.0000000005F46000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then jmp 0329A33Ah	0_2_0329A288
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_03291930
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_03291B48
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_03299F58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_03291B50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_03299F50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_03291A38
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_03291A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then jmp 03299B42h	0_2_03299A88
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then jmp 0329A33Ah	0_2_0329A280
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then jmp 03299B42h	0_2_03299A90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_03291929
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_03290560
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_03290554
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_03291C60
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_03291C5A

Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldbh equals www.youtube.com (Youtube)
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: copyFrom+https://me.yahoo.com/Khttps://www.google.com/accounts/o8/id3https://www.myopenid.com/;https://pip.verisignlabs.com/+https://myvidoop.com/ equals www.yahoo.com (Yahoo)
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://axschema.org/birthDateQhttp://axschema.org/contact/country/homeChttp://axschema.org/contact/e
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://reltype.google.com/openid/xrd-op
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://specs.openid.net/auth/2.0_Provider
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://www.iana.org/assignments/relation/describedby
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdfuhttp://www.idmanagement.gov/
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: https://me.yahoo.com/Khttps://www.google.com/accounts/o8/id3https://www.myopenid.com/;https://pip.ve
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: https://myvidoop.com/
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: https://www.google.com/accounts/o8/.well-known/host-meta?hd=

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: MSBuild.exe, 00000004.00000002.1294504509.00000000030C7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_19dc8be6-2

System Summary

Malicious sample detected (through community Yara rule)

Source: LisectAVT_2403002A_482.exe, type: SAMPLE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: LisectAVT_2403002A_482.exe, type: SAMPLE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: 0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: 0.2.LisectAVT_2403002A_482.exe.4f33660.2.raw.unpack, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E95B6B0	0_2_6E95B6B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E984EE0	0_2_6E984EE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9AAC29	0_2_6E9AAC29
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E952D70	0_2_6E952D70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E974AC0	0_2_6E974AC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9A0B89	0_2_6E9A0B89
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E938B30	0_2_6E938B30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E974970	0_2_6E974970
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E936650	0_2_6E936650
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E93C7B0	0_2_6E93C7B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E93A7E0	0_2_6E93A7E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E974550	0_2_6E974550
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9AA54D	0_2_6E9AA54D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9863B0	0_2_6E9863B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E992310	0_2_6E992310
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E94A0C0	0_2_6E94A0C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E985EB9	0_2_6E985EB9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E973E50	0_2_6E973E50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9A9FFC	0_2_6E9A9FFC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9ABFF1	0_2_6E9ABFF1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E973C90	0_2_6E973C90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E991CA0	0_2_6E991CA0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9A5DD2	0_2_6E9A5DD2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E985DD0	0_2_6E985DD0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9A9AAB	0_2_6E9A9AAB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9858D5	0_2_6E9858D5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9858D7	0_2_6E9858D7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E985830	0_2_6E985830
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E9AB964	0_2_6E9AB964
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E973460	0_2_6E973460
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E985274	0_2_6E985274
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E973260	0_2_6E973260
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E985050	0_2_6E985050
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_0175A578	0_2_0175A578
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_01758C78	0_2_01758C78
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_01750EAF	0_2_01750EAF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_0175E000	0_2_0175E000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_017573FA	0_2_017573FA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_01752524	0_2_01752524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_0104A593	4_2_0104A593

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: String function: 6E99D520 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: String function: 6E9990D8 appears 51 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: String function: 6E999B35 appears 141 times

Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1269206159.0000000004C02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePyrophobia.exe" vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1328134433.0000000006FD8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000000.1258343665.0000000000E58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamestationmainsoftware_wave.exeT2 vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePyrophobia.exe" vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1298985795.0000000005770000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.0000000006014000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1264804436.0000000001417000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.00000000061A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1331252332.00000000073A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe, 00000000.00000002.1268496958.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs LisectAVT_2403002A_482.exe
Source: LisectAVT_2403002A_482.exe	Binary or memory string: OriginalFilenamestationmainsoftware_wave.exeT2 vs LisectAVT_2403002A_482.exe

Source: LisectAVT_2403002A_482.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: LisectAVT_2403002A_482.exe, type: SAMPLE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: LisectAVT_2403002A_482.exe, type: SAMPLE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: LisectAVT_2403002A_482.exe, AES128CBC.cs	Cryptographic APIs: 'TransformBlock'
Source: LisectAVT_2403002A_482.exe, TripleDESCBC.cs	Cryptographic APIs: 'CreateDecryptor'
Source: LisectAVT_2403002A_482.exe, TripleDESCBC.cs	Cryptographic APIs: 'TransformBlock'
Source: LisectAVT_2403002A_482.exe, Certificate.cs	Cryptographic APIs: 'TransformBlock'
Source: LisectAVT_2403002A_482.exe, iQni2irWV7wBVewwPJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: LisectAVT_2403002A_482.exe, Ssl3CipherSuites.cs	Cryptographic APIs: 'CreateDecryptor'
Source: LisectAVT_2403002A_482.exe, W4tm6BPxnCpSlBMF6w1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: LisectAVT_2403002A_482.exe, W4tm6BPxnCpSlBMF6w1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: LisectAVT_2403002A_482.exe, Tls1CipherSuites.cs	Cryptographic APIs: 'CreateDecryptor'

Source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *.sln
Source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/3@1/0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_482.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to behavior

Source: LisectAVT_2403002A_482.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LisectAVT_2403002A_482.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_482.exe	String found in binary or memory: InstalledLabel-InstalledPackagesLabel/InstallLicenseAgreement
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: InstalledLabel-InstalledPackagesLabel/InstallLicenseAgreement
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: ~/packages/Install.cshtml
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: @import url(../installer.css);
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: background:url("../images/Installer_body_bg.png") #e3e4e8;
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: @import url(../installer.css);
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: include "./InstallCustomizationProductListGrid.tis";
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: <td><button type="checkbox" checked style="foreground-image:url(../images/Install_Antivirus_small.png);"></button>Install COMODO Antivirus</td>
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: <td><button type="checkbox" checked style="../images/Install_Antivirus_small.png);"></button>
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: <td><button type="checkbox" checked style="foreground-image:url(../images/installer_min_ui_icon.png);"></button>
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: <td><button type="checkbox" checked style="foreground-image:url(../images/installer_min_ui_icon.png);"></button>2. I want PrivDog block</td>
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: foreground-image:url("../images/installer_min_ui_icon.png");
Source: LisectAVT_2403002A_482.exe	String found in binary or memory: <body class="SingleFrameBase" caption="Post-install call offer">

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe "C:\Users\user\Desktop\LisectAVT_2403002A_482.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LisectAVT_2403002A_482.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002A_482.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_482.exe

Static file information: File size 4309415 > 1048576

Source: LisectAVT_2403002A_482.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3b4200

Source: LisectAVT_2403002A_482.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: LisectAVT_2403002A_482.exe, 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1269206159.0000000004C02000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.0000000006014000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1328134433.0000000006E50000.00000004.08000000.00040000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000004.00000002.1331873403.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: LisectAVT_2403002A_482.exe, 00000000.00000002.1328134433.0000000006F0A000.00000004.08000000.00040000.00000000.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.00000000060D1000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_482.exe, 00000000.00000002.1302733673.0000000005F46000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: LisectAVT_2403002A_482.exe, W4tm6BPxnCpSlBMF6w1.cs

.Net Code: Type.GetTypeFromHandle(wDU0EbogyWA7JtKLO1X.oo3HjQ1hqvrBD(16778042)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(wDU0EbogyWA7JtKLO1X.oo3HjQ1hqvrBD(16777323)),Type.GetTypeFromHandle(wDU0EbogyWA7JtKLO1X.oo3HjQ1hqvrBD(16777281))})

Source: LisectAVT_2403002A_482.exe

Static PE information: 0x9E8E16EE [Sat Apr 18 08:01:50 2054 UTC]

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Code function: 0_2_6E94B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6E94B6C0

Source: LisectAVT_2403002A_482.exe

Static PE information: real checksum: 0x428614 should be: 0x42861b

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E99CC2B push ecx; ret	0_2_6E99CC3E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E99D565 push ecx; ret	0_2_6E99D578
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_0175573C push es; iretd	0_2_01755742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_010447F0 push edx; retf	4_2_010447F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_010447F3 push edx; retf	4_2_010447F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4_2_01044889 push esp; retf	4_2_0104488A

Source: LisectAVT_2403002A_482.exe, Wk7omsouO9sW1HSvghQ.cs	High entropy of concatenated method names: 'x0eHjQvz2hFAM', 'dBLveOhkNnJudtMfT1D', 'YnyxONhvjxAs0xYUmFr', 'g0kAXNheTNVa9ZpuJq7', 'PYisQqhhw7WGsdB8maX', 'Vsp5eBhRTnreKKM25Rl', 'WjMeDShWDXSGLrqvk5h'
Source: LisectAVT_2403002A_482.exe, iQni2irWV7wBVewwPJ.cs	High entropy of concatenated method names: 'pGvgndBxQ', 'JgdsLGuuY', 'GGnJjiMLS', 'G3DOMUoJO', 'fbdaLexq3', 'MlAf38ddWCPBosvKtI', 'TsBop8qDU30jJe10XG', 'Pr76oU6v4', 'iJ8PDDDnI', 'eGfcfqGIJ'
Source: LisectAVT_2403002A_482.exe, ylCXOioY29y90xbXFlu.cs	High entropy of concatenated method names: 'P6Y0TwFLgZ', 'arR0qo9Ew5', 'mO808R9OAa', 'JAr0dY9hUQ', 'jdl0gy7sED', 'bJd0sFmRiB', 'V770Jlhwhm', 'Pos0OZMT3Z', 'Xur0afX2uW', 'qJG06pUotd'
Source: LisectAVT_2403002A_482.exe, W4tm6BPxnCpSlBMF6w1.cs	High entropy of concatenated method names: 'dxM0K5n2Ci', 'CTX3QRhu4PI6wBcxhPi', 'fHSkdAnkJf', 'v9H0nQor0h', 'qJG0vcs0uu', 'PFh0N7Qpim', 'w9y0osVsjK', 'otuHjQv1eYUm0', 'dQpS45ErC9', 'ImISjtGC1D'
Source: LisectAVT_2403002A_482.exe, bgBWyDP8QoBRBnjm9Z.cs	High entropy of concatenated method names: 'BS1UFMaFd', 'DaW2theb3', 'Equals', 'GetHashCode', 'WrrHv4yDl', 'ToString', 'WaYQm5wWWvJDVQFNnc', 'FGOBNEbF4f6UiYwi1D', 'N1bbkhJS68pnlgAsKN', 'MtNo7rQgIPqSASnfyl'
Source: LisectAVT_2403002A_482.exe, Resources.cs	High entropy of concatenated method names: 'VHCUIEMkt354Gv9IMl', 'wd9QZNFV0w7wG0XWrr', 'RnWb5qNgYVHmUEqdKE', 'zn0EW6ouXBKymfynJo', 'B1DKrcpKW723vhPRdC', 'Ddxg7n52r94EYLer4M', 'MM3VZaAjQoEbPJi3pY'

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: LisectAVT_2403002A_482.exe PID: 1664, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory allocated: 1710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory allocated: 18B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory allocated: 5D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory allocated: 6D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 13D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe TID: 4872	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe TID: 6956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4340	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,
Source: MSBuild.exe, 00000004.00000002.1294504509.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

API call chain: ExitProcess graph end node

graph_0-55963

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Code function: 0_2_6E99948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6E99948B

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Code function: 0_2_6E94B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6E94B6C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E99948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6E99948B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Code function: 0_2_6E99B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6E99B144

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 48A000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C3B008	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe			Jump to behavior

Source: MSBuild.exe, 00000004.00000002.1294504509.00000000030C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: MSBuild.exe, 00000004.00000002.1294504509.00000000030C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Code function: 0_2_6E9984B0 cpuid

0_2_6E9984B0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Code function: 0_2_6E99A25A GetSystemTimeAsFileTime,__aulldiv,

0_2_6E99A25A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: LisectAVT_2403002A_482.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1257963712.0000000000AA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_482.exe.4f33660.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_482.exe.4f33660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_482.exe.4c027d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1286915263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1269206159.0000000005286000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1269206159.0000000004C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4324, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: LisectAVT_2403002A_482.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: LisectAVT_2403002A_482.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1257963712.0000000000AA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 4.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_482.exe.4f33660.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_482.exe.4f33660.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_482.exe.4c027d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1286915263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1269206159.0000000005286000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1269206159.0000000004C02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4324, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: LisectAVT_2403002A_482.exe, type: SAMPLE
Source: Yara match	File source: 0.0.LisectAVT_2403002A_482.exe.aa0000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_482.exe

Code function: 0_2_6E94A0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6E94A0C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	312 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_482.exe	100%	Avira	TR/Kryptik.rwznm
LisectAVT_2403002A_482.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://www.google.com/accounts/o8/.well-known/host-meta?hd=	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier	0%	Avira URL Cloud	safe
https://myvidoop.com/	0%	Avira URL Cloud	safe
http://axschema.org/birthDateQhttp://axschema.org/contact/country/homeChttp://axschema.org/contact/e	0%	Avira URL Cloud	safe
https://api.ip.s	0%	Avira URL Cloud	safe
http://www.iana.org/assignments/relation/describedby	0%	Avira URL Cloud	safe
https://me.yahoo.com/Khttps://www.google.com/accounts/o8/id3https://www.myopenid.com/;https://pip.ve	0%	Avira URL Cloud	safe
http://reltype.google.com/openid/xrd-op	0%	Avira URL Cloud	safe
http://specs.openid.net/auth/2.0_Provider	0%	Avira URL Cloud	safe
http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdfuhttp://www.idmanagement.gov/	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		unknown
time.windows.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	LisectAVT_2403002A_482.exe	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/accounts/o8/.well-known/host-meta?hd=	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	LisectAVT_2403002A_482.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	LisectAVT_2403002A_482.exe	false	URL Reputation: safe	unknown
http://www.iana.org/assignments/relation/describedby	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	LisectAVT_2403002A_482.exe	false	URL Reputation: safe	unknown
https://me.yahoo.com/Khttps://www.google.com/accounts/o8/id3https://www.myopenid.com/;https://pip.ve	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	MSBuild.exe, 00000004.00000002.1294504509.0000000002FCE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myvidoop.com/	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
https://api.ip.s	MSBuild.exe, 00000004.00000002.1294504509.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reltype.google.com/openid/xrd-op	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
http://axschema.org/birthDateQhttp://axschema.org/contact/country/homeChttp://axschema.org/contact/e	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
http://specs.openid.net/auth/2.0_Provider	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
http://www.idmanagement.gov/schema/2009/05/icam/openid-trust-level1.pdfuhttp://www.idmanagement.gov/	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets	LisectAVT_2403002A_482.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482213
Start date and time:	2024-07-25 19:34:48 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_482.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/3@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 116 Number of non-executed functions: 201
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9, 184.28.90.27, 40.127.169.103, 199.232.210.172, 13.95.31.18, 93.184.221.240, 52.165.164.15
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002A_482.exe

Simulations

Behavior and APIs

Time	Type	Description
13:35:42	API Interceptor	1x Sleep call for process: LisectAVT_2403002A_482.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://we.tl/t-RErWU1YgQS	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://link.edgepilot.com/s/ffd2b499/yDWVkbNI4U2Q4sOU_SttcQ?u=https://app.smartdraw.com/share.aspx/?pubDocShare=ADCD2AD01498233B06F10716AAA07D9C1E6	Get hash	malicious	Unknown	Browse	199.232.214.172
	LisectAVT_2403002A_495.dll.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://docusign.net	Get hash	malicious	Unknown	Browse	199.232.214.172
	LisectAVT_2403002A_80.exe	Get hash	malicious	GuLoader	Browse	199.232.214.172
	https://call.imoim.net/CdogBQ	Get hash	malicious	Unknown	Browse	199.232.210.172
	LisectAVT_2403002B_127.exe	Get hash	malicious	Bdaejec	Browse	199.232.210.172
	LisectAVT_2403002B_203.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://forms.office.com/Pages/ResponsePage.aspx?id=2zW8lMsRrkyqi7IHHVNhLgILSZ8nyRhPs0os36GqVFNURElXNEQwRldKWjdYM0cwRERLSFFETE9ERy4u	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	LisectAVT_2403002B_236.exe	Get hash	malicious	Unknown	Browse	199.232.210.172

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	86KZvDaOZR.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	t0R4HiIJp7.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_482.exe.log

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_482.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.358731107079437
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
MD5:	93E4C46884CB6EE7CDCC4AACE78CDFAC
SHA1:	29B12D9409BA9AFE4C949F02F7D232233C0B5228
SHA-256:	2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
SHA-512:	E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MsBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_482.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	760320
Entropy (8bit):	6.561572491684602
Encrypted:	false
SSDEEP:	12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
MD5:	544CD51A596619B78E9B54B70088307D
SHA1:	4769DDD2DBC1DC44B758964ED0BD231B85880B65
SHA-256:	DFCE2D4D06DE6452998B3C5B2DC33EAA6DB2BD37810D04E3D02DC931887CFDDD
SHA-512:	F56D8B81022BB132D40AA78596DA39B5C212D13B84B5C7D2C576BBF403924F1D22E750DE3B09D1BE30AEA359F1B72C5043B19685FC9BF06D8040BFEE16B17719
Malicious:	false
Joe Sandbox View:	Filename: 86KZvDaOZR.exe, Detection: malicious, Browse Filename: CHA0VZiz8y.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, Detection: malicious, Browse Filename: BI6oo9z4In.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: t0R4HiIJp7.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v...2...2...2...]...6....f..0...)=..,...)=....;...;...2.~.C...)=..i...)=......)=..3...)=..3...Rich2...........PE..L....#da...........!.....(...n...............@......................................(.....@.............................C.......x................................n...B..................................@............@...............................text....&.......(.................. ..`.rdata......@.......,..............@..@.data...`...........................@....rsrc...............................@..@.reloc..R...........................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.386031487787678
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_482.exe
File size:	4'309'415 bytes
MD5:	8121ad7d4b71fae42dd6c4309774c4b7
SHA1:	3ef344fc8aca4cd2d024d5f389e7a7325e2242dc
SHA256:	cf3f993a1f57ff01cc5ba08b79282ece75860c3cfa7ab1339857b51db172cc66
SHA512:	f1a80999bdd2de30faa5265e0004a6c61f66dd43c696ce5a3cd28e4ec31524e9fd8175f56bd05502f7d40188fe6669dda0c1a3c0d881665f5451b9c91cd2fcb5
SSDEEP:	49152:UZpwrL+M9T9fSRvgwJl5FQsSRWZwpx1BcRj0wRUAAV7DW1lDj66Na0BYrM4:UyL9aUsSRCw/1Bc1opVDWvfNaOyM4
TLSH:	7D16BF12F6D4CB12C1EF9676C9F2141817B5EBA79762C31E36AC27B90F537264E83242
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P..B;..........`;.. ....;...@.. .......................`A.......B...@................................

File Icon


Icon Hash:	13fb5393db199053

Static PE Info

General

Entrypoint:	0x7b60be
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9E8E16EE [Sat Apr 18 08:01:50 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b6070	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b8000	0x5af98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x40f600	0xcba0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x414000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3b40c4	0x3b4200	bbc120952b0a2a35c2a4855fe67c420d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3b8000	0x5af98	0x5b000	855338dac1e06faeda65c1b75a1dca37	False	0.3160896720467033	data	6.473464533290732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x414000	0xc	0x200	2055cd03711e771291fc4144e793f767	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b93e4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384			0.3914737836561171
RT_ICON	0x3bd60c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536			0.3217053117236484
RT_ICON	0x3cde34	0xd343	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9967272525562562
RT_GROUP_ICON	0x3db178	0x30	data			0.8541666666666666
RT_VERSION	0x3db1a8	0x3bc	data			0.3912133891213389
RT_HTML	0x3db564	0x57d5	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.17513898154325105
RT_HTML	0x3e0d3c	0x1921	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3342142079900513
RT_HTML	0x3e2660	0xaa7	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.39053905390539057
RT_HTML	0x3e3108	0x60b	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.45701357466063347
RT_HTML	0x3e3714	0x850	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.43139097744360905
RT_HTML	0x3e3f64	0x609	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4414239482200647
RT_HTML	0x3e4570	0x5fa	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.44248366013071894
RT_HTML	0x3e4b6c	0x98c	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3248772504091653
RT_HTML	0x3e54f8	0x5a6	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.43084370677731676
RT_HTML	0x3e5aa0	0xaab	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.40388136213841086
RT_HTML	0x3e654c	0x657	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.39063462723351816
RT_HTML	0x3e6ba4	0xa5f	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.40451977401129946
RT_HTML	0x3e7604	0x6b0	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4322429906542056
RT_HTML	0x3e7cb4	0x15f2	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.30758276966892134
RT_HTML	0x3e92a8	0x7b3	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4140030441400304
RT_HTML	0x3e9a5c	0x703e	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.147038351778381
RT_HTML	0x3f0a9c	0x6c8	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4274193548387097
RT_HTML	0x3f1164	0x666	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4365079365079365
RT_HTML	0x3f17cc	0x767	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.41055408970976254
RT_HTML	0x3f1f34	0x852	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4103286384976526
RT_HTML	0x3f2788	0xb09	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.400353982300885
RT_HTML	0x3f3294	0x9ca	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.41101356743814843
RT_HTML	0x3f3c60	0xf44	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.38996929375639716
RT_HTML	0x3f4ba4	0x1bad	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3340860973888497
RT_HTML	0x3f6754	0xecb	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.30895167678901503
RT_HTML	0x3f7620	0xf84	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3230110775427996
RT_HTML	0x3f85a4	0xbe9	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3604460478845523
RT_HTML	0x3f9190	0xc1b	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3607615359793482
RT_HTML	0x3f9dac	0xe11	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3140794223826715
RT_HTML	0x3fabc0	0x1094	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.3124410933081998
RT_HTML	0x3fbc54	0x4d5	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.44543249797898143
RT_HTML	0x3fc12c	0x6f0e	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.14403798804080198
RT_HTML	0x40303c	0xca1	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4002474481905351
RT_HTML	0x403ce0	0x198d	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.332365081791775
RT_HTML	0x405670	0x893	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.40865603644646925
RT_HTML	0x405f04	0x9da	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.39413164155432195
RT_HTML	0x4068e0	0x6f0e	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.14403798804080198
RT_HTML	0x40d7f0	0x172d	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.32782740603404686
RT_HTML	0x40ef20	0x84a	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.410933081998115
RT_HTML	0x40f76c	0x8d8	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4218197879858657
RT_HTML	0x410044	0xf2c	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.345005149330587
RT_HTML	0x410f70	0x69e	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.43506493506493504
RT_HTML	0x411610	0x701	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.40936977133296154
RT_HTML	0x411d14	0x580	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.43110795454545453
RT_HTML	0x412294	0x459	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.4384546271338724
RT_HTML	0x4126f0	0x476	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.44833625218914186
RT_MANIFEST	0x412b68	0x42e	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1010), with CRLF line terminators			0.5037383177570094

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T19:36:04.889246+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49706	40.127.169.103	192.168.2.7
2024-07-25T19:36:43.685277+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49710	40.127.169.103	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 19:35:40.295391083 CEST	49674	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:35:40.295414925 CEST	49675	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:35:40.357851982 CEST	49672	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:35:40.514085054 CEST	49671	443	192.168.2.7	204.79.197.203
Jul 25, 2024 19:35:44.530168056 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 19:35:44.904706001 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 19:35:45.326679945 CEST	49671	443	192.168.2.7	204.79.197.203
Jul 25, 2024 19:35:45.654716015 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 19:35:47.155658960 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 19:35:49.967246056 CEST	49674	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:35:49.967279911 CEST	49675	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:35:50.014130116 CEST	49672	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:35:50.154778004 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 19:35:52.408023119 CEST	443	49699	104.98.116.138	192.168.2.7
Jul 25, 2024 19:35:52.408932924 CEST	49699	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:35:55.018215895 CEST	49671	443	192.168.2.7	204.79.197.203
Jul 25, 2024 19:35:56.105889082 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 19:36:01.326742887 CEST	49699	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:36:01.327512026 CEST	49705	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:36:01.327543974 CEST	443	49705	104.98.116.138	192.168.2.7
Jul 25, 2024 19:36:01.327636957 CEST	49705	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:36:01.330766916 CEST	49705	443	192.168.2.7	104.98.116.138
Jul 25, 2024 19:36:01.330780029 CEST	443	49705	104.98.116.138	192.168.2.7
Jul 25, 2024 19:36:01.331645012 CEST	443	49699	104.98.116.138	192.168.2.7
Jul 25, 2024 19:36:08.021456957 CEST	49677	443	192.168.2.7	20.50.201.200
Jul 25, 2024 19:36:44.082539082 CEST	443	49705	104.98.116.138	192.168.2.7
Jul 25, 2024 19:36:44.082664967 CEST	49705	443	192.168.2.7	104.98.116.138

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 19:35:50.364857912 CEST	53304	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 19:35:50.364857912 CEST	192.168.2.7	1.1.1.1	0x1174	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 19:35:50.373223066 CEST	1.1.1.1	192.168.2.7	0x1174	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 19:36:02.741749048 CEST	1.1.1.1	192.168.2.7	0x4cd9	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:36:02.741749048 CEST	1.1.1.1	192.168.2.7	0x4cd9	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:35:42
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_482.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_482.exe"
Imagebase:	0xaa0000
File size:	4'309'415 bytes
MD5 hash:	8121AD7D4B71FAE42DD6C4309774C4B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1269206159.0000000005286000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1269206159.0000000004C02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1257963712.0000000000AA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:35:43
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Imagebase:	0x2d0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:35:43
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Imagebase:	0x9d0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.1286915263.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:35:43
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	3.3%
Signature Coverage:	5.3%
Total number of Nodes:	1230
Total number of Limit Nodes:	17

Executed Functions

Function 6E95B6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E95B73F
VariantInit.OLEAUT32(?), ref: 6E95B748
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E95B7BE
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E95B7F5
VariantClear.OLEAUT32(?), ref: 6E95B801

Part of subcall function 6E95C850: VariantInit.OLEAUT32(?), ref: 6E95C88F
Part of subcall function 6E95C850: VariantInit.OLEAUT32(?), ref: 6E95C895
Part of subcall function 6E95C850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E95C8A0
Part of subcall function 6E95C850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E95C8D5
Part of subcall function 6E95C850: VariantClear.OLEAUT32(?), ref: 6E95C8E1

VariantClear.OLEAUT32(?), ref: 6E95BA15
SafeArrayDestroy.OLEAUT32(?), ref: 6E95BE90
VariantClear.OLEAUT32(?), ref: 6E95BEA3
VariantClear.OLEAUT32(?), ref: 6E95BEA9

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 1ee2ab6e975db9976f390fc5abf978d28d8eccd44e7678be9d683b66eb835943
Instruction ID: 9e2e82af70abb3791ec160e0641f259fe1c7cc426fbc2e752d2823289defb857
Opcode Fuzzy Hash: 1ee2ab6e975db9976f390fc5abf978d28d8eccd44e7678be9d683b66eb835943
Instruction Fuzzy Hash: D5525B71900219DFDB10DFA8C894BEEBBB9BF99304F148599E509AB345EB30E945CF90

Function 6E94B6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,64F62E83), ref: 6E94B711
LoadLibraryW.KERNEL32(mscoree.dll), ref: 6E94B71C
GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6E94B730
__cftoe.LIBCMT ref: 6E94B870
GetModuleHandleW.KERNEL32(?), ref: 6E94B88B
GetProcAddress.KERNEL32(00000000,C8F5E518), ref: 6E94B8D7

Strings

v4.0.30319, xrefs: 6E94B767
mscoree.dll, xrefs: 6E94B70C, 6E94B717
CLRCreateInstance, xrefs: 6E94B72A

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: AddressHandleModuleProc$LibraryLoad__cftoe
String ID: CLRCreateInstance$mscoree.dll$v4.0.30319
API String ID: 1275574042-506955582
Opcode ID: 7323df13b161314859b01139595c3e5d44cdadd4119bf64955cc1fafc7c18110
Instruction ID: c53b504c52e9a84e942350a1e09dc51e4a6bc92568194b1194c048887749fd76
Opcode Fuzzy Hash: 7323df13b161314859b01139595c3e5d44cdadd4119bf64955cc1fafc7c18110
Instruction Fuzzy Hash: 5C9136B1D0424ADFDB04DFE8C8809AEBBB5BF89314F10866CE119EB254E730A946CF55

Function 0175A578 Relevance: 7.1, Strings: 5, Instructions: 828COMMON

Download Yara Rule

Strings

,q, xrefs: 0175ACC7
Hq, xrefs: 0175AFA0
(oq, xrefs: 0175AF29
(oq, xrefs: 0175AF33
,q, xrefs: 0175ACB7

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q$Hq
API String ID: 0-962059274
Opcode ID: 5ef474468f21e4bd92bd64578b4b45f7f8d8491f75e03cabe05dfdd0960814c0
Instruction ID: 64ab230827beb3423f706d34c3386eace89268daf00baed0f60aba4f7350e751
Opcode Fuzzy Hash: 5ef474468f21e4bd92bd64578b4b45f7f8d8491f75e03cabe05dfdd0960814c0
Instruction Fuzzy Hash: C6629075A00215DFDB59DF69C484A6EBBB2FF88310B158269ED06DB3A4CB71EC41CB90

Function 0329A280 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,?), ref: 0329A311

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: eb0c2a199189ccc3bdd88401c64cb60f3229ea72114092469bb97e4e929453fe
Instruction ID: 9634826842061e5ad33add0c53dec43e52398d218cb1f0dc1a74b19560b49302
Opcode Fuzzy Hash: eb0c2a199189ccc3bdd88401c64cb60f3229ea72114092469bb97e4e929453fe
Instruction Fuzzy Hash: 9E21BDB4D152489FDB20CFA9D584ADEFBF4EB49310F24902AE818B3310C735A945CF65

Function 0329A288 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,?), ref: 0329A311

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 00e7fca2393bb658915a6c588469393bbd5832aee05eebd9f441debb3dd8d396
Instruction ID: 1889469a101e3821df3ac7137d2c54281c00e9de0d15ff03a61392a4f17a2137
Opcode Fuzzy Hash: 00e7fca2393bb658915a6c588469393bbd5832aee05eebd9f441debb3dd8d396
Instruction Fuzzy Hash: 59219BB5D152089FDB20CFA9D584ADEFBF4EB49310F24901AE818B3350C775A945CF65

Function 03291929 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

8q, xrefs: 0329198F

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 8c4b2fc2b6768a8c8d7af538b4d128bce8f3bb462243c1f506e999da70d61d5c
Instruction ID: 54d9e307ae97ca5c4924f61ea238b92cd8d7d6c041da000707bc41d3eec900d2
Opcode Fuzzy Hash: 8c4b2fc2b6768a8c8d7af538b4d128bce8f3bb462243c1f506e999da70d61d5c
Instruction Fuzzy Hash: 9831D275E01208AFDB04CFA5D484AEEFBF1FF89300F10906AE915BB260DB709A05CB95

Function 03291930 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

8q, xrefs: 0329198F

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 53cfcbf9bc780553648201caec81f8368cf08a452c119fbf431cd948c1641b48
Instruction ID: e57d65944616a69e35d670a6209dfb156e6da2ec7f80e94231e3de2f24a67c7a
Opcode Fuzzy Hash: 53cfcbf9bc780553648201caec81f8368cf08a452c119fbf431cd948c1641b48
Instruction Fuzzy Hash: 0531C275E01208AFDB04CFA5D484AEEFBF5FF49310F10906AE915B7260DB70AA04CB95

Function 01750EAF Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59f6c193b01cbfc0179af47eca2c99aeca48ae4079717f02d5410a49516f738
Instruction ID: f750996ab54356862237fed9d938cb493c15fd06ab40b4a7db0e1a76ded370a2
Opcode Fuzzy Hash: f59f6c193b01cbfc0179af47eca2c99aeca48ae4079717f02d5410a49516f738
Instruction Fuzzy Hash: 3192ECB4A01329CFDB25DF24E958BA9BB72FB49310F5081E9E80967364CB365E81CF51

Function 01758C78 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f16c6b2a17fcbe05c2d7b0b2c7c6ecd547aded3e2db806d772d7153edb59f206
Instruction ID: b4376d8e1541a9fe012af7bf37d3b9511c545f84956e405744279ebd6fc33825
Opcode Fuzzy Hash: f16c6b2a17fcbe05c2d7b0b2c7c6ecd547aded3e2db806d772d7153edb59f206
Instruction Fuzzy Hash: 3051B274E05318CBEB58CFAAD944A9EFBF2AF89300F14C0A9D809AB355DB705981CF01

Function 6E959357 Relevance: 41.0, APIs: 21, Strings: 1, Instructions: 2492COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E9584BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E9584D2
SafeArrayGetElement.OLEAUT32 ref: 6E95850A
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E9594C1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E9594D4
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6E95950C
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E9597A4
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E9597B7
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6E9597F2

Part of subcall function 6E953A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E953B71
Part of subcall function 6E953A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E953B83

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E959D5F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E959D72
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6E959DAF

Part of subcall function 6E953A90: SafeArrayDestroy.OLEAUT32(?), ref: 6E953BCF

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E95A1BC
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E95A1CF
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6E95A20C
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Strings

A, xrefs: 6E95AD44

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: A
API String ID: 959723449-3554254475
Opcode ID: b6d6daa1f9b8a284b476af6384402f255812add4cd403d4fb683155e23daea7a
Instruction ID: 166916fe361e6a87bb919c5e6c0f3a1b896790998c51d6df8359839f706d1586
Opcode Fuzzy Hash: b6d6daa1f9b8a284b476af6384402f255812add4cd403d4fb683155e23daea7a
Instruction Fuzzy Hash: 03236C71A00205DFEB40DFA8C894F9977BDAF89304F148494EA09AF396DB71E985CF60

Function 6E952970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E9529F6
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E952A08
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E952A2F
VariantInit.OLEAUT32(?), ref: 6E952ABB
VariantInit.OLEAUT32(?), ref: 6E952B3F
VariantClear.OLEAUT32(?), ref: 6E952C04
VariantClear.OLEAUT32(?), ref: 6E952C0B
VariantClear.OLEAUT32(?), ref: 6E952C12
VariantClear.OLEAUT32(?), ref: 6E952C96
VariantClear.OLEAUT32(?), ref: 6E952C9D
VariantClear.OLEAUT32(?), ref: 6E952CD6
VariantClear.OLEAUT32(?), ref: 6E952CDD
VariantClear.OLEAUT32(?), ref: 6E952CE4
SafeArrayDestroy.OLEAUT32(?), ref: 6E952D1B
VariantClear.OLEAUT32(?), ref: 6E952D45
VariantClear.OLEAUT32(?), ref: 6E952D4C
VariantClear.OLEAUT32(?), ref: 6E952D53

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$BoundInit$DestroyElement
String ID:
API String ID: 214056513-0
Opcode ID: e03920b0b39269b7eff9eb472a3162767ed3332a5be5890c7ed575042712f088
Instruction ID: f8ce797d19d22fa9190f6866ffa257e508fddb838b40ffba5b23c2bef6fee504
Opcode Fuzzy Hash: e03920b0b39269b7eff9eb472a3162767ed3332a5be5890c7ed575042712f088
Instruction Fuzzy Hash: 48C134716083429FD700CFA8C884A5BBBF9AF9A304F20895DF695CB361D675E845CF62

Function 6E94AF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E94AF75
VariantInit.OLEAUT32(?), ref: 6E94AF7C
VariantInit.OLEAUT32(?), ref: 6E94AF83
VariantCopy.OLEAUT32(?,?), ref: 6E94B00D
VariantClear.OLEAUT32(?), ref: 6E94B027
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E94B19C
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E94B1AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 6E94B1C5
_memmove.LIBCMT ref: 6E94B1E6
SafeArrayUnaccessData.OLEAUT32(?), ref: 6E94B1EF
VariantClear.OLEAUT32(?), ref: 6E94B237
VariantClear.OLEAUT32(?), ref: 6E94B23E
VariantClear.OLEAUT32(?), ref: 6E94B245
VariantClear.OLEAUT32(?), ref: 6E94B29D
VariantClear.OLEAUT32(?), ref: 6E94B2A4
VariantClear.OLEAUT32(?), ref: 6E94B2AB

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$BoundData$AccessCopyUnaccess_memmove
String ID:
API String ID: 3403836469-0
Opcode ID: c150c9ddc94ce6417053b2374e1d79fad2afda4a2079c08d1f02a048efe66c38
Instruction ID: 49ed0142bbeacabb40a3e1ede245e11fdfc17cadb91968123866cea06d652b8c
Opcode Fuzzy Hash: c150c9ddc94ce6417053b2374e1d79fad2afda4a2079c08d1f02a048efe66c38
Instruction Fuzzy Hash: 78C145B26082429FD704DFA8C88495BB7F9FF99304F144A6DE659CB254E730E905CFA2

Function 6E95D410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6E95D4B3
VariantInit.OLEAUT32 ref: 6E95D4C5
VariantInit.OLEAUT32(?), ref: 6E95D4CC
_malloc.LIBCMT ref: 6E95D551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E95D58B
SafeArrayCreateVector.OLEAUT32 ref: 6E95D5A6
SafeArrayAccessData.OLEAUT32 ref: 6E95D5B8

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayInitSafeVariant$CreateVector$AccessData_malloc
String ID:
API String ID: 1552365394-0
Opcode ID: 9696ff04e29100f8a749d48338bf5ecc206d2f1a27a8041e0579d86cf23f5f83
Instruction ID: 8d5c1f898373db56aaa4ee72ed95e26002942da4d61edf98241cb49091d45689
Opcode Fuzzy Hash: 9696ff04e29100f8a749d48338bf5ecc206d2f1a27a8041e0579d86cf23f5f83
Instruction Fuzzy Hash: B8B123B66083019FD314CFA8C880A5BB7E9FF99314F14895DE8999B351E731E906CF92

Function 6E95D468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6E95D4B3
VariantInit.OLEAUT32 ref: 6E95D4C5
VariantInit.OLEAUT32(?), ref: 6E95D4CC
_malloc.LIBCMT ref: 6E95D551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E95D58B
SafeArrayCreateVector.OLEAUT32 ref: 6E95D5A6
SafeArrayAccessData.OLEAUT32 ref: 6E95D5B8
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E95D601
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E95D63E

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$InitVariant$CreateElementVector$AccessData_malloc
String ID:
API String ID: 2723946344-0
Opcode ID: fa12a8d2eeb4823809285ddd461739e7bd97cf46ce4f0710e0060b39c3f70cf0
Instruction ID: 9a0451654b52be5dd5510e51ce929e7ae43ef347f2a227345c0991fa40b77b42
Opcode Fuzzy Hash: fa12a8d2eeb4823809285ddd461739e7bd97cf46ce4f0710e0060b39c3f70cf0
Instruction Fuzzy Hash: 0E9123B56083019FD314CFA8C880A5BB7E9BF89304F14895DE9958B351E770E946CF92

Function 6E955140 Relevance: 21.2, APIs: 14, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E955177

Part of subcall function 6E962820: _malloc.LIBCMT ref: 6E962871

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000004), ref: 6E9551B9
SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6E9551D5
SafeArrayAccessData.OLEAUT32(00000000,00000000), ref: 6E9551E5
_memmove.LIBCMT ref: 6E9551FF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E955208
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E95522C
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6E955263
VariantClear.OLEAUT32(?), ref: 6E95526C
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6E9552AD
VariantClear.OLEAUT32(?), ref: 6E9552B6
SafeArrayPutElement.OLEAUT32(00000000,00000002,00000002), ref: 6E9552D2
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E95534E
VariantClear.OLEAUT32(?), ref: 6E955358

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$ElementVariant$Clear$CreateDataVector$AccessDestroyInitUnaccess_malloc_memmove
String ID:
API String ID: 452649785-0
Opcode ID: c21ba0d9fb5ea7024da08d72a71577d759310a10d1fd2cde17525b5db3124efd
Instruction ID: 6380ee2998c611cf1585923add77773b233a5d8151507e478196a47353db5517
Opcode Fuzzy Hash: c21ba0d9fb5ea7024da08d72a71577d759310a10d1fd2cde17525b5db3124efd
Instruction Fuzzy Hash: 3E71F9B1A0061AEBDB00DFA5C884AEFBBB8FF59304F108119E9159B241E774E955CBA0

Function 6E9544C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E9544FF
VariantInit.OLEAUT32(?), ref: 6E954505
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E954516
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E954551
VariantClear.OLEAUT32(?), ref: 6E95455A
SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6E954579
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E954594
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6E9545B5
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6E9545CE
std::tr1::_Xweak.LIBCPMT ref: 6E95475A
SafeArrayDestroy.OLEAUT32(?), ref: 6E954777
VariantClear.OLEAUT32(?), ref: 6E954787
VariantClear.OLEAUT32(?), ref: 6E95478D

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$DestroyXweakstd::tr1::_
String ID:
API String ID: 1304965753-0
Opcode ID: ff5244bc4c867e700305557c7dacb2deb3f19e9c66c7d6b502730c8f64f61b6a
Instruction ID: 37555561fd8be0e24ff0c55c4fe10353783e83100fc79a369e7131fab2ab1d96
Opcode Fuzzy Hash: ff5244bc4c867e700305557c7dacb2deb3f19e9c66c7d6b502730c8f64f61b6a
Instruction Fuzzy Hash: 39A13C75A0020A9BDB54DBE8C984EAFB7B9BF88710F14462DE506EB784C630E941CF60

Function 6E95BF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E95BF3D
VariantInit.OLEAUT32(?), ref: 6E95BF4A
VariantInit.OLEAUT32(?), ref: 6E95BF50
VariantInit.OLEAUT32(?), ref: 6E95BF56
VariantInit.OLEAUT32 ref: 6E95C04D
VariantCopy.OLEAUT32(?,?), ref: 6E95C054
VariantInit.OLEAUT32 ref: 6E95C085
VariantCopy.OLEAUT32(?,?), ref: 6E95C08C
VariantClear.OLEAUT32(?), ref: 6E95C118
VariantClear.OLEAUT32(?), ref: 6E95C11E
VariantClear.OLEAUT32(?), ref: 6E95C124
VariantClear.OLEAUT32(?), ref: 6E95C12A

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: f553b9d26eafa249a2a447f912578450e2145bf83d9c412390e5fde1f3ec54e9
Instruction ID: d199602a7ecbc2b70c2d81e59bc54b89f94e87e9ca1234232590a0a768b8d9d1
Opcode Fuzzy Hash: f553b9d26eafa249a2a447f912578450e2145bf83d9c412390e5fde1f3ec54e9
Instruction Fuzzy Hash: CB8127B1900619AFDF04DBE8C884AEEBBB9FF89304F144559E905AB340EB75E915CF90

Function 6E9564D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6E95650C
VariantInit.OLEAUT32(?), ref: 6E956519
VariantInit.OLEAUT32(?), ref: 6E956520
SafeArrayCreateVector.OLEAUT32(0000000C), ref: 6E956531
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E95656D
VariantClear.OLEAUT32(?), ref: 6E956576
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E9565B6
VariantClear.OLEAUT32(?), ref: 6E9565BF
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E956666
VariantClear.OLEAUT32(?), ref: 6E956677
VariantClear.OLEAUT32(?), ref: 6E95667E
VariantClear.OLEAUT32(?), ref: 6E956685

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: 9b19496333f3e4ed08710ab581d645777145f4846ea499b364880d9f30758592
Instruction ID: 7b04bded68ac21463490a57feafd7a1e3ee2cb9180a1b5b500f4c1cf7e5badc2
Opcode Fuzzy Hash: 9b19496333f3e4ed08710ab581d645777145f4846ea499b364880d9f30758592
Instruction Fuzzy Hash: F35127B25187059FC700DFA8C880A5BBBE8EFD9710F00891EF9558B251EB71E906CF92

Function 6E95CB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E95CBCA
VariantInit.OLEAUT32(?), ref: 6E95CBD3
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E95CBE4
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E95CBF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E95CC0D
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6E95CC39
VariantClear.OLEAUT32(?), ref: 6E95CC42
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6E95CC5D
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6E95CC77
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E95CCEC
VariantClear.OLEAUT32(?), ref: 6E95CCFC
VariantClear.OLEAUT32(?), ref: 6E95CD02

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$Destroy
String ID:
API String ID: 3548156019-0
Opcode ID: 1b7f6f502bc79fbc183bfb1b6afdc4bbce7ac6f4edc3db90cd49e3963c82dcf4
Instruction ID: 4a1d2f4ad1a525fde229dee201a5c3bb61d7f731595bc84ca6a039f680cdf10b
Opcode Fuzzy Hash: 1b7f6f502bc79fbc183bfb1b6afdc4bbce7ac6f4edc3db90cd49e3963c82dcf4
Instruction Fuzzy Hash: A8514FB5D0420A9FDB00DFA4C880EDEBBB8FF59710F04855AEA15AB340D770A905CFA0

Function 6E94A350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E94A393
VariantInit.OLEAUT32(?), ref: 6E94A39A
VariantInit.OLEAUT32(?), ref: 6E94A3A1
VariantCopy.OLEAUT32(?,?), ref: 6E94A3EF
VariantClear.OLEAUT32(?), ref: 6E94A409
VariantClear.OLEAUT32(?), ref: 6E94A50A
VariantClear.OLEAUT32(?), ref: 6E94A511
VariantClear.OLEAUT32(?), ref: 6E94A518
VariantClear.OLEAUT32(?), ref: 6E94A55E
VariantClear.OLEAUT32(?), ref: 6E94A565
VariantClear.OLEAUT32(?), ref: 6E94A56C

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$Init$Copy
String ID:
API String ID: 3214764494-0
Opcode ID: 86deee5680b066050b167e6a1a87a459e18bd385780833b12e751509b7855eeb
Instruction ID: fe61af998048ad9689f7110dcf148ce5edc54e096e640f58dca8ce5c2f46140c
Opcode Fuzzy Hash: 86deee5680b066050b167e6a1a87a459e18bd385780833b12e751509b7855eeb
Instruction Fuzzy Hash: 367134726083459FD300DFA9C880A5BB7E8AF99714F008A6DFA55CB390E770E905CF62

Function 6E95CD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E95CD5C
VariantInit.OLEAUT32(?), ref: 6E95CD65
VariantInit.OLEAUT32(?), ref: 6E95CD6B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E95CD76
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E95CDAA
VariantClear.OLEAUT32(?), ref: 6E95CDB7
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E95D2A5
VariantClear.OLEAUT32(?), ref: 6E95D2B5
VariantClear.OLEAUT32(?), ref: 6E95D2BB
VariantClear.OLEAUT32(?), ref: 6E95D2C1

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: d1bf9abca8ac93de9bb3262bd0fa803174ba9cbc02fcb52d6089e30b1800b91c
Instruction ID: a0e62530217ee565e93edf015182c51d3cec62ec0222a9cdc96cadb795cc1450
Opcode Fuzzy Hash: d1bf9abca8ac93de9bb3262bd0fa803174ba9cbc02fcb52d6089e30b1800b91c
Instruction Fuzzy Hash: 4112E475A15706AFC758DBD8DD84DAAB3B9BF8D300F144668F50AABB91CA30F841CB50

Function 6E9566A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6E9566DB
VariantInit.OLEAUT32 ref: 6E9566EA
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E956700
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E95673A
VariantClear.OLEAUT32(?), ref: 6E956747
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E956787
VariantClear.OLEAUT32(?), ref: 6E956794
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E956849
VariantClear.OLEAUT32(?), ref: 6E95685A
VariantClear.OLEAUT32(?), ref: 6E956861

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ArrayClearSafe$ElementInit$CreateDestroyVector
String ID:
API String ID: 551789342-0
Opcode ID: 2a187d62fbc25a3a86014ba1e200b97eba074adde4749578b121a50f38adb2d5
Instruction ID: f363936a3c32418ba4848efd62b9cdaf6174cdfd3aaadd8744d6353c3ba1d48e
Opcode Fuzzy Hash: 2a187d62fbc25a3a86014ba1e200b97eba074adde4749578b121a50f38adb2d5
Instruction Fuzzy Hash: AE514576508606AFCB00CFA4C844A9BBBE9EFD9714F008A19F9559B351E730E905CFA2

Function 6E95840E Relevance: 13.8, APIs: 9, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E9584BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E9584D2
SafeArrayGetElement.OLEAUT32 ref: 6E95850A

Part of subcall function 6E953A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E953B71
Part of subcall function 6E953A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E953B83

Part of subcall function 6E9569C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E956A08
Part of subcall function 6E9569C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E956A15
Part of subcall function 6E9569C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E956A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Part of subcall function 6E94DFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E94DFF6
Part of subcall function 6E94DFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E94E003
Part of subcall function 6E94DFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E94E02F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID:
API String ID: 959723449-0
Opcode ID: c477648a8f9492cdec8f2c61d2348547638dd73bb929dec49f49b6a6302433a5
Instruction ID: 47ae46d190bd3246fb6dbb2aa893da5b1f046accc0a2d8a8dda90d67142eb275
Opcode Fuzzy Hash: c477648a8f9492cdec8f2c61d2348547638dd73bb929dec49f49b6a6302433a5
Instruction Fuzzy Hash: 92C14D70A002059FDB54DFA8CC90FADB7BDAF88304F204598E919AB386D771E945CF54

Function 6E954170 Relevance: 13.8, APIs: 9, Instructions: 277COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E9541AF
VariantInit.OLEAUT32(?), ref: 6E9541B5
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E9541C0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E9541F5
VariantClear.OLEAUT32(?), ref: 6E954201
std::tr1::_Xweak.LIBCPMT ref: 6E954450
SafeArrayDestroy.OLEAUT32(?), ref: 6E95446D
VariantClear.OLEAUT32(?), ref: 6E95447D
VariantClear.OLEAUT32(?), ref: 6E954483

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: a9c33b29b0304fd8c5240fdba2be13343f2cf702bd1d2211fa829754e9073297
Instruction ID: 760bee00cf5acbe6c809a9e332ea0b1b42636131bec06ed4afcf94d6c4a1e463
Opcode Fuzzy Hash: a9c33b29b0304fd8c5240fdba2be13343f2cf702bd1d2211fa829754e9073297
Instruction Fuzzy Hash: F9B12675604609AFCB54DF98C884DEAB7FABF8D310F158568E50AAB790DA34F841CF60

Function 6E95C850 Relevance: 13.8, APIs: 9, Instructions: 271COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E95C88F
VariantInit.OLEAUT32(?), ref: 6E95C895
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E95C8A0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E95C8D5
VariantClear.OLEAUT32(?), ref: 6E95C8E1
std::tr1::_Xweak.LIBCPMT ref: 6E95CB1C
SafeArrayDestroy.OLEAUT32(?), ref: 6E95CB39
VariantClear.OLEAUT32(?), ref: 6E95CB49
VariantClear.OLEAUT32(?), ref: 6E95CB4F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 5697bfe0b8233956ccf7aa58344c22d5d7b80674323679effd07016b8e5d4205
Instruction ID: 167c82f370498e78f5da131acc304886c22ae628478d438423ea3efd72c933d3
Opcode Fuzzy Hash: 5697bfe0b8233956ccf7aa58344c22d5d7b80674323679effd07016b8e5d4205
Instruction Fuzzy Hash: 72B11775A00609AFCB14DF98C884DEAB7F9BF8D310F158569E606AB791DA34F841CF60

Function 6E95C530 Relevance: 13.8, APIs: 9, Instructions: 259COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E95C56F
VariantInit.OLEAUT32(?), ref: 6E95C575
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E95C580
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E95C5B5
VariantClear.OLEAUT32(?), ref: 6E95C5C1
std::tr1::_Xweak.LIBCPMT ref: 6E95C7D4
SafeArrayDestroy.OLEAUT32(?), ref: 6E95C7F1
VariantClear.OLEAUT32(?), ref: 6E95C801
VariantClear.OLEAUT32(?), ref: 6E95C807

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 530bfa129fb6324d4d09f5d73c1a3c21b484d6ec0b24baf384b68cf3f4525f52
Instruction ID: ceb68ec60eb8190f067fba6970bdf486c44d3e5fb3403a22b5419e3317717047
Opcode Fuzzy Hash: 530bfa129fb6324d4d09f5d73c1a3c21b484d6ec0b24baf384b68cf3f4525f52
Instruction Fuzzy Hash: 0EA13775A046099FCB14DFA8C884DEAB7B9BF8D310F14856CE506ABB90DA34F841CF60

Function 6E956880 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E9568B2
VariantInit.OLEAUT32(?), ref: 6E9568BD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E9568D7
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E9568FD
VariantClear.OLEAUT32(?), ref: 6E956909
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E956923
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E956981
VariantClear.OLEAUT32(?), ref: 6E95699E
VariantClear.OLEAUT32(?), ref: 6E9569A4

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ArraySafe$Clear$ElementInit$CreateDestroyVector
String ID:
API String ID: 3529038988-0
Opcode ID: 4729a6ebaa3c2d0ec656ac6cbc6818cb884c326330119c916aa3d1d19dbb3e82
Instruction ID: bd1424a5ab7942a554524e664391e5fa23b37c3d0fd6c88f7eea7c1c29ecc7c7
Opcode Fuzzy Hash: 4729a6ebaa3c2d0ec656ac6cbc6818cb884c326330119c916aa3d1d19dbb3e82
Instruction Fuzzy Hash: 4B412CB2900619AFDB00DFA5C844AEFBBB8EF99314F144119E905A7341E775E906CFA1

Function 6E94C020 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E94C074
VariantInit.OLEAUT32(?), ref: 6E94C07B
VariantInit.OLEAUT32(?), ref: 6E94C082
VariantInit.OLEAUT32(?), ref: 6E94C089
VariantClear.OLEAUT32(?), ref: 6E94C312
VariantClear.OLEAUT32(?), ref: 6E94C319
VariantClear.OLEAUT32(?), ref: 6E94C320
VariantClear.OLEAUT32(?), ref: 6E94C327

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 7d865bc034583f9adb607b4e5d5ccb9327259141ebf5bc701dcab594318491cc
Instruction ID: 8731a119e35639db5acb22d50148ee9395b9f84113442622f161ecf1bca46793
Opcode Fuzzy Hash: 7d865bc034583f9adb607b4e5d5ccb9327259141ebf5bc701dcab594318491cc
Instruction Fuzzy Hash: 59C136B1608701DFD300DFA9C88095AB7E9BFC9304F248A4DE9949B365D775E849CF92

Function 6E956B10 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6E956C8B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6E956CA6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6E956CC7

Part of subcall function 6E955760: std::tr1::_Xweak.LIBCPMT ref: 6E955769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E956CF9

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6E956F13
InterlockedCompareExchange.KERNEL32(6E9DC6A4,45524548,4B4F4F4C), ref: 6E956F34

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: d8fd73754f34a3ddf67799db44f17c81b793d591a12567e69ba4722bbd7ee399
Instruction ID: e3123eb035c9e439eeddeac9e59b4c18b50221b948bba0316cb4f115d9e1373f
Opcode Fuzzy Hash: d8fd73754f34a3ddf67799db44f17c81b793d591a12567e69ba4722bbd7ee399
Instruction Fuzzy Hash: 87D1B0B1A102099FDB01CFE4C890BEE77BCAF95304F148869E909AB381D774E954CFA1

Function 6E9416B0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 487COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::tr1::_Xweak.LIBCPMT ref: 6E941B53
std::_Xinvalid_argument.LIBCPMT ref: 6E941B5D
std::exception::exception.LIBCMT ref: 6E941C43
__CxxThrowException@8.LIBCMT ref: 6E941C58

Strings

invalid vector<T> subscript, xrefs: 6E941B58

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentXweak_mallocstd::_std::exception::exceptionstd::tr1::_
String ID: invalid vector<T> subscript
API String ID: 3098024973-3016609489
Opcode ID: 5e1eb879702312fdcfcd4e7d7b3b84ad7e79ba1b1479cc87cda31c42bcbeb907
Instruction ID: 2febbd9658137b54d7a3c68e4652b4ebb38febfd42f6c571d3d554cd4bd0980b
Opcode Fuzzy Hash: 5e1eb879702312fdcfcd4e7d7b3b84ad7e79ba1b1479cc87cda31c42bcbeb907
Instruction Fuzzy Hash: 1B2205B1800709DFCB14DFE4C4909DEBBF9BF84314F148A59D55AAB254E734AA88CF90

Function 6E94DB30 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6E9531EC), ref: 6E94DB5E
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E94DB6E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E94DB82
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E94DBF1
VariantClear.OLEAUT32(?), ref: 6E94DBFB

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Variant$ClearCreateDestroyElementInitVector
String ID:
API String ID: 182531043-0
Opcode ID: d295c53225649e6d487eb242177c423335022f2690fa7b30565e1733f995ce6b
Instruction ID: a05d415326808a48d1513d72ba5ddbe8405522b9236168858989d0b9a2c14c2d
Opcode Fuzzy Hash: d295c53225649e6d487eb242177c423335022f2690fa7b30565e1733f995ce6b
Instruction Fuzzy Hash: 21316F7AA04605EFD701DF95C944EEBB7B9EF9A710F11815AE911AB340D734E901CFA0

Function 6E99A42D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__CRT_INIT@12.LIBCMT ref: 6E99A463
__CRT_INIT@12.LIBCMT ref: 6E99A493
__CRT_INIT@12.LIBCMT ref: 6E99A4B3

Strings

a0, xrefs: 6E99A4FF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: T@12
String ID: a0
API String ID: 456891419-3188653782
Opcode ID: a43b3d3eb80cf9c245e6dc0779ae73b8d41b723c948179220d809934c0f85ab4
Instruction ID: 78ebb761431437e37931dd2a4e3a448f38f7632646ed537d744ef43736c0ca15
Opcode Fuzzy Hash: a43b3d3eb80cf9c245e6dc0779ae73b8d41b723c948179220d809934c0f85ab4
Instruction Fuzzy Hash: 3411F170D102536ADB709AF64C5CFAF7BBCDF85754F049814A425E6284D7A4C541EE60

Function 6E999BB5 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E999BCF

Part of subcall function 6E999D66: __FF_MSGBANNER.LIBCMT ref: 6E999D7F
Part of subcall function 6E999D66: __NMSG_WRITE.LIBCMT ref: 6E999D86
Part of subcall function 6E999D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6E999BD4,6E931290,64F62E83), ref: 6E999DAB

std::exception::exception.LIBCMT ref: 6E999C04
std::exception::exception.LIBCMT ref: 6E999C1E
__CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 71c75d752d054b6d1535de24d739fbd647acdb658e9ec57816cc8ab3d3e600d9
Instruction ID: 80806e7059917ee602a89d4a416d372485290c3acb1b7014040a6c946b0f1917
Opcode Fuzzy Hash: 71c75d752d054b6d1535de24d739fbd647acdb658e9ec57816cc8ab3d3e600d9
Instruction Fuzzy Hash: 9EF0A435400A59AFDF44EBE5CC55ADE7AFCAF9271CF0C0819E4009A294FB75CA41BE51

Function 6E946C60 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6E946C73
SafeArrayAccessData.OLEAUT32(00000000,6E946C3C), ref: 6E946C87
_memmove.LIBCMT ref: 6E946C9A
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E946CA3

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_memmove
String ID:
API String ID: 3147195435-0
Opcode ID: 81ab86f990a43691d386447a6ccaeb438dc7304f227e4619f8c2b27202aebc36
Instruction ID: abd61ccab8515ea4380dc65cd25b5cdc4366d34e036a7929919978ad80a7cbbf
Opcode Fuzzy Hash: 81ab86f990a43691d386447a6ccaeb438dc7304f227e4619f8c2b27202aebc36
Instruction Fuzzy Hash: 97F0FE75614218BBEB105F91DC89F9B7BACEF96765F008115FA188E241E670D500DFB1

Function 6E961FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E962206
__CxxThrowException@8.LIBCMT ref: 6E962221

Part of subcall function 6E966480: __CxxThrowException@8.LIBCMT ref: 6E966518
Part of subcall function 6E966480: __CxxThrowException@8.LIBCMT ref: 6E966558

Strings

ILProtector, xrefs: 6E962045

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw$_mallocstd::exception::exception
String ID: ILProtector
API String ID: 84431791-1153028812
Opcode ID: 293ca2dcc8ac5ac2f2997c1543ef9410bd5873714ecb424de83e324c5fd96d0e
Instruction ID: 61753311d87c46f991563f81aa4828d7f7a96b52979155cdf754c18d9016469f
Opcode Fuzzy Hash: 293ca2dcc8ac5ac2f2997c1543ef9410bd5873714ecb424de83e324c5fd96d0e
Instruction Fuzzy Hash: F5713971908659DFDB14CFA8C844BDEBBB8FF99300F1085AAE419A7340DB30AA44CF91

Function 6E949110 Relevance: 5.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6E94913B
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6E94915C
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6E949170
LeaveCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6E949191

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 89e39edbf7ff0d6d0a1991f204da2da4a11b0471f2200b9245a7bdbb3f31e20f
Instruction ID: 4b18cc2b3433da6370b507684e7a558c637e94525bc4f0622b02225761687c98
Opcode Fuzzy Hash: 89e39edbf7ff0d6d0a1991f204da2da4a11b0471f2200b9245a7bdbb3f31e20f
Instruction Fuzzy Hash: E94134B590020ADFCB44DF95D5848EEBBB8FF89210B50455ED915AB740D730EA05CFD1

Function 6E948E20 Relevance: 4.7, APIs: 3, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6E948E89
LeaveCriticalSection.KERNEL32(?,00000000), ref: 6E948EAD
_memset.LIBCMT ref: 6E948ED2

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID:
API String ID: 3751686142-0
Opcode ID: da7b549808fb5f03300217771eb5d456edc410047e1fc05b51aa3a795005f43e
Instruction ID: 55495fa40d44cd47f7a26b1f1290f7b5811cfcb0fe9d1f1beb52c48d5ae02d46
Opcode Fuzzy Hash: da7b549808fb5f03300217771eb5d456edc410047e1fc05b51aa3a795005f43e
Instruction Fuzzy Hash: ED516DB5A00206EFCB58CF98C490E9AB7B6FF89304F108599E91A9B781D731E955CFD0

Function 6E94D920 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6E94D949
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 6E94D96C
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E94D9CF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: 20e83d91cbea1d905c60d506ba87bd6ff8fcb0277a86fd131659b01b2cf2336f
Instruction ID: e7b8861347fb4d65f8107913eb6c5d8c3e5a90ec6c6a2b2984b68e5ff6e032d5
Opcode Fuzzy Hash: 20e83d91cbea1d905c60d506ba87bd6ff8fcb0277a86fd131659b01b2cf2336f
Instruction Fuzzy Hash: 13219D39601619EFEB11CF98C894FAB77A8EF8A740F104098E944DB344E771D901CFA1

Function 6E95DB10 Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E95DB2D
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E95DB45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E95DBA2

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: 078cab14904a5d6e21ecb953d62a9acf97df6edaa16c8b8b36da493aeb577838
Instruction ID: 5e2a9f6318bc9d0454f4618c537fa4e78507f5ce0900242d4f64e34dae2d9e06
Opcode Fuzzy Hash: 078cab14904a5d6e21ecb953d62a9acf97df6edaa16c8b8b36da493aeb577838
Instruction Fuzzy Hash: 9F115B75645205AFD700DFA9C888FABBBA8BF5A310F048199E9089B341D730E911CFA0

Function 0175F600 Relevance: 4.2, Strings: 3, Instructions: 472COMMON

Download Yara Rule

Strings

Hq, xrefs: 0175F7AC
$q, xrefs: 0175F70C
$q, xrefs: 0175F700

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: Hq$$q$$q
API String ID: 0-405414136
Opcode ID: c1649339eb7ad711813459010ba131ecde0e28f0a0f2c2ddf5f56aa454e3aacd
Instruction ID: 4557542e85d90d689ce2838d7dcb176e152d8b4084ae9a88412109cd0ab87aca
Opcode Fuzzy Hash: c1649339eb7ad711813459010ba131ecde0e28f0a0f2c2ddf5f56aa454e3aacd
Instruction Fuzzy Hash: AEF18F30B042098FDB55DF78D8546AEBBB6EF89341F144469E902EB3A4DB71DD02CBA1

Function 6E963EB0 Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E964042

Part of subcall function 6E999533: std::exception::_Copy_str.LIBCMT ref: 6E99954E

__CxxThrowException@8.LIBCMT ref: 6E964059

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C04
Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C1E
Part of subcall function 6E999BB5: __CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 2813683038-0
Opcode ID: 9c81680314b486385e74d749a64630c561db2e3a05ddd740cdba96201d62a4fa
Instruction ID: fc881b8311c402bf3c1c31c3524e48651d1b49ebed1ebb60bdf4006df70a8024
Opcode Fuzzy Hash: 9c81680314b486385e74d749a64630c561db2e3a05ddd740cdba96201d62a4fa
Instruction Fuzzy Hash: 1991ABF18043049FE700DFE9C841B9AFBF8EF95740F15896AE5199B290E7B1D9448F92

Function 6E94BDF7 Relevance: 3.2, APIs: 2, Instructions: 200COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E94BE2D
IsBadReadPtr.KERNEL32(00000000,00000008,?,?,?), ref: 6E94BE6D

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroyReadSafe
String ID:
API String ID: 616443815-0
Opcode ID: 7f74ff2b3beeb28a8134cc2bcec8c6a0f271b3df7c68e2628a6c816c7645a224
Instruction ID: 7abb1a69dd3881b5ead198c7211a9a01bb6ff1fed042030e213138b58e4b026f
Opcode Fuzzy Hash: 7f74ff2b3beeb28a8134cc2bcec8c6a0f271b3df7c68e2628a6c816c7645a224
Instruction Fuzzy Hash: DD713671D04656DEDB51CFB4885065EFBB9AF86220F088798DAE9972CDE331D482CF90

Function 6E9462C0 Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E946466

Part of subcall function 6E999533: std::exception::_Copy_str.LIBCMT ref: 6E99954E

__CxxThrowException@8.LIBCMT ref: 6E94647D

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrow_mallocstd::exception::_std::exception::exception
String ID:
API String ID: 2299493649-0
Opcode ID: 50afb4c95c15e68c888f69abc5ea6d906960dcf3e352938a73aa211fd00bf257
Instruction ID: 05d493e6fe24185c2d47f5674588ead3324871102aa3088255c15fdfabdfee7a
Opcode Fuzzy Hash: 50afb4c95c15e68c888f69abc5ea6d906960dcf3e352938a73aa211fd00bf257
Instruction Fuzzy Hash: 095146F2918340DFD704CF99C881A8ABBE8BF95740F44496EE9998B291E371D944CF93

Function 6E95D2E0 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E95D3E8
__CxxThrowException@8.LIBCMT ref: 6E95D3FF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 81bc13d25d38082df6f89a00b7a491881860094c74dfdcd540fcd52ca8db5aed
Instruction ID: 1772bc08061e092ec07210b6146509ad506d6cf856673cf00f4ee0ea0493ef61
Opcode Fuzzy Hash: 81bc13d25d38082df6f89a00b7a491881860094c74dfdcd540fcd52ca8db5aed
Instruction Fuzzy Hash: E93137715087059FC704DF69C48099ABBF8EF99618F548A2EF8558B350E731EA06CF92

Function 6E9627B0 Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E9627FA
__CxxThrowException@8.LIBCMT ref: 6E96280F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 6257fbe1c6ca1ad73b456dc0c30bd889a4ccc6c85ef3aeab68943e78f6a99b2a
Instruction ID: 80e7ff15ba28557b18c4c355452ee59d84be089bfdba75ea8a9b957cff944a9a
Opcode Fuzzy Hash: 6257fbe1c6ca1ad73b456dc0c30bd889a4ccc6c85ef3aeab68943e78f6a99b2a
Instruction Fuzzy Hash: 04018174900205DFC708CF98D9508AAB7F9FF98300B18C5ADC81A4B751EB31EA01DF96

Function 0175EB08 Relevance: 3.0, Strings: 2, Instructions: 491COMMON

Download Yara Rule

Strings

Hq, xrefs: 0175ED7E
d8q, xrefs: 0175EB60

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: Hq$d8q
API String ID: 0-4243181230
Opcode ID: 057a9cb0b20f06454e13a93cbaebdcfe4a996a30079b1a956d547c206e892d61
Instruction ID: 1cc5b8464c4880d61887dd3e411a9597b3478eeba3894ce79ea5e11bc0e3ea56
Opcode Fuzzy Hash: 057a9cb0b20f06454e13a93cbaebdcfe4a996a30079b1a956d547c206e892d61
Instruction Fuzzy Hash: F9124D34700304CFE716AB78F458B1A7B72EBA9361F504179E906473A5CBB9BD82DB21

Function 6E948D60 Relevance: 2.6, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,6E948C13,?,6E948CD3,?,6E948C13,00000000,?,?,6E948C13,?,?), ref: 6E948D73
LeaveCriticalSection.KERNEL32(?,?,?,6E948CD3,?,6E948C13,00000000,?,?,6E948C13,?,?), ref: 6E948D8C

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 2d5531765834676d8b1df1225e3934df6149b7b6ab19f80163266e169588b98a
Instruction ID: 5216d258b8a0266a50857b302e46f536c6a477881ec6a9c47ced2723f394033f
Opcode Fuzzy Hash: 2d5531765834676d8b1df1225e3934df6149b7b6ab19f80163266e169588b98a
Instruction Fuzzy Hash: 8F21F87520450AEF8B18DF89D890DABB3BAFFC9310B108549F90687354D731EE16DBA1

Function 6E948BC0 Relevance: 2.6, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,6E946890,?), ref: 6E948BDD
LeaveCriticalSection.KERNEL32(?), ref: 6E948C23

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: f06c59e4433c363fe4fd9828f56d6fcbbe26c72f9f0cab8e220d548d863dde49
Instruction ID: b70d44f7047c8dc455417b17166b115945a256ba13e87d086fc28a17e368a789
Opcode Fuzzy Hash: f06c59e4433c363fe4fd9828f56d6fcbbe26c72f9f0cab8e220d548d863dde49
Instruction Fuzzy Hash: 260196B2708104AFCB54DFA8C88099BF3A8FF982007004669E909C7300EB32EE61CBD0

Function 03299B5D Relevance: 1.8, APIs: 1, Instructions: 298processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03299E37

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 87b0b6bef5dbaa2b1267da73901ec5573d0b6179307a68829382480373f3a07a
Instruction ID: ce0e5f6f79c11c7a23ca0ba68db8aeba9edd259fbfe03cafd66ba905eacf2579
Opcode Fuzzy Hash: 87b0b6bef5dbaa2b1267da73901ec5573d0b6179307a68829382480373f3a07a
Instruction Fuzzy Hash: A6B11271D102598FEF20DFA8C881BEDBBF2BB09314F14956AE858A7280D77489C5CF95

Function 03299B68 Relevance: 1.8, APIs: 1, Instructions: 295processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03299E37

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0212813e36328f29e633f2a2b8de827cfcc90735a45e5d756aa29ea8caf3794c
Instruction ID: fc0db793274c7087c886c962b122e7f84a9cfae7f1c7517ad5155fe20ab1a4cc
Opcode Fuzzy Hash: 0212813e36328f29e633f2a2b8de827cfcc90735a45e5d756aa29ea8caf3794c
Instruction Fuzzy Hash: 0FB10271D102598FEF20DFA8C885BEDBBF2BB09314F14916AE858A7280D77489C5CF95

Function 6E95E2CE Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 8afa3f7b8c20ab44072fc7f99218c56176b298db629d9aeb6f0f67d0d2408161
Instruction ID: b3d233061c139b67ec261bfa22a6733a5ddc6a2dab8babd932925b021e4be639
Opcode Fuzzy Hash: 8afa3f7b8c20ab44072fc7f99218c56176b298db629d9aeb6f0f67d0d2408161
Instruction Fuzzy Hash: 2B8149F19083418FEB20DFE5889175ABBE8AF91304F184D6ED6598B390D776C8548F53

Function 0329A358 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0329A435

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f187cceea2acae625eb1fe69b910e3fafae9de3a7d1396ed4aac2940cdf79c41
Instruction ID: 96066f2e23734816d512603e1c8e2e0841ce3fc45b5ccf6f317c81c77a57ee06
Opcode Fuzzy Hash: f187cceea2acae625eb1fe69b910e3fafae9de3a7d1396ed4aac2940cdf79c41
Instruction Fuzzy Hash: C54178B4D103989FDF10CFA9D984A9EFBF1BB09314F24902AE818B7250D375A945CF54

Function 0329A360 Relevance: 1.6, APIs: 1, Instructions: 115injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0329A435

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8597298319c060e34c46140f6dab6ecb2b5d080af7f9443529bc5a5541f6f748
Instruction ID: e1b2a7c60f0a4838ef17a7d5f263d934c5ac199b26bcb241f7c0473f1d5f9864
Opcode Fuzzy Hash: 8597298319c060e34c46140f6dab6ecb2b5d080af7f9443529bc5a5541f6f748
Instruction Fuzzy Hash: 6C4166B5D102589FDF10CFA9D984A9EFBF1BB49310F24902AE818B7250D375A985CF64

Function 0329A168 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0329A214

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 99af3d55ed1a3ba1ead69ba2f6113095949176febcbfbbce07a0ea6648605ce9
Instruction ID: bf668901d4bd2f92b163fb553b9d75a90444e04bd3a033cd08e6ce010c06d0fe
Opcode Fuzzy Hash: 99af3d55ed1a3ba1ead69ba2f6113095949176febcbfbbce07a0ea6648605ce9
Instruction Fuzzy Hash: 953157B9D012589FDF10CFA9D984A9EFBB5BB49310F14902AE818BB310D775A941CF64

Function 0329A161 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0329A214

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b20ec3a83eb88239b5ee0a2dc87ac51e06af2c2475844d59df2ffc6f223a3382
Instruction ID: 22b949a9344621fbe39d8ebfa26b41a29eb5edd517034ed8809559c2ed9cb893
Opcode Fuzzy Hash: b20ec3a83eb88239b5ee0a2dc87ac51e06af2c2475844d59df2ffc6f223a3382
Instruction Fuzzy Hash: 244177B8D002589FDF10CFA9D984A9EFBF1BB09310F24902AE814BB350D335A942CF54

Function 6E947140 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 6E962820: _malloc.LIBCMT ref: 6E962871

std::tr1::_Xweak.LIBCPMT ref: 6E9471D2

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xweak_mallocstd::tr1::_
String ID:
API String ID: 4085767713-0
Opcode ID: 87db31155337a1bde5d73c80321be79be0e2788061dbe5bb829cddf301cc48df
Instruction ID: 6e4e8689182a17dd72f71e12494e33d5f109260cc2f0d60d8e9e49ed3912f93d
Opcode Fuzzy Hash: 87db31155337a1bde5d73c80321be79be0e2788061dbe5bb829cddf301cc48df
Instruction Fuzzy Hash: 5F317CB4A0474ADFCB50CFA9C990AABB7B9FF89204B108A5DE81597781D331E905CF90

Function 032901F1 Relevance: 1.6, APIs: 1, Instructions: 82libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 03290292

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 89b78d3188933e3f944754c05f578be1e3712753651a6b3783dbe20ac81145dd
Instruction ID: e725c6878fd08e777940b81695d796ccc71591609606c92e1f184ec816594dd9
Opcode Fuzzy Hash: 89b78d3188933e3f944754c05f578be1e3712753651a6b3783dbe20ac81145dd
Instruction Fuzzy Hash: A631B8B4D102199FDB14CFA9D584ADEFBF1AF48310F14902AE818B7360D734A941CF64

Function 0329A060 Relevance: 1.6, APIs: 1, Instructions: 82threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0329A0F3

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c609d6499363b46731667ced6d0cb07c88a092824c9205c0233ea54945985cf8
Instruction ID: 2951a1c0e8499df0f8def96f6098ce4d603fa081f28ebf653b3f23cf0a5fb63b
Opcode Fuzzy Hash: c609d6499363b46731667ced6d0cb07c88a092824c9205c0233ea54945985cf8
Instruction Fuzzy Hash: 8F31CAB8D012599FDF10CFA9E584AEEFBF0AB09310F24942AE814B7350C739A945CF64

Function 0329A068 Relevance: 1.6, APIs: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0329A0F3

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: daae34d1b46657b474a4cc887205802ade4899080812927d0bc37f1f07a0c2f7
Instruction ID: f1b1cd25d41ec77cf9d7490bffb855881444942b6bc4c20b931d30e6d1607674
Opcode Fuzzy Hash: daae34d1b46657b474a4cc887205802ade4899080812927d0bc37f1f07a0c2f7
Instruction Fuzzy Hash: 7331AAB4D112589FDF10CFA9E584ADEFBF4AB09310F24902AE818B7350D775A945CF64

Function 032901F8 Relevance: 1.6, APIs: 1, Instructions: 78libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 03290292

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dbe1250a60a2233bc665978019954008bd0a549610b2b8f8e645d436f334f331
Instruction ID: 162b5fe96f74374febc6a1bd827157893ff1bdc58e57a9a6a0f723a0e3c55958
Opcode Fuzzy Hash: dbe1250a60a2233bc665978019954008bd0a549610b2b8f8e645d436f334f331
Instruction Fuzzy Hash: 4031A6B4D002599FDB24CFAAD984A9EFBF5AB48310F14902AE818B7360D734A941CF64

Function 0329A4B0 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0329A535

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 758a6507c29dae6f6519d8747768ff5cf01c0c51d3b24dc690f9954503a3c6b2
Instruction ID: c69da134b164b274d6fbbb48e6b8fb9e4ad5178a4099cb215eb692cfa48134ec
Opcode Fuzzy Hash: 758a6507c29dae6f6519d8747768ff5cf01c0c51d3b24dc690f9954503a3c6b2
Instruction Fuzzy Hash: D73198B4E112599FDF20CFA9E984A9EFBF0AB49310F14902AE818B7310D735A941CF64

Function 0329A4B8 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0329A535

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a92c9ab614d286d96b6b6da503aa0218a46018e1bd41a3133e59a8361832fd3c
Instruction ID: 3265bbd2d09f67e688328ace4bf756cc16cb516581c2f77848060cc5c3c9cdcc
Opcode Fuzzy Hash: a92c9ab614d286d96b6b6da503aa0218a46018e1bd41a3133e59a8361832fd3c
Instruction Fuzzy Hash: 113187B8D112589FDF20CFA9E984A9EFBF4AB49310F14902AE818B7310D775A941CF64

Function 6E95EA40 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

SysAllocString.OLEAUT32 ref: 6E95EA8D

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 9ac2a61b36c531f87ec8319c8e163ae019c9ba4c85e10e664d86e1fe3039a17d
Instruction ID: a93974fe2bce6426e22676e151c3bf7f193b956006ba76774333503e3ab97d0b
Opcode Fuzzy Hash: 9ac2a61b36c531f87ec8319c8e163ae019c9ba4c85e10e664d86e1fe3039a17d
Instruction Fuzzy Hash: B0018072904A55EBD311CFA8C900B9AB7ACEF05B24F10475AEC15AB380D7B5D9008FD0

Function 6E999D21 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6E99E8DC

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: H_prolog3_catch_malloc
String ID:
API String ID: 529455676-0
Opcode ID: 321e4b7550d3078b61ee907a8e06be25432ca9692dacda0b65e1461a2c75b066
Instruction ID: d6cd2b61c3f9bd8a230a86d31e8404e24ec1b5aba19fee3705e90376b5269232
Opcode Fuzzy Hash: 321e4b7550d3078b61ee907a8e06be25432ca9692dacda0b65e1461a2c75b066
Instruction Fuzzy Hash: D6D05E319142089BCB41ABD9C805BAD7BE8AF81329F680865E0087A280DB75CA00AF56

Function 6E99A510 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___security_init_cookie.LIBCMT ref: 6E99A510

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction ID: a27cea336ee132625dca13bb742108410aa517f35dbfcc3de2e4f13858f34f4b
Opcode Fuzzy Hash: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction Fuzzy Hash: F1C09B351043089F8B05CF90F440CEE7719EFE4228724D515FC18067509B31D561FD54

Function 01752041 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

8q, xrefs: 01752117

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: 8q
API String ID: 0-4083045702
Opcode ID: 16e7b44fc2bb6d3b088cdaab2df5eb0ff94c91357d2be5d4c6770a69222290af
Instruction ID: cd9e33352a0a8848c50101774b812cc12889e44a89b36b6d0e82697aab34087c
Opcode Fuzzy Hash: 16e7b44fc2bb6d3b088cdaab2df5eb0ff94c91357d2be5d4c6770a69222290af
Instruction Fuzzy Hash: 83413574E0A208CFDB80CFA9D4846EDFBB6FF8A300F5480AAD909A3262D7745945CF50

Function 01759740 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Hq, xrefs: 017597D4

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: e6040dce10eeb8df9ac8301ef5b41f632413110edb2cb3d841654e682ae13a4e
Instruction ID: 0cab4c366194655c0fae67905c774c1cc472cd9e6dd7fcaaea7fcae324220808
Opcode Fuzzy Hash: e6040dce10eeb8df9ac8301ef5b41f632413110edb2cb3d841654e682ae13a4e
Instruction Fuzzy Hash: 2F317830A08200FFEB569F748C017AE7F76FF86304F14C49AD605DB2A1DA709D0587A1

Function 017509D9 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

0u, xrefs: 01750A9A

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: 0u
API String ID: 0-3203441087
Opcode ID: b42e41c6bef67c68dd080f497d85e82b4c8c012f13466808d089c56a4b7c07a4
Instruction ID: dd4b7efe93fb6fd818231d41dae9b154baa5d669c724270218d10450512f7f90
Opcode Fuzzy Hash: b42e41c6bef67c68dd080f497d85e82b4c8c012f13466808d089c56a4b7c07a4
Instruction Fuzzy Hash: 2C215574D04209CFDB44CFA5D4446EEFBB5FB89300F54916AE809B3254E7B55A44CBA0

Function 017509E8 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

0u, xrefs: 01750A9A

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: 0u
API String ID: 0-3203441087
Opcode ID: d99f17da89f089aee64c3c4aa23912c7dd56a4d6a5cac7c1e5471b4669f5ad44
Instruction ID: ec0518288129671b0ca48beb5de8a83983e461fc721703510b654824b61d8963
Opcode Fuzzy Hash: d99f17da89f089aee64c3c4aa23912c7dd56a4d6a5cac7c1e5471b4669f5ad44
Instruction Fuzzy Hash: 07212074D04209DFDB44CFA5D8446EEFBB9FB89300F509569E80AB3254EBB55A44CBA0

Function 01750AC3 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2938f33ff9b14fdc4daa34ebd2dd61a53aff7c67360553a3851d814f8fcadf
Instruction ID: 01e3e6215146027893faa3efde35a713bef003fe22111254df46f8a1ac5d46d5
Opcode Fuzzy Hash: 1e2938f33ff9b14fdc4daa34ebd2dd61a53aff7c67360553a3851d814f8fcadf
Instruction Fuzzy Hash: 9441F774E01219DFDB44DFA8D884AAEFBB6FF89300F148169E805A7364DB75AD02CB51

Function 01750E40 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0db4ae5c66448b443f046693fddd2bf81703e7e2d797fa3aca57726e7ff5136
Instruction ID: 0224939316fae5022b97974f460c65c92332761e2dc17e89fb18171434d6500e
Opcode Fuzzy Hash: f0db4ae5c66448b443f046693fddd2bf81703e7e2d797fa3aca57726e7ff5136
Instruction Fuzzy Hash: 3B31AE70E05248CFCB51DFA8E85469CBBB5FF8A311F5080AAE809E7352D7B05C42DB51

Function 01751F78 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca2ea468eb2e3f2e3ecdce7432ac9f53c9267cc2bdd3ed3d6ab7f7237e7cadc
Instruction ID: 6cf2d2756e68f54542abf32ee257101f85349d33a9a95b1932ffd9c0f363fa87
Opcode Fuzzy Hash: fca2ea468eb2e3f2e3ecdce7432ac9f53c9267cc2bdd3ed3d6ab7f7237e7cadc
Instruction Fuzzy Hash: 8E215974E09209CFDB85CFA9C8846EEFBF5AF89201F54846AC805A7391D7705946CB51

Function 014AD964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265598450.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeb1d9d026322ae1583d71da52e7731c1721d95d39fd50a324bebfe5ebeae42
Instruction ID: b59dc69473b4479dd6063dc839a8dd037de1d2e47807569f091aa056569bf0a2
Opcode Fuzzy Hash: aaeb1d9d026322ae1583d71da52e7731c1721d95d39fd50a324bebfe5ebeae42
Instruction Fuzzy Hash: EF212575904240DFDB15DF54E9C0B26BB66FB98314F64816AE8090B766C336D807CBA2

Function 014ADA4C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265598450.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 179ff7a5325b6f4b6e2791ee889bbd0efa1b31a128c6c06a90a1c57db852a5ad
Instruction ID: a6385657789c5953cabccbe63432942ab525fb7c5c44842df73d9fe05309ef27
Opcode Fuzzy Hash: 179ff7a5325b6f4b6e2791ee889bbd0efa1b31a128c6c06a90a1c57db852a5ad
Instruction Fuzzy Hash: 092137B1A08340DFDB15DF54D9C0B26BB65FB94324F64C56AE8090B766C336D406C761

Function 014AD44C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265598450.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bd456691e35eb644b150718dbddc2d34a0861dd01695e322c94b631086baa7
Instruction ID: 5e71208d9afe94b2f9cfdbe7483708770120612c33eb6eca365f08412b3cd501
Opcode Fuzzy Hash: f7bd456691e35eb644b150718dbddc2d34a0861dd01695e322c94b631086baa7
Instruction Fuzzy Hash: A4213471A04300EFD710DF54D9C4B56BB65EB94224F60C27ED8490BB66C335E447CA62

Function 01759670 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde33500f8658e7163d89c15337e7b851ead350e717e594b336d062ed826f3dc
Instruction ID: c5abdefadd634dbb460fd4f8884d0508c7eef62a623fef2a9972ab48abd44308
Opcode Fuzzy Hash: dde33500f8658e7163d89c15337e7b851ead350e717e594b336d062ed826f3dc
Instruction Fuzzy Hash: D321FF74E00209DFCB45CFA9C840AEEBBB1FB49304F00806AEA25AB350D7759958CFA1

Function 017522E8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87118c653f409668c3646405ed808b9ba03bc9bcba75d13b2604020cd2576974
Instruction ID: f53ec095d9aa9494c7fbbc4e963e2b023754678dc89a8a2d954c9987b0336cb9
Opcode Fuzzy Hash: 87118c653f409668c3646405ed808b9ba03bc9bcba75d13b2604020cd2576974
Instruction Fuzzy Hash: 7B2114B4E0020ADFDB44DFA9D0446AEFBF1FB48310F6481A9D815A7256D7749982CF90

Function 01751F88 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1472c0689898ebea02d891cfa39fcab8621506576b6c88d041797f95d21b399
Instruction ID: 78570c01f78720bd719c5447aedf8c6785fa54ec3959a4b68a097887d11379c6
Opcode Fuzzy Hash: c1472c0689898ebea02d891cfa39fcab8621506576b6c88d041797f95d21b399
Instruction Fuzzy Hash: 812137B4E05209CFDB84CFA9C4846EEFBF5BF89301F548469D905A7350D7705A41CBA0

Function 0175461E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c80669267037607ad8c46b4479df1b4e9110572e48b5ff1218423cdc94f0b33
Instruction ID: c0861556a241c5eef325a848cb1d2380d3e636e81d1535c22e7f0714f1be680f
Opcode Fuzzy Hash: 5c80669267037607ad8c46b4479df1b4e9110572e48b5ff1218423cdc94f0b33
Instruction Fuzzy Hash: 6421A47490522CCFDBA8CF29C8457E9BBB1FB59301F1084DAD90AA2254E7B44AD0CF90

Function 014AD95F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265598450.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa649175a6a07c1293a0646eeb1dae1d7184f3825364c931512ed0431d75e21e
Instruction ID: 62027182544f3661bc531b178f47b516cc4393ee8421fab081b809171853d3ad
Opcode Fuzzy Hash: fa649175a6a07c1293a0646eeb1dae1d7184f3825364c931512ed0431d75e21e
Instruction Fuzzy Hash: 9511B176504280CFDB16CF54D5C0B16BF72FB84314F2481AAD8090B656C33AD41ACBA2

Function 014ADA47 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265598450.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ccc22ca586cb30894c3454275cb8d7f6963b827b46ca0b3fb863fd11c94238
Instruction ID: db6eaea89279802b0b6a0e6d3f3c10471d3eca8753e80104aa47ed7d50e55dc2
Opcode Fuzzy Hash: 45ccc22ca586cb30894c3454275cb8d7f6963b827b46ca0b3fb863fd11c94238
Instruction Fuzzy Hash: EA110476904280CFDB16CF54D5C0B16BF71FB84324F24C6AAD8090BB66C33AD41ACBA1

Function 0175FC80 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44f42a05c17eaa38788d76803d2f7284a425827867b93b50afb606702989700
Instruction ID: 91fc81bfacd517302b4d250ff9100024faa6852e3d1457be5290a42246ab9a90
Opcode Fuzzy Hash: d44f42a05c17eaa38788d76803d2f7284a425827867b93b50afb606702989700
Instruction Fuzzy Hash: F4110270D00308DFDB64DFA9D454AEEFBB5AF4A300F10842AC415BB294EBB59942CFA1

Function 014AD447 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265598450.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95414d4725d7fd5483965d0f24f32316cc368c67e293f58d38c0de91b7fe89c
Instruction ID: 8bf9afc9eef1973e77debf88a38b040e110a820fcc1e2ef68323f07e47053057
Opcode Fuzzy Hash: c95414d4725d7fd5483965d0f24f32316cc368c67e293f58d38c0de91b7fe89c
Instruction Fuzzy Hash: 19110175904280DFDB12CF14D5C4B5ABF61FB84324F24C2AAD8490BB66C33AE44ACB92

Function 017522D8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f98a7eb5c77f62c0de0a0a26abfa717c11998562a342d68280083aaba2e0d2
Instruction ID: a75d93e76dd701f5e638fdc594b7ad6fd3569d95d78a1747f04076821cb11fe3
Opcode Fuzzy Hash: a9f98a7eb5c77f62c0de0a0a26abfa717c11998562a342d68280083aaba2e0d2
Instruction Fuzzy Hash: F21148B0D09349DFCB86CFB998042AEBFF1AF4A310F5581AAD804E3257D3B40940CB50

Function 0149D149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265533817.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88979ca9f0512367c856d29000bd86f7c0b80995e07e7b2eaa82502a3052858f
Instruction ID: 75e1d5045435a7797ae333b428142e4099c892fbd3f646fe742b52a882f1f519
Opcode Fuzzy Hash: 88979ca9f0512367c856d29000bd86f7c0b80995e07e7b2eaa82502a3052858f
Instruction Fuzzy Hash: 48012BB29043049FFB209E95CC85767FF9CDF41221F08C52BED080B396C2389845CAB2

Function 01750CE4 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81971c803ffb9dad2660e0d3c1aed0041b2cf20c207d39ee28dc23cbe054539
Instruction ID: a1e3ae90e7a44e58552c1b55399d695e8ca08ace7659b3e78037bf0703594871
Opcode Fuzzy Hash: b81971c803ffb9dad2660e0d3c1aed0041b2cf20c207d39ee28dc23cbe054539
Instruction Fuzzy Hash: FCF0FC62C0E3C08FD7528B7898112E8FFB4AF67300B4801DBD845DB2A3E2755905D711

Function 0149D148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1265533817.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29994554cfe873675b75aa39b9fb2fd56486bd4baa7db42fc7a44466b8a7c58
Instruction ID: b4dce7611c9c30ff9d09e55cdbdac10b2b906fa016f60bd589e38a7555d13d19
Opcode Fuzzy Hash: e29994554cfe873675b75aa39b9fb2fd56486bd4baa7db42fc7a44466b8a7c58
Instruction Fuzzy Hash: FDF0C2724043449EEB208E0ACC84B63FFA8EF80234F18C15AED080A297C2799844CAB1

Function 01754745 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8adabeaf3fb54da164bdc43e3e68bedef86df97f12687a1a30844550d1206e57
Instruction ID: 3c7b230b092c9c766bd0e958064a48637e775a67390e1cf19ca150d1629fccd9
Opcode Fuzzy Hash: 8adabeaf3fb54da164bdc43e3e68bedef86df97f12687a1a30844550d1206e57
Instruction Fuzzy Hash: 9F019374804228CFDBA4CF68D8857D9BBB0FB09311F9084E5DA0EA2252D7B04ED5CF64

Function 01751F39 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03ac74245de275737f818d26e244ce6d01dc918ef9c32dae99931edca82e564
Instruction ID: 0c59dd000f5507970e54fcbff0b1630c746fe23fcc65b34f7c8e52add6b3c10f
Opcode Fuzzy Hash: c03ac74245de275737f818d26e244ce6d01dc918ef9c32dae99931edca82e564
Instruction Fuzzy Hash: 8BF02B3090D3854FC7D39BA89414269BFB46B2A301F8A019BC408C72F7D7B01801DB91

Function 01750908 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2eed7cc859a5292a50b91c9d55263a6ee03c01230de0abce53289d7b3f9989
Instruction ID: 8b4d3230022d4054a4c262d674058e909d513972e367846d8d08ada86b825698
Opcode Fuzzy Hash: 2e2eed7cc859a5292a50b91c9d55263a6ee03c01230de0abce53289d7b3f9989
Instruction Fuzzy Hash: F4F08C708093C8AFE762DB7894143ADBFB4EB53300F8A41AAC844DB2ABD7B50D45C715

Function 0175E9C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444f2896148d6ca395eacdd8c79dcd9338fd02ee881564ea383fd61ae38d0cf8
Instruction ID: 105a6b43997103447c17ce41be462a8a6fcc1eacedc480e027612191c50138c8
Opcode Fuzzy Hash: 444f2896148d6ca395eacdd8c79dcd9338fd02ee881564ea383fd61ae38d0cf8
Instruction Fuzzy Hash: 4AE09B35304259BB9F161F559814CBE7F7AEFC83617058019FD69C2214CF71CA2197B1

Function 01750CA1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb4daaf792faf4188d823acf3605e2f693ed49dadcaa8cd6487a86cb7f1b0f7
Instruction ID: c16d06445c527734c7132da0c021d4752f455fb5eeb05683ad628e769f359c9f
Opcode Fuzzy Hash: 8cb4daaf792faf4188d823acf3605e2f693ed49dadcaa8cd6487a86cb7f1b0f7
Instruction Fuzzy Hash: BFE0393185E3849FC7859B68E4106E8BFB5AB4B304F1852DAD819A7263D27249068B55

Function 0175FE38 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e367fa66bb5502294fed8f87bf531ef073be49bed31b779de83676824ffa6a6
Instruction ID: be098c3cc6c3a9e173ba0810223b1b7574fe94f647acfd05398ce306ae34f770
Opcode Fuzzy Hash: 8e367fa66bb5502294fed8f87bf531ef073be49bed31b779de83676824ffa6a6
Instruction Fuzzy Hash: 11F09874D04209EFDB44EFE8D5446AEBBF5BF48300F2081AAD805A3354DB705A40DBA1

Function 01750868 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370ada3aaee2ebda6cf560799183f56ce187986ea23523bcd369f809f72a207c
Instruction ID: a9697bec26862a66c9654e835702b3a3d94b37926957ac8bc3fea0f94e942eec
Opcode Fuzzy Hash: 370ada3aaee2ebda6cf560799183f56ce187986ea23523bcd369f809f72a207c
Instruction Fuzzy Hash: 57E0263444C3C55FC3621B7454283AE7F749B63222F8B059B8809C71E383780C04C766

Function 01750918 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea295d827383dd1fa6fa58d83151ef0c2213853d6606c81d1b5ee4586907d119
Instruction ID: 6e25145b433952156f77ac0c3263e7f429ea9072de70c77062a84b1966e9b6a7
Opcode Fuzzy Hash: ea295d827383dd1fa6fa58d83151ef0c2213853d6606c81d1b5ee4586907d119
Instruction Fuzzy Hash: E9E0DF70804348BFE720DB78A004399BEB8EB02300FC600ADC808932A9D7B10D40C315

Function 017585D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a759a1be4fd395fb93176913c95eea7928560370ac7f535fb5bcbd791f8a41d0
Instruction ID: 35cde4332a0ec4bd5a3361ad3c2d729e731adb7922149a2fdaeb8eca5456c896
Opcode Fuzzy Hash: a759a1be4fd395fb93176913c95eea7928560370ac7f535fb5bcbd791f8a41d0
Instruction Fuzzy Hash: 81E012B0D00308EFCB54DFA9D404A9DBFB5FB48300FA081AAD814A3340E7759A90DF85

Function 01758440 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58769440bea70e893154e9ebd5d33274750710e0b81235ff8dd90973cd199c50
Instruction ID: b343a0d7766d681f2b423dd8b227888e3ab2dfdb0fea41a92acd51616a7c99e7
Opcode Fuzzy Hash: 58769440bea70e893154e9ebd5d33274750710e0b81235ff8dd90973cd199c50
Instruction Fuzzy Hash: 18E01774D05208EFCB90EFB8E84969CBFF8AB05201F9041AADD08A3390E7705E50DB91

Function 01758380 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2bbb22e9ddb392629cdb55c15c9fdfc73d101553f258a1d37dba94f07e73f5
Instruction ID: 72db327e7e4fb96d7380057d78499888bad552d40c60deb61a5cb5bc93990401
Opcode Fuzzy Hash: 9e2bbb22e9ddb392629cdb55c15c9fdfc73d101553f258a1d37dba94f07e73f5
Instruction Fuzzy Hash: 41D05E30901308EBC714EFA8E40469DBB74AB41305F9042ECC90423394C7B15E50DB95

Function 01750838 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e007ef56bc6807d7f798eb96484be8aa1cb04e9e39679adf4e74023656010c9d
Instruction ID: a47491d6de86f6b1289beeaade8a44b76795c0def51c2978cb0c228f639eb666
Opcode Fuzzy Hash: e007ef56bc6807d7f798eb96484be8aa1cb04e9e39679adf4e74023656010c9d
Instruction Fuzzy Hash: 00D02232498304EFF7245368A8183AC7FB0EB03310F8E022A8D49424F283B91C40CBA6

Function 01751EB3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fa858ba6005e7bd7a24d21b555bbbf56c8943e01fb7286e49c2520a7deac78
Instruction ID: 0f00fb43fce579be803cc076c86e1695545cb3bac4ca1cfda625aa1c10a47252
Opcode Fuzzy Hash: 03fa858ba6005e7bd7a24d21b555bbbf56c8943e01fb7286e49c2520a7deac78
Instruction Fuzzy Hash: 58E092B8E04248CFCB40CFE8E9984ACFFB1FB4D310B50406AE806AA328D7751889CF10

Function 017586A0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131626f022c0c9c9b169a7e79ea8c56d353ff6ce8fe0093b63f342c432837921
Instruction ID: 959e74fdd9efe8091dd32ccc639fdaf4327adeb4f70136ec3ce7c9262bcd35a7
Opcode Fuzzy Hash: 131626f022c0c9c9b169a7e79ea8c56d353ff6ce8fe0093b63f342c432837921
Instruction Fuzzy Hash: 99D05E30804208EFC750DFA8E44469CBFB4EB01301F4401A9D80463390D7B01E54CBA2

Function 0175A000 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590c5c9664bd9cb9492a89e13accf104da9e669efd8b3b345b763989f520e12b
Instruction ID: 3432f516918c522111d95f1384937c219b9001085476ef3cdf553546f235f3ef
Opcode Fuzzy Hash: 590c5c9664bd9cb9492a89e13accf104da9e669efd8b3b345b763989f520e12b
Instruction Fuzzy Hash: 04D012306143089FDF605F75E90CB27BFE8AF04251F048135E90AC3161EF72C850DA50

Function 01753BEE Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d160fdf08ccdc7232aa79c904b766ff81e72e62f94190aeb8ca3787403258348
Instruction ID: f6d963d7fb377d50d472f738d17624ef94c8a5c51c81ee7107bd8b6b03fb32c7
Opcode Fuzzy Hash: d160fdf08ccdc7232aa79c904b766ff81e72e62f94190aeb8ca3787403258348
Instruction Fuzzy Hash: 0BE04C74D00628CFCBA4DF14DD94B99BBB1EB45306F4101D5A50EA2265DA741EC5CF40

Function 01750848 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6b1a464c18f22ff081bad541bc7c8c23348b059451f72cbe3dae5743e3c21a
Instruction ID: f47b8b8a9c4bfa6883717c6339509eabc511e8dfb6160af591b1f13c8340137b
Opcode Fuzzy Hash: fb6b1a464c18f22ff081bad541bc7c8c23348b059451f72cbe3dae5743e3c21a
Instruction Fuzzy Hash: 31B09B7204070497E6245799740C7687E5C9701315FCD01159A5D014B487F05490D7A9

Non-executed Functions

Function 6E952D70 Relevance: 35.2, APIs: 23, Instructions: 669COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E952DFF
VariantInit.OLEAUT32(?), ref: 6E952E08
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E952E7E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E952EB5
VariantClear.OLEAUT32(?), ref: 6E952EC1

Part of subcall function 6E95C850: VariantInit.OLEAUT32(?), ref: 6E95C88F
Part of subcall function 6E95C850: VariantInit.OLEAUT32(?), ref: 6E95C895
Part of subcall function 6E95C850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E95C8A0
Part of subcall function 6E95C850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E95C8D5
Part of subcall function 6E95C850: VariantClear.OLEAUT32(?), ref: 6E95C8E1

VariantClear.OLEAUT32(?), ref: 6E9530D5
SafeArrayDestroy.OLEAUT32(?), ref: 6E953550
VariantClear.OLEAUT32(?), ref: 6E953563
VariantClear.OLEAUT32(?), ref: 6E953569

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: f6e33b83b44d62e95330146d7ab2cd8c11fc376e805addc93dfc1adfd42fbcf6
Instruction ID: 73fee3fe8a1f7817e07f17045ce183777d43a88e27c30f78fba20944eb005aa1
Opcode Fuzzy Hash: f6e33b83b44d62e95330146d7ab2cd8c11fc376e805addc93dfc1adfd42fbcf6
Instruction Fuzzy Hash: D3526A71900218DFDB44DFA8C884BEEBBB9BF99300F148599E909AB345D770E946CF90

Function 6E94A0C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 227libraryloaderCOMMON

Download Yara Rule

APIs

CorBindToRuntimeEx.MSCOREE(v2.0.50727,wks,00000000,6E9C0634,6E9C0738,?), ref: 6E94A119
GetModuleHandleW.KERNEL32(mscorwks), ref: 6E94A145
__cftoe.LIBCMT ref: 6E94A1FB
GetModuleHandleW.KERNEL32(?), ref: 6E94A215
GetProcAddress.KERNEL32(00000000,00000018), ref: 6E94A265

Strings

mscorwks, xrefs: 6E94A140
wks, xrefs: 6E94A10B
v2.0.50727, xrefs: 6E94A110

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: HandleModule$AddressBindProcRuntime__cftoe
String ID: mscorwks$v2.0.50727$wks
API String ID: 1312202379-2066655427
Opcode ID: 00893cd221ac9c9bc5517942e67bce18f3630c15c731a31b1e0ebac045d55a96
Instruction ID: 3c0106fe8ac219da049678c3fa8266326560b37736ea1d2cb65ec896216d3429
Opcode Fuzzy Hash: 00893cd221ac9c9bc5517942e67bce18f3630c15c731a31b1e0ebac045d55a96
Instruction Fuzzy Hash: 499147B0904249DFDB04DFE8C88099EBBB9BF89300F20866DE519EB244E774E945CF95

Function 6E98DBB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,64F62E83,6E9B8180,00000000,?), ref: 6E98DBFB
GetLastError.KERNEL32 ref: 6E98DC01
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 6E98DC15
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 6E98DC26
SetLastError.KERNEL32(00000000), ref: 6E98DC2D

Part of subcall function 6E98D9D0: GetLastError.KERNEL32(00000010,64F62E83,7686FC30,?,00000000), ref: 6E98DA1A

__CxxThrowException@8.LIBCMT ref: 6E98DC78

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Strings

CryptAcquireContext, xrefs: 6E98DC35
Crypto++ RNG, xrefs: 6E98DC0D, 6E98DC20

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: AcquireContextCryptErrorLast$ExceptionException@8RaiseThrow
String ID: CryptAcquireContext$Crypto++ RNG
API String ID: 3279666080-1159690233
Opcode ID: 0febe6c285e7869f30ed91a30120b67f8afae5389cf9c11cbbbea5c2ad4500c2
Instruction ID: 3d2ae0b790aa95296cbe65582f54804f58403658d108ee969f0725df31c82c15
Opcode Fuzzy Hash: 0febe6c285e7869f30ed91a30120b67f8afae5389cf9c11cbbbea5c2ad4500c2
Instruction Fuzzy Hash: 0D2180B1258751ABE3109BA8CC45F9BBBECAF99B44F00091EF541962C0EBB5E4048F52

Function 0175E000 Relevance: 8.0, Strings: 6, Instructions: 502COMMON

Download Yara Rule

Strings

4'q, xrefs: 0175E01B
4'q, xrefs: 0175E076
4|q, xrefs: 0175E1F0
4'q, xrefs: 0175E0A6
4|q, xrefs: 0175E20B
$q, xrefs: 0175E0C8

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$4|q$4|q$$q
API String ID: 0-3102600102
Opcode ID: a190034b4ad16a5c6bad9e102f0a7bf01fabdd4c2745741128b8c5bdaf4072a6
Instruction ID: 3efcc21dd964de47eb27ca006b696e8bb0abbe0cd149ffe4565eff11738edc97
Opcode Fuzzy Hash: a190034b4ad16a5c6bad9e102f0a7bf01fabdd4c2745741128b8c5bdaf4072a6
Instruction Fuzzy Hash: BA02F531B042118FEB69DB79C85462DFBA2BF8520072944ADDD06CB3A6DFB1DE42C791

Function 6E99948B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E99CE6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E99CE81
UnhandledExceptionFilter.KERNEL32(6E9B9428), ref: 6E99CE8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6E99CEA8
TerminateProcess.KERNEL32(00000000), ref: 6E99CEAF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a95e3643ef44d0b37b36564acfb98d17b64132132c74dc46f7d9dcab6086d595
Instruction ID: 597f380029d64b883b569412081c643285f9070e7b70215dd3f535a5f5fab798
Opcode Fuzzy Hash: a95e3643ef44d0b37b36564acfb98d17b64132132c74dc46f7d9dcab6086d595
Instruction Fuzzy Hash: DA21BEB5809E24AFCB50CF99D5886857BF4FF4A304F10401AE9099BB48FBB099C1CF19

Function 6E992310 Relevance: 6.7, APIs: 4, Instructions: 663COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E9924A1

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

std::exception::exception.LIBCMT ref: 6E99248C

Part of subcall function 6E999533: std::exception::_Copy_str.LIBCMT ref: 6E99954E

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: 8153fd50a247ce22bfb0cd39d08d75e51df56413a75c42ff061ffa8c393ef338
Instruction ID: d02b3f01de6102355493e92d53930ba17184495fde9508b0da359f040d0f57a9
Opcode Fuzzy Hash: 8153fd50a247ce22bfb0cd39d08d75e51df56413a75c42ff061ffa8c393ef338
Instruction Fuzzy Hash: 21329071A016068FDB44CFE9D490AAEB7B9FF99704B18452CE8069B354EB30ED05DFA1

Function 6E985DD0 Relevance: 6.4, APIs: 4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa55d51597e2f5759ede6410a83fd02763d7c7b85fb03f964f9f4d85edd5856
Instruction ID: cbfa5a434fbe4ef42bb5bba1d9ef10bb85be4d011fee0c4bd4360aa5cd06ce47
Opcode Fuzzy Hash: faa55d51597e2f5759ede6410a83fd02763d7c7b85fb03f964f9f4d85edd5856
Instruction Fuzzy Hash: B7029FB041CB688FC764CF69C4A053EBBF1EFDA211F41090EE5F657269E234A598CB61

Function 6E985EB9 Relevance: 6.3, APIs: 4, Instructions: 318COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E9862FC
_memmove.LIBCMT ref: 6E98632B
_memmove.LIBCMT ref: 6E98635A
_memmove.LIBCMT ref: 6E986389

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: bb6d9701454231976b4d208943d44cd68a135a8c04800967e4df893cc45bcbb8
Instruction ID: ce9666e898fb2e89dfcf8cc81eb5a92f22b7076084a3a2df402226aa564e26dd
Opcode Fuzzy Hash: bb6d9701454231976b4d208943d44cd68a135a8c04800967e4df893cc45bcbb8
Instruction Fuzzy Hash: 5CE191B042CB698FC764CB69C8A053E7BF1EFD7211F41050EE5F5572A9E234A1A9CB21

Function 6E98DE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(?,?,?,64F62E83,00000000), ref: 6E98DE6F
__CxxThrowException@8.LIBCMT ref: 6E98DEB9

Part of subcall function 6E98DD20: CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6E9AF0E6,000000FF,6E98DF67,00000000,?), ref: 6E98DDB4

Strings

CryptGenRandom, xrefs: 6E98DE7B

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Crypt$ContextException@8RandomReleaseThrow
String ID: CryptGenRandom
API String ID: 1047471967-3616286655
Opcode ID: 2328f9287d0e1796d052660ebef0ee946bf906cf3b4ed7d9793b3a1d39e15341
Instruction ID: 50f60f831e5b98e53c7a77fea3c4c6fb31098f69b94be43c17b1ceaee1d6b334
Opcode Fuzzy Hash: 2328f9287d0e1796d052660ebef0ee946bf906cf3b4ed7d9793b3a1d39e15341
Instruction Fuzzy Hash: 62212371418B809FD704DFA4C444B9ABBF8AF99718F004A0EE85587384EB74E548CF92

Function 6E9863B0 Relevance: 5.1, APIs: 3, Instructions: 648COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E986437

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9da8888e02ac697131423c4c0eb27ec44e9760c07a33f8de3d0011babceee962
Instruction ID: 868c6ccfbbbb6dd9778b2802d42175a90d34d62d6169addeaa375f7437f8acd2
Opcode Fuzzy Hash: 9da8888e02ac697131423c4c0eb27ec44e9760c07a33f8de3d0011babceee962
Instruction Fuzzy Hash: 60523570114A668FC358CF29C0E056BBBE2EFCE315758898DD4D68B396D234F5A1CBA0

Function 6E98D9D0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,64F62E83,7686FC30,?,00000000), ref: 6E98DA1A

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

Strings

operation failed with error , xrefs: 6E98DA49
OS_Rng: , xrefs: 6E98DA35

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ErrorLastXinvalid_argumentstd::_
String ID: operation failed with error $OS_Rng:
API String ID: 406877150-700108173
Opcode ID: 4a600a812d1a7535762210602e03f34c80d48e38adcc7353d04d8c305efd3b8a
Instruction ID: a3ca761eb5cb2c45c157ed13f3085ed290f3ce8d9897893b257bd66612921f41
Opcode Fuzzy Hash: 4a600a812d1a7535762210602e03f34c80d48e38adcc7353d04d8c305efd3b8a
Instruction Fuzzy Hash: D94127B1508380AFD321CFA9C841B9BBBE8AFD9644F144D2EE18987251EB75D444CF63

Function 6E991CA0 Relevance: 3.6, APIs: 2, Instructions: 619COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6E991E1D

Part of subcall function 6E999533: std::exception::_Copy_str.LIBCMT ref: 6E99954E

__CxxThrowException@8.LIBCMT ref: 6E991E32

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: 0a09eb64536dbf0da56630087d1c994a5e4bdfb0866406f248fbdd95554c0d27
Instruction ID: c96e841d7703bbff5eed56061e862e93282539730ca0f69243583842691c3cfa
Opcode Fuzzy Hash: 0a09eb64536dbf0da56630087d1c994a5e4bdfb0866406f248fbdd95554c0d27
Instruction Fuzzy Hash: E4329071A006069FDB48CFD9D8909AEB3BEFF8A740B19452DE5169B354EB30E904DF90

Function 6E9A0B89 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e3e8b3825e4d4069971ee7ef4f675d26c03b02e25217e9e64496db02114037e
Instruction ID: fa72af2eb4b5656e60139128db3585c4c5f5dfea99dc9d7479cc6390898083ff
Opcode Fuzzy Hash: 0e3e8b3825e4d4069971ee7ef4f675d26c03b02e25217e9e64496db02114037e
Instruction Fuzzy Hash: BA320161D29F414DDB639939C832336729DAFA73C4F11D737E829B5A9AEF29C4834500

Function 6E98DEE0 Relevance: 1.6, APIs: 1, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 6E934760: __CxxThrowException@8.LIBCMT ref: 6E9347F9

CryptReleaseContext.ADVAPI32(?,00000000,00000000,?), ref: 6E98DF7B

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ContextCryptException@8ReleaseThrow
String ID:
API String ID: 3140249258-0
Opcode ID: f167dfc6a43ddc5cf520e49c39381da664e7ab37553070fadb11f3903c1c06fc
Instruction ID: f06f14ecd59424b03bcaad44ac56cb529252162dca009bdf19e8b668ce3253c0
Opcode Fuzzy Hash: f167dfc6a43ddc5cf520e49c39381da664e7ab37553070fadb11f3903c1c06fc
Instruction Fuzzy Hash: A521AFB5508344ABC240DF55C940B4BBBECEFEA668F000A2EF84583391D771E908CFA2

Function 6E98DD20 Relevance: 1.6, APIs: 1, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6E9AF0E6,000000FF,6E98DF67,00000000,?), ref: 6E98DDB4

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5470b48ee255deaa0277c170c9a26743e44f4a11589338b36cd23ddd9ed80287
Instruction ID: 880ac9302ca545d78d1f9206eb97563588105af9921e1fa1431111f1303e6306
Opcode Fuzzy Hash: 5470b48ee255deaa0277c170c9a26743e44f4a11589338b36cd23ddd9ed80287
Instruction Fuzzy Hash: 7411A2B1608B615FE710CF98C89179773ECEF45A10F080D2AE915C7780EB79D4048F91

Function 6E98D7F0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6E98D803

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: bda0048bd52aca266d85e830790c48ee8e5f0ca8d9867cebb2bbbaf425597a00
Instruction ID: c09f55f0feeb1e5b8540674773b9f9583d5807043faa7ce098434a66e5ba0975
Opcode Fuzzy Hash: bda0048bd52aca266d85e830790c48ee8e5f0ca8d9867cebb2bbbaf425597a00
Instruction Fuzzy Hash: 12D05EB1B0536216D6209A949C05B8776CC4F51A44F19482AF559D2390D6B4D8418EE5

Function 6E9B35E0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6E9B35F5

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 9d331ead13966a9778a91e5f9c77409a784d470a7c652d4646615e781db4f79f
Instruction ID: 0d38a8195a6538363787dd876d7ff0cfae8222cada23322eb36c8e0cce363894
Opcode Fuzzy Hash: 9d331ead13966a9778a91e5f9c77409a784d470a7c652d4646615e781db4f79f
Instruction Fuzzy Hash: 51D05EB1505A229BEF50CAA4981AB8733EC5F12A40F080010E504C7284EFB4D8408F64

Function 6E98D7D5 Relevance: 1.5, APIs: 1, Instructions: 8encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6E98D7E0

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 172fc3a902fdcccf9ae4691d593a7013857e20ebbf9c3c78da4260503a4e5360
Instruction ID: 6304e7afdb30b2de0d28c658bf87f0e8dc45a543fef630dcd7ec48ef4ada38bf
Opcode Fuzzy Hash: 172fc3a902fdcccf9ae4691d593a7013857e20ebbf9c3c78da4260503a4e5360
Instruction Fuzzy Hash: 31B012F0B0520167EF3C8F118B68B2B3A1D6F41F46F10484C660A553908A63E402CD04

Function 6E985830 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

@, xrefs: 6E985A30

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 87301c1e1620c97d990bc2f692860f4cb7b400d4596613ba8475f39e5d7b100b
Instruction ID: 8c5d483c9c0b01485e4b4edb872a6d10cd8eaddc2db00b8777421db31e940f80
Opcode Fuzzy Hash: 87301c1e1620c97d990bc2f692860f4cb7b400d4596613ba8475f39e5d7b100b
Instruction Fuzzy Hash: 37916C71818B868BE701CF6CC8829AAB7A0FFD9354F149B1DFDD562210EB35D548CB81

Function 6E9ABFF1 Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 6E9AC001

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: f743e58687c36d3f23855f093b5d43751b6759406f7d0d0b8242fcdc488856ac
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 986139B1A007168FDB18CF88C4946AABBF2BF84314F1AC5AED9195F365C7B1D954CB80

Function 6E9858D7 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

@, xrefs: 6E985A30

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e46e8281a9deb3a52b8c2ef0ee3fb48392f647ce4e45e089888081192aa57ad8
Instruction ID: 1aba8a9d73820a39c1cfe7caf5c7a456cbb6429f4926256dd5bbe5feea161c1c
Opcode Fuzzy Hash: e46e8281a9deb3a52b8c2ef0ee3fb48392f647ce4e45e089888081192aa57ad8
Instruction Fuzzy Hash: DC519F72818B829BE311CF6DC8829ABF7A0BFD9244F209B1DFDD562611EB75C544CB81

Function 6E9858D5 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

@, xrefs: 6E985A30

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3de0045e5c6d1a8ec8c6755177c3c4be8090bd8d618057417eb006cb60e37b2d
Instruction ID: f176670fb2c2266c64601c44a34b49bae64168605e8eb9e62ae130e4128c6008
Opcode Fuzzy Hash: 3de0045e5c6d1a8ec8c6755177c3c4be8090bd8d618057417eb006cb60e37b2d
Instruction Fuzzy Hash: 83516F71818B869BE301CF6DC8819ABF7A0BFD9244F209B1DFDD562611EB75C544CB81

Function 017573FA Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

:, xrefs: 01757610

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: :
API String ID: 0-336475711
Opcode ID: 0c401dd303462324f3f60539a9adbdcfd1dcc71732445747d965312d8321cbe7
Instruction ID: d27e22e46423437bdb6dd3946505767aef8636e5c6e33da8e22de6e94bf9487a
Opcode Fuzzy Hash: 0c401dd303462324f3f60539a9adbdcfd1dcc71732445747d965312d8321cbe7
Instruction Fuzzy Hash: 69616E74E016298FDB64CB68CD80B9DBBF1FF89300F5482E9D558EB245D7709A858F11

Function 03291B48 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

lq, xrefs: 03291BAF

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: lq
API String ID: 0-573745274
Opcode ID: 83241b55b781feae77ebd13794c3a3376749c0632065555f3871f60546a3a336
Instruction ID: b24568f485a1dcd779667390d8f9a796589ea28ddc582c812518fc3aafbf0861
Opcode Fuzzy Hash: 83241b55b781feae77ebd13794c3a3376749c0632065555f3871f60546a3a336
Instruction Fuzzy Hash: C331D275E01208AFDB04CFA5D484AEEFBF5FF49310F10906AE915B7260DB709A04CBA9

Function 03291B50 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

lq, xrefs: 03291BAF

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID: lq
API String ID: 0-573745274
Opcode ID: 7a0e06e6e7981aac9a9c8e81f53e9b30b6326aae48448aa6fa4ba2905c339587
Instruction ID: caf186d1381d39519f120b01737c5601f19c90cac76deaf68853c2cf837f25d7
Opcode Fuzzy Hash: 7a0e06e6e7981aac9a9c8e81f53e9b30b6326aae48448aa6fa4ba2905c339587
Instruction Fuzzy Hash: 6E31B275E01208AFDB04CFA5D484AEEFBF5EF49310F10906AE915B7260DB709A048B99

Function 6E973460 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction ID: aa74d366f6ce4f68929a12cab1b95c4886cb057314d35bff452369b36ed46ff4
Opcode Fuzzy Hash: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction Fuzzy Hash: 755299716483058FC758CF5EC98054AF7F2BBC8718F18CA7DA599C6B21E374E9468B82

Function 6E973E50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction ID: f58f59fd753db1d5a06673b96f9205d3f47784dbc8776f863be213912ecc1d89
Opcode Fuzzy Hash: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction Fuzzy Hash: AA223E71A083058FC344CF69C88064AF7E2FFC8318F59892DE598D7715E775EA4A8B92

Function 6E974AC0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction ID: 9ded071ad59cd704732e825f270e8da77efaef640fe718d0d309e11cafb84771
Opcode Fuzzy Hash: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction Fuzzy Hash: A80296717443018FC758CF6ECC8154AB7E2ABC8314F19CA7DA499C7B21E778E94A8B52

Function 6E985050 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e485bdb1e59d7b42e29f3a8aa3fe403936397c163f8a5a3f88d2470699029853
Instruction ID: 34543e006108cd0440bf8b9ecf966d207909658ea972eab33a099acbe9918cdf
Opcode Fuzzy Hash: e485bdb1e59d7b42e29f3a8aa3fe403936397c163f8a5a3f88d2470699029853
Instruction Fuzzy Hash: D502903280A2B49FDB92EF5ED8405AB73F5FF90355F43892ADC8163241D335EA099B94

Function 6E974550 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction ID: 5f0367c05d9e803403292a80ae2ee566663ed1d763c363ca41ed2b3cb0e999bd
Opcode Fuzzy Hash: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction Fuzzy Hash: 2ED1A4716443018FC348CF1EC98164AF7E2BFD8718F19CA6DA599C7B21D379E9468B42

Function 6E985274 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction ID: c90962f4f351e742a589fa77946b7e0647bca30d4e324d4321a4cdcf81c33502
Opcode Fuzzy Hash: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction Fuzzy Hash: F0A1423241A2B49FDB92EF6ED8400AB73E5EF94355F43892FDCC167281C235EA089795

Function 6E973260 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction ID: 77c67e4e61c8f026e6fc0232a3d214a61c66183bd9c4334c8bf01a2cff0a98da
Opcode Fuzzy Hash: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction Fuzzy Hash: 8171A371A083058FC344CF1AC94164AF7E2FFC8718F19C96DA898C7B21E775E9468B82

Function 6E973C90 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction ID: c816e45da3559c3907b7fb3d5880d540d82664f1bd06f7db55950fe47940c881
Opcode Fuzzy Hash: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction Fuzzy Hash: 1F51F776A083058FC344CF69C88064AF7E2FBC8318F59C93DE999C7715E675E94A8B81

Function 6E974970 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction ID: 69990af1b33206951b8dcabbca6b0527f4b1e7b774d6cca876f21f347aff3c55
Opcode Fuzzy Hash: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction Fuzzy Hash: 9441D972B042168FCB48CE2ECC4165AF7E6FBC8210B4DC639A859C7B15E734E9498B91

Function 03290554 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f47d64676ac6721b02c7348975aecd388139d1b8c739d3e0bee53eb8f2c30e
Instruction ID: b2e0c60058fd452a682adc1aac13eefbec3f2dd1ec32349a2b7afd1333fafcc0
Opcode Fuzzy Hash: 17f47d64676ac6721b02c7348975aecd388139d1b8c739d3e0bee53eb8f2c30e
Instruction Fuzzy Hash: 9A51DDB4D1034D9FEF24CFA9D884BAEBBF1BB49304F24912AE414AB290D7749885CF44

Function 03290560 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 378e4feadde3055ad8c89781cf2bc0e494515d34795228e40aa9cae23669a8d2
Instruction ID: cd0288c9f7a3b6c76b2294e90f721cd5e399e80ce8fd082cc0adb24d3eb74d59
Opcode Fuzzy Hash: 378e4feadde3055ad8c89781cf2bc0e494515d34795228e40aa9cae23669a8d2
Instruction Fuzzy Hash: 3841DCB4D1034D9FEF24CFA9D985B9DFBF5AB49304F24902AE818AB290D7749885CF44

Function 6E984EE0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8bf5a89ffef69f344e6e8193914170c14a28b6c4aea654e567071568625f4c
Instruction ID: 54e266ca1b948d18c4b7d45ce2eb3f73dda5b1e77e0546b370a1b9394bb978cb
Opcode Fuzzy Hash: 1f8bf5a89ffef69f344e6e8193914170c14a28b6c4aea654e567071568625f4c
Instruction Fuzzy Hash: D6419E7120C30D0ED35CFEE496DB397B6D4E789280F41543F9A018A1A2FEA0955996D4

Function 01752524 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266019168.0000000001750000.00000040.00000800.00020000.00000000.sdmp, Offset: 01750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1750000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d02797deb3a67f8730633d47249deab97e9a80fdd50306ed50b6e95c4e9e6c
Instruction ID: 8a15d4f261e8bbe0960d34bce8d7c18c9389ea6b398f0b6d793059a716b66853
Opcode Fuzzy Hash: 41d02797deb3a67f8730633d47249deab97e9a80fdd50306ed50b6e95c4e9e6c
Instruction Fuzzy Hash: FA412EB1E05A188BEB58CF6BCD4479AFAF3AFC9301F54C1B9C44CA6255DB7009458F11

Function 03299F50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ac40019b237c7bcca0805688784f2455af0e1ed9b6b9d9c3244007eb6d31eb
Instruction ID: 78e1166fca24fa085e8f3fbaeec9068b04521cfa80a79eca552f9df9281ab9ad
Opcode Fuzzy Hash: 56ac40019b237c7bcca0805688784f2455af0e1ed9b6b9d9c3244007eb6d31eb
Instruction Fuzzy Hash: 1931DDB8D14258CFDB10CFA9D484AEEFBF0AB09310F14902AE814B7240C739A985CF64

Function 03299F58 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00322d60ddf866d3fe41eca1789de41659fa4673a63bd1ba346475ccd9a1cb7c
Instruction ID: c2f7557a8be925393f24ce476caea59864abd3ef7a80db1f947c5150e7c4f163
Opcode Fuzzy Hash: 00322d60ddf866d3fe41eca1789de41659fa4673a63bd1ba346475ccd9a1cb7c
Instruction Fuzzy Hash: 9131BBB4D15258DFDB10CFA9D484AEEFBF4AB49310F14902AE818B7250D738A985CF64

Function 03291A38 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5705ad9ae9bde45bddd647ac77531d5ce011eb5b190f50097b46c871cb523246
Instruction ID: 29f0515d9c48190200aa905a93bb275314b75fd1cf26ab0677fd46da1b7e22bc
Opcode Fuzzy Hash: 5705ad9ae9bde45bddd647ac77531d5ce011eb5b190f50097b46c871cb523246
Instruction Fuzzy Hash: 3B31D375E01209AFDB04CFA5D484AEEFBF1FF49300F10906AE915BB260DB709A05CB95

Function 03291C5A Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f087ad85f38e664d12f66e2a6fbe709364fe0c0f9ce89e39985c32975190584
Instruction ID: afdce29806d7796c89d493487b0d4e45855fe1d3741d7260fabf02ec00b3cb9d
Opcode Fuzzy Hash: 3f087ad85f38e664d12f66e2a6fbe709364fe0c0f9ce89e39985c32975190584
Instruction Fuzzy Hash: 8A31C175E41208AFDB04CFA5D484AEEFBF5FF49310F10906AE915BB260DB709A05CBA5

Function 03291A40 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ec449c8514a984cea3ab29f58578ba48b425c42be31c24bccaa21645191daa7
Instruction ID: 1bf596ce81551b2568458de23c4c50bb2677623d1c2b45db2fddb002223eda0a
Opcode Fuzzy Hash: 5ec449c8514a984cea3ab29f58578ba48b425c42be31c24bccaa21645191daa7
Instruction Fuzzy Hash: FC31C475E01208AFDB04CFA5D484AEEFBF5FF49310F10906AE915B7260DB70AA44CB95

Function 03291C60 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0896a4c5523f56fd153edf31e26bd257ba40ea3ecc77337e331537e6e7f4e64c
Instruction ID: d818c59b7dd55b55522dfdfdeb9fa1af16d880914ddd9b81a624c0f1dfc329d0
Opcode Fuzzy Hash: 0896a4c5523f56fd153edf31e26bd257ba40ea3ecc77337e331537e6e7f4e64c
Instruction Fuzzy Hash: 5931C275E01208AFDB04CFA5D484AEEFBF5FF49310F10906AE915B7260DB70AA04CBA5

Function 6E936650 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction ID: 3322faebe9e435f4bbe604b0833a1456fea73228f048d67ec45fdc8d03230cb4
Opcode Fuzzy Hash: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction Fuzzy Hash: 5321E7367155624BE705CE2EC8908A6B7A7FF8D31472981F9E808CB283CA70E916C7D0

Function 6E938B30 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction ID: 77e744e144684fc2eb64045e7a3d23c418bffae2f5e45bfbb2be96410316c525
Opcode Fuzzy Hash: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction Fuzzy Hash: AD219F757046974BE719CF2EC84059BBBA7EFD9300B1980B7E858DB242C674E866CBD0

Function 6E93C7B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction ID: 56c03b565510826836395351bbb2b44035b6968ebbd4edee8518492a9907ccd1
Opcode Fuzzy Hash: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction Fuzzy Hash: EB11E63A709A530BF308CE2EE844493B797EFCD31476A85AEA858DF146C771E416CA91

Function 6E93A7E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction ID: 08d643dc1901933b5d0d4e19dff38376578eef0f9d4f57754522601d65c7ad60
Opcode Fuzzy Hash: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction Fuzzy Hash: A9110A31A156A24BD7018E2DC4406D77B6BAFCE710B1A41EAD854DF257C7B4D81BC7D0

Function 03299A88 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dadbfe3adbfb0b66bf4c1413387d0617cacabd9bfb7d8947eed8b5604580509
Instruction ID: a5a5d69b24ee234df54bbb1491b2500070334ecee308de04307913e7b9a7a94a
Opcode Fuzzy Hash: 2dadbfe3adbfb0b66bf4c1413387d0617cacabd9bfb7d8947eed8b5604580509
Instruction Fuzzy Hash: 7521ACB4D152088FDB20CF99D584AEEFBF1EB49320F24901AE819B7350C735A945CF64

Function 03299A90 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1266702418.0000000003290000.00000040.00000800.00020000.00000000.sdmp, Offset: 03290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3290000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca1934409a3814d8eff3e17301b822fa45f0f5f149545e3588e2361b5991067
Instruction ID: c659bcae6f95b4d47fa16d377db5adf1be171d3d0b9facc9b0d13bea37568030
Opcode Fuzzy Hash: 5ca1934409a3814d8eff3e17301b822fa45f0f5f149545e3588e2361b5991067
Instruction Fuzzy Hash: 10219BB5D112189FDB20CFA9D584ADEFBF4EB49320F24901AE818B3350C735A945CF65

Function 6E9984B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c9017b505fbbe853e81ab0812d29d446aa82f96e6eabd9ebdf9569441b6532
Instruction ID: 59ee1506ef657013f072f4d5a5deb8decdb2c7573a4a6dc4589f233058947d4c
Opcode Fuzzy Hash: a2c9017b505fbbe853e81ab0812d29d446aa82f96e6eabd9ebdf9569441b6532
Instruction Fuzzy Hash: 5E115E72908609EFC714CF59D841799FBF4FB85724F10826EE81997B80E735A940CB90

Function 6E9A6FB1 Relevance: 54.3, APIs: 36, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 6E9A6FCC

Part of subcall function 6E9A4147: DName::DName.LIBCMT ref: 6E9A415A
Part of subcall function 6E9A4147: DName::operator+.LIBCMT ref: 6E9A4161

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: 640f68247fa2921d580a7bfcb08774018fe350347b7d335d35fb11e4bc19f9ef
Instruction ID: 3be8eee1de7ca7e8f9a7cfc730981c16b536ced3e9112f4027a4c2059e675a0a
Opcode Fuzzy Hash: 640f68247fa2921d580a7bfcb08774018fe350347b7d335d35fb11e4bc19f9ef
Instruction Fuzzy Hash: DBD10BB1910209AFDF00DFECD895AEEBBF9AF59314F10445AEA11AB290DB34DA45CF50

Function 6E99EC9D Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99ECA5
__mtterm.LIBCMT ref: 6E99ECB1

Part of subcall function 6E99E97C: DecodePointer.KERNEL32(00000012,6E99A397,6E99A37D,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99E98D
Part of subcall function 6E99E97C: TlsFree.KERNEL32(0000000A,6E99A397,6E99A37D,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99E9A7
Part of subcall function 6E99E97C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6E99A397,6E99A37D,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E9A2325
Part of subcall function 6E99E97C: DeleteCriticalSection.KERNEL32(0000000A,?,?,6E99A397,6E99A37D,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E9A234F

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6E99ECC7
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6E99ECD4
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6E99ECE1
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6E99ECEE
TlsAlloc.KERNEL32(?,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99ED3E
TlsSetValue.KERNEL32(00000000,?,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99ED59
__init_pointers.LIBCMT ref: 6E99ED63
EncodePointer.KERNEL32(?,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99ED74
EncodePointer.KERNEL32(?,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99ED81
EncodePointer.KERNEL32(?,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99ED8E
EncodePointer.KERNEL32(?,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99ED9B
DecodePointer.KERNEL32(Function_0006EB00,?,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99EDBC
__calloc_crt.LIBCMT ref: 6E99EDD1
DecodePointer.KERNEL32(00000000,?,?,6E99A2D4,6E9C95C0,00000008,6E99A468,?,?,?,6E9C95E0,0000000C,6E99A523,?), ref: 6E99EDEB
GetCurrentThreadId.KERNEL32 ref: 6E99EDFD

Strings

KERNEL32.DLL, xrefs: 6E99ECA0
FlsSetValue, xrefs: 6E99ECD6
FlsFree, xrefs: 6E99ECE3
FlsGetValue, xrefs: 6E99ECC9
FlsAlloc, xrefs: 6E99ECC1

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1868149495-3819984048
Opcode ID: 11033eb70835035e827e1f4c610143b59d2e394467de9a1740477b89f9e5ee2b
Instruction ID: 466ebe51d7388837c44102bda963062e3e52e9747d40ab32cfe2787328d7f30d
Opcode Fuzzy Hash: 11033eb70835035e827e1f4c610143b59d2e394467de9a1740477b89f9e5ee2b
Instruction Fuzzy Hash: 9E315B3185CF259BDF51EFF598086167BE8FFA7660718052AE8209B290EB30D481EF90

Function 6E940EA0 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E940EF2
std::_Xinvalid_argument.LIBCPMT ref: 6E940F14
_memmove.LIBCMT ref: 6E940F70
_memmove.LIBCMT ref: 6E940F95
_memmove.LIBCMT ref: 6E940FA9
_memmove.LIBCMT ref: 6E940FDB
_memmove.LIBCMT ref: 6E941182
std::_Xinvalid_argument.LIBCPMT ref: 6E9411B6

Strings

string too long, xrefs: 6E940EED, 6E940F0F
invalid string position, xrefs: 6E9411B1

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 38c31f6a26e1f8570b94a0b6e5b59199176b5d9bdd6cbc11f32544af7e238966
Instruction ID: 0799ba04b1b524ad0224b938a0a3e1ff886ce32a32548c9ea7e28c3d3f38fb52
Opcode Fuzzy Hash: 38c31f6a26e1f8570b94a0b6e5b59199176b5d9bdd6cbc11f32544af7e238966
Instruction Fuzzy Hash: 3BB16FB1710146DFEB28CF9DCC90AAF73AAEF963447144919E4528B741D730EC958FA2

Function 6E9A7FC4 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getBasicDataType.LIBCMT ref: 6E9A7FFF
DName::operator=.LIBCMT ref: 6E9A8013
DName::operator+=.LIBCMT ref: 6E9A8021
UnDecorator::getPtrRefType.LIBCMT ref: 6E9A804D
UnDecorator::getDataIndirectType.LIBCMT ref: 6E9A80CA
UnDecorator::getBasicDataType.LIBCMT ref: 6E9A80D3
operator+.LIBCMT ref: 6E9A8166

Strings

volatile, xrefs: 6E9A800B, 6E9A8139
std::nullptr_t, xrefs: 6E9A8122

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Decorator::getType$Data$Basic$IndirectName::operator+=Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 2203807771-3726895890
Opcode ID: 59354072b06e06a0ff81f1cb9509a98ffa2c25610845406d86e7aff6ea2baa2e
Instruction ID: 23b4e7f42fbec336f1a4a0772faf7b4a674bb1097b0bf0efefb0e33978c0f97d
Opcode Fuzzy Hash: 59354072b06e06a0ff81f1cb9509a98ffa2c25610845406d86e7aff6ea2baa2e
Instruction Fuzzy Hash: 8B41AEB240859ABFCF689FECC8989EE7B78FF42345F408465EB549A241D730D6828F50

Function 6E94F95E Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 332COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E94FA0F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E94FA22
SafeArrayGetElement.OLEAUT32 ref: 6E94FA5A

Part of subcall function 6E953A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E953B71
Part of subcall function 6E953A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E953B83

Part of subcall function 6E9569C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E956A08
Part of subcall function 6E9569C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E956A15
Part of subcall function 6E9569C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E956A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Part of subcall function 6E94DFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E94DFF6
Part of subcall function 6E94DFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E94E003
Part of subcall function 6E94DFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E94E02F

Strings

RS7m, xrefs: 6E94FC82
RS{m, xrefs: 6E94FC3E

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: RS7m$RS{m
API String ID: 959723449-144615663
Opcode ID: c477648a8f9492cdec8f2c61d2348547638dd73bb929dec49f49b6a6302433a5
Instruction ID: ee45c593dfd9b4403fc4ff027dea1327b52125969aa8b4962e76e15e4e5a1c8e
Opcode Fuzzy Hash: c477648a8f9492cdec8f2c61d2348547638dd73bb929dec49f49b6a6302433a5
Instruction Fuzzy Hash: 65C11B70A00205EFDB54DFA8CC90FA9B7BDAF85308F244598E945AB386DB71E981CF50

Function 6E953690 Relevance: 18.2, APIs: 12, Instructions: 215COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E9536CD
VariantInit.OLEAUT32(?), ref: 6E9536DA
VariantInit.OLEAUT32(?), ref: 6E9536E0
VariantInit.OLEAUT32(?), ref: 6E9536E6
VariantInit.OLEAUT32 ref: 6E9537DD
VariantCopy.OLEAUT32(?,?), ref: 6E9537E4
VariantInit.OLEAUT32 ref: 6E953815
VariantCopy.OLEAUT32(?,?), ref: 6E95381C
VariantClear.OLEAUT32(?), ref: 6E9538A8
VariantClear.OLEAUT32(?), ref: 6E9538AE
VariantClear.OLEAUT32(?), ref: 6E9538B4
VariantClear.OLEAUT32(?), ref: 6E9538BA

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: f6a4396177dd033ad9b9aaad638929f86bc412794f182c337fa0b16d07af47a5
Instruction ID: 8e519ba5227653f3e7adeb14cb5e1f025f0ff2a81111b8d6deb44547b10ab893
Opcode Fuzzy Hash: f6a4396177dd033ad9b9aaad638929f86bc412794f182c337fa0b16d07af47a5
Instruction Fuzzy Hash: 548148B1900219AFDB04DBE8C884AEEBBB9BF89304F14455DE505AB344EB74E915CF90

Function 6E95D880 Relevance: 18.2, APIs: 12, Instructions: 202COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E95D8EC
VariantInit.OLEAUT32 ref: 6E95D902
VariantInit.OLEAUT32(?), ref: 6E95D90D
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E95D929
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6E95D966
VariantClear.OLEAUT32(?), ref: 6E95D973
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6E95D9B4
VariantClear.OLEAUT32(?), ref: 6E95D9C1
SafeArrayDestroy.OLEAUT32(?), ref: 6E95DA6F
VariantClear.OLEAUT32(?), ref: 6E95DA80
VariantClear.OLEAUT32(?), ref: 6E95DA87
VariantClear.OLEAUT32(?), ref: 6E95DA99

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: 09a47060af2402de582cf210a90c9e286c448a9bd9459ea297d811dcd3cfd578
Instruction ID: d5742e6d1884ac36970ceb96055f43ef8cf2cfd83ef8e6f2620b04f08cef986d
Opcode Fuzzy Hash: 09a47060af2402de582cf210a90c9e286c448a9bd9459ea297d811dcd3cfd578
Instruction Fuzzy Hash: D08102766087029FC700CFA8C884B5BB7E8AFD9714F048A5DE9959B350E774E906CF92

Function 6E9412A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E9412DD
std::_Xinvalid_argument.LIBCPMT ref: 6E9412FB
_memmove.LIBCMT ref: 6E941368
_memmove.LIBCMT ref: 6E94139F
std::_Xinvalid_argument.LIBCPMT ref: 6E94140C

Strings

string too long, xrefs: 6E9412D8, 6E9412F6
invalid string position, xrefs: 6E941407

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: efa7934fe02c2c856bc1c72aba9c049575586bed3452d70b3da743fad4afdf20
Instruction ID: d24fbe3db4cbb7dd91c7aad086557e009bbc1db79070db18831693dc78294423
Opcode Fuzzy Hash: efa7934fe02c2c856bc1c72aba9c049575586bed3452d70b3da743fad4afdf20
Instruction Fuzzy Hash: 89415431300206DFE714CEDEDC90AAEB7AAEF862547240D2EE891C7B41D770D8598BA1

Function 6E954BA0 Relevance: 15.5, APIs: 10, Instructions: 475COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E954BDC
VariantInit.OLEAUT32(?), ref: 6E954BE5
VariantInit.OLEAUT32(?), ref: 6E954BEB
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E954BF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E954C2A
VariantClear.OLEAUT32(?), ref: 6E954C37
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E955107
VariantClear.OLEAUT32(?), ref: 6E955117
VariantClear.OLEAUT32(?), ref: 6E95511D
VariantClear.OLEAUT32(?), ref: 6E955123

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: e6c29134334e0bb643955fab7018f54da785c49d637917adfc758c8ad1ef24f0
Instruction ID: fc932255b450fd245f923217822f37a3289e352ff0dc1b8a1323767973370f13
Opcode Fuzzy Hash: e6c29134334e0bb643955fab7018f54da785c49d637917adfc758c8ad1ef24f0
Instruction Fuzzy Hash: A112E475A15705AFC758DBE8DD84DAAB3B9BF8D300F144668F50AABB91CA30F841CB50

Function 6E9549B0 Relevance: 15.2, APIs: 10, Instructions: 174COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6E9B05A8), ref: 6E9549EE
VariantInit.OLEAUT32(?), ref: 6E9549F7
VariantInit.OLEAUT32(?), ref: 6E9549FD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E954A08
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E954A39
VariantClear.OLEAUT32(?), ref: 6E954A45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E954B66
VariantClear.OLEAUT32(?), ref: 6E954B76
VariantClear.OLEAUT32(?), ref: 6E954B7C
VariantClear.OLEAUT32(6E9B05A8), ref: 6E954B82

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 057313d3c2389577e01fc1c2c88374ddf7a2596d1b8ec2caf16a12cf0f088174
Instruction ID: d051add1bcdeb3d5f0f3b3f351c988ac532c9fcd49b7f1aebc071e0f981c9b94
Opcode Fuzzy Hash: 057313d3c2389577e01fc1c2c88374ddf7a2596d1b8ec2caf16a12cf0f088174
Instruction Fuzzy Hash: 18513B72A00219AFDB44DFA4CC84EAEB7B8FF99310F044559E915AB344D735E912CFA0

Function 6E9547D0 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E95480C
VariantInit.OLEAUT32(?), ref: 6E954815
VariantInit.OLEAUT32(?), ref: 6E95481B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E954826
SafeArrayPutElement.OLEAUT32(00000000,000000FF,?), ref: 6E95485B
VariantClear.OLEAUT32(?), ref: 6E954868
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E954974
VariantClear.OLEAUT32(?), ref: 6E954984
VariantClear.OLEAUT32(?), ref: 6E95498A
VariantClear.OLEAUT32(?), ref: 6E954990

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 5c2aeec3606a4b86de355bdb9117d2714a8e4957024c747b344a59e1c28de850
Instruction ID: d542a30a14fb42f8ce9401b7edaa1c4c403659abc62df9943900d0550f7a27da
Opcode Fuzzy Hash: 5c2aeec3606a4b86de355bdb9117d2714a8e4957024c747b344a59e1c28de850
Instruction Fuzzy Hash: 78513872904249AFDB14DFE8C880EAEB7B9FF99310F144569E506AB644D730E906CFA0

Function 6E94DCD0 Relevance: 15.1, APIs: 10, Instructions: 138COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E94DD00
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000003), ref: 6E94DD10
SafeArrayPutElement.OLEAUT32(00000000,6E952FFF,?), ref: 6E94DD47
VariantClear.OLEAUT32(?), ref: 6E94DD4F
SafeArrayPutElement.OLEAUT32(00000000,6E952FFF,?), ref: 6E94DD6D
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6E94DDA4
VariantClear.OLEAUT32(?), ref: 6E94DDAC
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E94DE16
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E94DE27
VariantClear.OLEAUT32(?), ref: 6E94DE31

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Variant$ClearElement$Destroy$CreateInitVector
String ID:
API String ID: 3525949229-0
Opcode ID: 8c5d5a5190946c9a84b45a9c59985238d23c68be286e3832e888d7121fa0a54e
Instruction ID: 32c47bf1a06bb01da84281831156489c62ca60899b39a25a592a0cc2c8eeda57
Opcode Fuzzy Hash: 8c5d5a5190946c9a84b45a9c59985238d23c68be286e3832e888d7121fa0a54e
Instruction Fuzzy Hash: 15513D75A04609AFDB00DFA5C894EDFBBB8EF9A700F008119EA15A7350EB34D901CFA0

Function 6E96C1B0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 266COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E96C213

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

Strings

gfff, xrefs: 6E96C3A3
gfff, xrefs: 6E96C2EA
vector<T> too long, xrefs: 6E96C20E
gfff, xrefs: 6E96C259
gfff, xrefs: 6E96C1F2
gfff, xrefs: 6E96C3F7
gfff, xrefs: 6E96C222

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$gfff$gfff$gfff$gfff$vector<T> too long
API String ID: 1823113695-1254974138
Opcode ID: 4bb46e7a253dbcc4ad4d769a94f70ac85eec889cdaff5c06cf512ed0a2176dfb
Instruction ID: 36d2e00c631b9451c8f1dbdcabd70d1d8fb6d33a2437cd9df527ddebe898414a
Opcode Fuzzy Hash: 4bb46e7a253dbcc4ad4d769a94f70ac85eec889cdaff5c06cf512ed0a2176dfb
Instruction Fuzzy Hash: 059155B1600209AFDB18CF99D890EAAB7B9EF98314F04861DF955DB344E770B904CB91

Function 6E940CD0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E940D3A
std::_Xinvalid_argument.LIBCPMT ref: 6E940D60
_memmove.LIBCMT ref: 6E940D95
std::_Xinvalid_argument.LIBCPMT ref: 6E940DBF
_memmove.LIBCMT ref: 6E940E3E

Strings

string too long, xrefs: 6E940D5B, 6E940DBA
invalid string position, xrefs: 6E940D35

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: d8a3788430ec1692fdb443694cabd072aa4b445b5d112655ec88236fead0482e
Instruction ID: 42ac885f6e30b965d495b7d947362e86c59f4d4a9c522d2a4ad3e28044dfef3b
Opcode Fuzzy Hash: d8a3788430ec1692fdb443694cabd072aa4b445b5d112655ec88236fead0482e
Instruction Fuzzy Hash: A151B432310206DFD724DE9CD880A6FB3AAEFE5314B24491DE855C7784E770E8548F92

Function 6E961B20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6E961C5E
LoadLibraryW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6E961C69
GetProcAddress.KERNEL32(00000000,F1F2E532), ref: 6E961CA2
GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6E961CC1
LoadLibraryW.KERNEL32(kernel32.dll,?,00000000), ref: 6E961CCC
GetProcAddress.KERNEL32(00000000,EFF3E52B), ref: 6E961D0A

Strings

kernel32.dll, xrefs: 6E961CBA, 6E961CC7
User32.dll, xrefs: 6E961C57, 6E961C64

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: User32.dll$kernel32.dll
API String ID: 310444273-1965990335
Opcode ID: 2295308e57821e1b279a0179d4a5dd6d1e2b2a5b412577da08176fb73fc61ffb
Instruction ID: 7b71ad59eeb92ac3e8cbede49035e858a6c9822c20f7bee3942335d2a1298160
Opcode Fuzzy Hash: 2295308e57821e1b279a0179d4a5dd6d1e2b2a5b412577da08176fb73fc61ffb
Instruction Fuzzy Hash: 216162B4504B108FD760CF9AC191A6BBBF2FF96700F608919D5968BB42D735E84ACF81

Function 6E9A4409 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 6E9A442E

Part of subcall function 6E9A3FC9: Replicator::operator[].LIBCMT ref: 6E9A404C
Part of subcall function 6E9A3FC9: DName::operator+=.LIBCMT ref: 6E9A4054

DName::operator+.LIBCMT ref: 6E9A4487
DName::DName.LIBCMT ref: 6E9A44DF

Strings

,<ellipsis>, xrefs: 6E9A447A, 6E9A447F
..., xrefs: 6E9A44C2
<ellipsis>, xrefs: 6E9A44C9, 6E9A44CE
void, xrefs: 6E9A44D7
,..., xrefs: 6E9A4473

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 78cbd65bffa58a5bddb569a684793e7286cb70bc83f33612df6d212dc7c744ab
Instruction ID: fc7813e27e42998ee08f619f01fbb8d91fcba7f811dc6f016e893243e84bee42
Opcode Fuzzy Hash: 78cbd65bffa58a5bddb569a684793e7286cb70bc83f33612df6d212dc7c744ab
Instruction Fuzzy Hash: FB2159B4204A0AAFCF01CB9CC894AA97BF9EF46389B508199E945CF316CB30D943CF50

Function 6E9A5D36 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 6E9A5D40
DName::DName.LIBCMT ref: 6E9A5D4C

Part of subcall function 6E9A3B3B: DName::doPchar.LIBCMT ref: 6E9A3B6C

UnDecorator::getScopedName.LIBCMT ref: 6E9A5D8B
DName::operator+=.LIBCMT ref: 6E9A5D95
DName::operator+=.LIBCMT ref: 6E9A5DA4
DName::operator+=.LIBCMT ref: 6E9A5DB0
DName::operator+=.LIBCMT ref: 6E9A5DBD

Strings

void, xrefs: 6E9A5D9C

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: af1a0ac280b1e9ce57dac687583498f5eb63187f42e28c3b7a68ce0c593e6c20
Instruction ID: 74e827807b5933783b4f446df102fc9f584a6e16a09b2846fd0e4cf1e86476bd
Opcode Fuzzy Hash: af1a0ac280b1e9ce57dac687583498f5eb63187f42e28c3b7a68ce0c593e6c20
Instruction Fuzzy Hash: 7011A070604244AFDB04DBFCC89CBED7BB89F61304F408499D615AB291DB30DA46CF40

Function 6E953F10 Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E953F7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E953F8D
VariantInit.OLEAUT32(?), ref: 6E953FB7
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E953FD0
VariantClear.OLEAUT32(?), ref: 6E9540C9
VariantClear.OLEAUT32(?), ref: 6E954105
SafeArrayDestroy.OLEAUT32(?), ref: 6E954123
VariantClear.OLEAUT32(?), ref: 6E954157
VariantClear.OLEAUT32(?), ref: 6E954168

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Bound$DestroyElementInit
String ID:
API String ID: 758290628-0
Opcode ID: 4f59855e0a8381ef3ff63444a60ab956964d728a02ec65304a0b57dfde561f33
Instruction ID: 42d5bed38e5f0fb7e0fa089fac6eeb4e2fa584eb2cf197057434692d4026274a
Opcode Fuzzy Hash: 4f59855e0a8381ef3ff63444a60ab956964d728a02ec65304a0b57dfde561f33
Instruction Fuzzy Hash: 627159765083429FC740DFA8C88495BBBE8BFA9304F144A2CF59687350D735E956CF92

Function 6E93FC30 Relevance: 13.7, APIs: 9, Instructions: 154fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,?,00000000,64F62E83), ref: 6E93FC98
CloseHandle.KERNEL32(FFFFFFFF,?,?,00000000,64F62E83), ref: 6E93FCAD
CloseHandle.KERNEL32(?,?,?,00000000,64F62E83), ref: 6E93FCB7
SetLastError.KERNEL32(00000000,?,?,00000000,64F62E83), ref: 6E93FCBA
CreateFileW.KERNEL32(?,-00000001,00000001,00000000,00000003,00000000,00000000,?,?,00000000,64F62E83), ref: 6E93FD01
GetFileSizeEx.KERNEL32(00000000,?,?,?,00000000,64F62E83), ref: 6E93FD14
GetLastError.KERNEL32(?,?,00000000,64F62E83), ref: 6E93FD2A
CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,64F62E83), ref: 6E93FD6B
MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,00000000,64F62E83), ref: 6E93FD98

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastView$MappingSizeUnmap
String ID:
API String ID: 1303881157-0
Opcode ID: 57dcdf99de7f3655a42e3ce5a555a829a8c20d43037de85235763d6e8d76b1ee
Instruction ID: 19c7df42481189a9cd925a264c19ed917cb52ee8c1e1a90d4afacb59fffc1679
Opcode Fuzzy Hash: 57dcdf99de7f3655a42e3ce5a555a829a8c20d43037de85235763d6e8d76b1ee
Instruction Fuzzy Hash: 9451C6B5A44311AFDB008FB5C894B9677A9AF89324F348659EC15CF2C5E770DC028FA0

Function 6E9942B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E9942DD

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E994363
_memmove.LIBCMT ref: 6E994381
_memmove.LIBCMT ref: 6E9943E6
_memmove.LIBCMT ref: 6E994453
_memmove.LIBCMT ref: 6E994474

Strings

vector<T> too long, xrefs: 6E9942D8

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 4034224661-3788999226
Opcode ID: f4cdbfcb88072ff8e35f871144f1415dcd0050107af58ace4dd2cfd23798995f
Instruction ID: 5829f788d89dd52d9d2db85186a7fe9186dc2a1a356936993ebf0f363b3dad0d
Opcode Fuzzy Hash: f4cdbfcb88072ff8e35f871144f1415dcd0050107af58ace4dd2cfd23798995f
Instruction Fuzzy Hash: CA517FB26043068FD718CFB8DD8596BB7E9EFD8214F184E2DE856C3344E671E905CAA1

Function 6E964B60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E964BC8
std::_Xinvalid_argument.LIBCPMT ref: 6E964BE0
std::_Xinvalid_argument.LIBCPMT ref: 6E964BFA
_memmove.LIBCMT ref: 6E964C64
_memmove.LIBCMT ref: 6E964C81

Strings

string too long, xrefs: 6E964BDB, 6E964BF5
invalid string position, xrefs: 6E964BC3

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: a50eb0b75da4c72d5185a057f5fda5707009bbd203e16535d447c614cdca4227
Instruction ID: dc270a2c0c292b0068a8f88f85d5e912bbfe9f6a5770b8a8121231120dbafd9f
Opcode Fuzzy Hash: a50eb0b75da4c72d5185a057f5fda5707009bbd203e16535d447c614cdca4227
Instruction Fuzzy Hash: DF4151323046118BF6249EEDD8A0AAEB3EAEFD5714B210D2FE051C7750C765D8868F61

Function 6E94FFEA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Strings

RSDi, xrefs: 6E950075

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSDi
API String ID: 4225690600-559181253
Opcode ID: feb76103f3b62b65e8bb53e5f82f87213ad95d3b9050e3ed16d54e8e7ef2db9c
Instruction ID: e8474b0c4db5c720a6fc8c4790f8a54cfeceba9e279378f926eec92a7902b749
Opcode Fuzzy Hash: feb76103f3b62b65e8bb53e5f82f87213ad95d3b9050e3ed16d54e8e7ef2db9c
Instruction Fuzzy Hash: FA413A74A006059FDB40DFA9C990A5AB7BEAF89304F24858AE909DB355DB31E841CF50

Function 6E950815 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Strings

RSUa, xrefs: 6E950864

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSUa
API String ID: 4225690600-2086061799
Opcode ID: bd1ae2aae78e863b21e419fdd30738c0d17b671aecd8fe9a81e8c51e8a096d2e
Instruction ID: 5c4194f487fc1d0415851e7e2ed8aa25b833f010d974660c4920abcdb9afc6dd
Opcode Fuzzy Hash: bd1ae2aae78e863b21e419fdd30738c0d17b671aecd8fe9a81e8c51e8a096d2e
Instruction Fuzzy Hash: DA311770A006199FDB40DFA9C990BAEB7BDAF89300F20859AE918E7351D771E981CF50

Function 6E9506F9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Strings

RSqb, xrefs: 6E950748

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSqb
API String ID: 4225690600-347567867
Opcode ID: 32505c103d67737cb17c97c96cfc87436de3855ea234337a3e827c4ba9c875f6
Instruction ID: bd2df473b80169ce70a86bd3254de3f8b135be40b555a516f994448f58c98149
Opcode Fuzzy Hash: 32505c103d67737cb17c97c96cfc87436de3855ea234337a3e827c4ba9c875f6
Instruction Fuzzy Hash: FA312A70A006199FDB40DFA9CD90BAEB7BDAF89200F20859AE518E7351D775D9418F50

Function 6E950787 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Strings

RSa, xrefs: 6E9507D6

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSa
API String ID: 4225690600-3169278968
Opcode ID: 98cd5df467629adcf8d1bfaa3b2e00de6eb1d83a2dd71279b8af44b74062df78
Instruction ID: e9fe06c2bc88a8fd4b3fcf7fe1e9f5a8312ac8d1542d383ce343aed4df244edf
Opcode Fuzzy Hash: 98cd5df467629adcf8d1bfaa3b2e00de6eb1d83a2dd71279b8af44b74062df78
Instruction Fuzzy Hash: 23312870A006199FDB40DFA9CD90BAEB7BDAF89200F20859AE818EB351D771E9418F50

Function 6E950237 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Strings

RS3g, xrefs: 6E950286

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS3g
API String ID: 4225690600-2794631155
Opcode ID: 456b1ce340ca56cdde74cb35f19e8752a13726eebbaa80fc798a6fba95b4fcbc
Instruction ID: 951fc2a922b208940f6e99724c225965f58bae1fc46818cba4f10bec85c5cd53
Opcode Fuzzy Hash: 456b1ce340ca56cdde74cb35f19e8752a13726eebbaa80fc798a6fba95b4fcbc
Instruction Fuzzy Hash: 39313C70E006199FDB40DFA9CD90BAEB7BDAF89200F248696E418EB355DB71E941CF50

Function 6E95012D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Strings

RS:h, xrefs: 6E95017F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS:h
API String ID: 4225690600-3891202347
Opcode ID: 5fe2962b20dd63aed4c4b9c2d032230e54d65dfbdb616ca51d2cd9f14b6c0e0d
Instruction ID: 91d4c30f2b2eb6ee3e335e0ef4d936bc5e46e633bab95306b497e24e1cb811b4
Opcode Fuzzy Hash: 5fe2962b20dd63aed4c4b9c2d032230e54d65dfbdb616ca51d2cd9f14b6c0e0d
Instruction Fuzzy Hash: 45312A70E006099FDB50DFA9CC90B6EB7BDAF89200F248596E418E7355D771E9418F50

Function 6E98C760 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E98C7EB

Strings

MultiplicativeInverseOfPrime2ModPrime1, xrefs: 6E98C815
Prime2, xrefs: 6E98C876
ModPrime2PrivateExponent, xrefs: 6E98C82C
PrivateExponent, xrefs: 6E98C85F
Prime1, xrefs: 6E98C88A
ModPrime1PrivateExponent, xrefs: 6E98C840

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: type_info::operator!=
String ID: ModPrime1PrivateExponent$ModPrime2PrivateExponent$MultiplicativeInverseOfPrime2ModPrime1$Prime1$Prime2$PrivateExponent
API String ID: 2241493438-339133643
Opcode ID: f25a3fd31c15a65b12fec4e62f28fa0bd2df458563daee5a5c3952d3f405ec91
Instruction ID: fcc7279d6626a23f2b8e6317690c5e34dd65ccf432803b4501b54e866de851cf
Opcode Fuzzy Hash: f25a3fd31c15a65b12fec4e62f28fa0bd2df458563daee5a5c3952d3f405ec91
Instruction Fuzzy Hash: 0E3149709143449EC7449FB8C94558BBBF5AFD5608F444E2EF589AB360EB70D848CF92

Function 6E950457 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Strings

RS%e, xrefs: 6E950494

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS%e
API String ID: 4225690600-1409579784
Opcode ID: 6d6022442d1da83946293fd45c58df6cc1735773d0b51fb684561cfed02c37f6
Instruction ID: 0db3399afad7896db07fed1b0e0bd83037e68fc765794fbf75c38260676a7944
Opcode Fuzzy Hash: 6d6022442d1da83946293fd45c58df6cc1735773d0b51fb684561cfed02c37f6
Instruction Fuzzy Hash: 29311870A006189FDB50DFA9CC80BADB7BEAF85700F24859AE518E7351D775D9418F50

Function 6E94AA00 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E94AA54
VariantInit.OLEAUT32(?), ref: 6E94AA5B
VariantInit.OLEAUT32(?), ref: 6E94AA62
VariantInit.OLEAUT32(?), ref: 6E94AA69
VariantClear.OLEAUT32(?), ref: 6E94ACF2
VariantClear.OLEAUT32(?), ref: 6E94ACF9
VariantClear.OLEAUT32(?), ref: 6E94AD00
VariantClear.OLEAUT32(?), ref: 6E94AD07

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 169816b4e9f4ad8db2cc5e1545aed3fb73d9786865337ca0698213735ce8527a
Instruction ID: 087f51104fb9526ff1b49c3b19971b362f212d9bd0398e6ebe5339bfce58ece5
Opcode Fuzzy Hash: 169816b4e9f4ad8db2cc5e1545aed3fb73d9786865337ca0698213735ce8527a
Instruction Fuzzy Hash: ACC13371608B01DFC340DFA8C880D5BB7EABFD8204F248A5DE5989B264E774E845CF92

Function 6E949D00 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E949DEB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E949DFB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E949E29
SafeArrayDestroy.OLEAUT32(?), ref: 6E949F25
VariantClear.OLEAUT32(?), ref: 6E949FE5

Strings

@, xrefs: 6E949DD7

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: 7063a6e82f83282df81ed27ecc33c33b175c3479fbeb0489238db6687bf93166
Instruction ID: d4b3879f238302ace81d09a9b4f26bbeccc2b9f904c1f11e0af88fcd5af47cba
Opcode Fuzzy Hash: 7063a6e82f83282df81ed27ecc33c33b175c3479fbeb0489238db6687bf93166
Instruction Fuzzy Hash: FCD14871D0024ACFDB00DFE8C984AADBBB9BF89304F2485A9E515AB254D771EE45CF90

Function 6E94B300 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E94B3EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E94B3FB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E94B429
SafeArrayDestroy.OLEAUT32(?), ref: 6E94B525
VariantClear.OLEAUT32(?), ref: 6E94B5E5

Strings

@, xrefs: 6E94B3D7

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: f29acbe0e409b3e941d94b387b9c50fe2e9f5529562798c7f4d19b73975ba1cc
Instruction ID: 5b4f3268c63946d5167f3c71d7c96b73c754016ef1df33bc8da6220381a12dd0
Opcode Fuzzy Hash: f29acbe0e409b3e941d94b387b9c50fe2e9f5529562798c7f4d19b73975ba1cc
Instruction Fuzzy Hash: 1CD14A71D0024ACFDB04DFE8C890A9DBBB9BF88314F248559E515AB358E730EA45CF90

Function 6E971580 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 277COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E9716B2

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

__CxxThrowException@8.LIBCMT ref: 6E97180A

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

Strings

exceeds the maximum of , xrefs: 6E97173F
: message length of , xrefs: 6E97170D
for this public key, xrefs: 6E971771
: this key is too short to encrypt any messages, xrefs: 6E97162A

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaiseXinvalid_argumentstd::_
String ID: exceeds the maximum of $ for this public key$: message length of $: this key is too short to encrypt any messages
API String ID: 3807434085-412673420
Opcode ID: edfb4b0d10971b78dfcfe22aea23a45b9193a36ce05cd53fb8ba3a0f5d6239ff
Instruction ID: d4d3c38b49b3930843370d3e4e92835b6ec243091a2c57d4b121d9b8e950a3bb
Opcode Fuzzy Hash: edfb4b0d10971b78dfcfe22aea23a45b9193a36ce05cd53fb8ba3a0f5d6239ff
Instruction Fuzzy Hash: ACB14C715083809FD324DBA9C890BDBB7E9AFDA304F04491DE58D87351EB71A909CFA2

Function 6E991250 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E99126E

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E9912E0
_memmove.LIBCMT ref: 6E991305
_memmove.LIBCMT ref: 6E991342
_memmove.LIBCMT ref: 6E99135F

Strings

deque<T> too long, xrefs: 6E991269

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 2179f9e37dd865ff42b8ebc0b2b1a2ec69c8c464345cd5c6d59a56cf415475ed
Instruction ID: 77c7135b7af796f30f280eba0c1850f8fa14034ff9da871cd002b27362e39262
Opcode Fuzzy Hash: 2179f9e37dd865ff42b8ebc0b2b1a2ec69c8c464345cd5c6d59a56cf415475ed
Instruction Fuzzy Hash: B641F872A042014FD704CEA9CC9156BB7EEEFD4210F0D8A2DE809D7344FA34ED058BA1

Function 6E9913A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E9913BE

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E991431
_memmove.LIBCMT ref: 6E991456
_memmove.LIBCMT ref: 6E991493
_memmove.LIBCMT ref: 6E9914B0

Strings

deque<T> too long, xrefs: 6E9913B9

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 0c2b36bcfa4b2089159de125157420a699d237144d6b5ca0725f372dae29ae08
Instruction ID: cdb6cd7dad374acdc17f89b50f751b056afa1f74d96ab48a908d542ef1c39e7c
Opcode Fuzzy Hash: 0c2b36bcfa4b2089159de125157420a699d237144d6b5ca0725f372dae29ae08
Instruction Fuzzy Hash: A941D872A042054FD704CEA9DC9156BB7EEEFD4214F0E8A2DE849D7344EB74ED098BA1

Function 6E934D90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E934DA9

Part of subcall function 6E999125: std::exception::exception.LIBCMT ref: 6E99913A
Part of subcall function 6E999125: __CxxThrowException@8.LIBCMT ref: 6E99914F
Part of subcall function 6E999125: std::exception::exception.LIBCMT ref: 6E999160

std::_Xinvalid_argument.LIBCPMT ref: 6E934DCA
std::_Xinvalid_argument.LIBCPMT ref: 6E934DE5
_memmove.LIBCMT ref: 6E934E4D

Strings

string too long, xrefs: 6E934DC5, 6E934DE0
invalid string position, xrefs: 6E934DA4

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: c0eada73600d1920894812a602a5f2e91f0dc047f81ef3272f110dca4ea8f2ff
Instruction ID: 4161bf36a15b07000f948b3c2e19f1ee0e29b88ae09b58cae87f681c7d86f20e
Opcode Fuzzy Hash: c0eada73600d1920894812a602a5f2e91f0dc047f81ef3272f110dca4ea8f2ff
Instruction Fuzzy Hash: 183184323042218FE7258EDCE890A6AB7E9AF90725B310A2FE5658B740D772D8418F91

Function 6E9A44E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6E9A4532
DName::operator+.LIBCMT ref: 6E9A4539
DName::DName.LIBCMT ref: 6E9A455B
DName::operator+.LIBCMT ref: 6E9A4562
DName::operator+.LIBCMT ref: 6E9A4569

Strings

throw(, xrefs: 6E9A452A, 6E9A4553

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: e783a6e09ec088b741f65bf662f0f7029220c6f1e22f8238a3a3abcd04a39c15
Instruction ID: e15c4f0563e9d71e298ceed4af20e4eb4e5a88118e53b6b7c12f821019aff811
Opcode Fuzzy Hash: e783a6e09ec088b741f65bf662f0f7029220c6f1e22f8238a3a3abcd04a39c15
Instruction Fuzzy Hash: 0C014C7460010AAFCF04DBECC895DEE7BBEAF94308F504555EA019B294DB70EA468F90

Function 6E99CCF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 6E99CCFA

Part of subcall function 6E99EA6D: GetLastError.KERNEL32(?,?,6E99D7DD,6E999DEF,00000000,?,6E999BD4,6E931290,64F62E83), ref: 6E99EA71
Part of subcall function 6E99EA6D: ___set_flsgetvalue.LIBCMT ref: 6E99EA7F
Part of subcall function 6E99EA6D: __calloc_crt.LIBCMT ref: 6E99EA93
Part of subcall function 6E99EA6D: DecodePointer.KERNEL32(00000000,?,?,6E99D7DD,6E999DEF,00000000,?,6E999BD4,6E931290,64F62E83), ref: 6E99EAAD
Part of subcall function 6E99EA6D: GetCurrentThreadId.KERNEL32 ref: 6E99EAC3
Part of subcall function 6E99EA6D: SetLastError.KERNEL32(00000000,?,?,6E99D7DD,6E999DEF,00000000,?,6E999BD4,6E931290,64F62E83), ref: 6E99EADB

__calloc_crt.LIBCMT ref: 6E99CD1C
__get_sys_err_msg.LIBCMT ref: 6E99CD3A
_strcpy_s.LIBCMT ref: 6E99CD42
__invoke_watson.LIBCMT ref: 6E99CD57

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 6E99CD07, 6E99CD2A

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 70875e7f960b9df9ddd337153b07975a412b215c998cf226bd4b2b3b43b78515
Instruction ID: 279fcb75adfd28835f26e0a061c62c98964c72353bbe471e8b8e4f79ade78317
Opcode Fuzzy Hash: 70875e7f960b9df9ddd337153b07975a412b215c998cf226bd4b2b3b43b78515
Instruction Fuzzy Hash: 97F02B735043142BC71025D99C8098F7AECDFE175CB0C0C3AF504AF100E621D8416DB4

Function 6E99E9B9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6E9C9880,00000008,6E99EAC1,00000000,00000000,?,?,6E99D7DD,6E999DEF,00000000,?,6E999BD4,6E931290,64F62E83), ref: 6E99E9CA
__lock.LIBCMT ref: 6E99E9FE

Part of subcall function 6E9A2438: __mtinitlocknum.LIBCMT ref: 6E9A244E
Part of subcall function 6E9A2438: __amsg_exit.LIBCMT ref: 6E9A245A
Part of subcall function 6E9A2438: EnterCriticalSection.KERNEL32(6E999BD4,6E999BD4,?,6E99EA03,0000000D), ref: 6E9A2462

InterlockedIncrement.KERNEL32(FFFFFEF5), ref: 6E99EA0B
__lock.LIBCMT ref: 6E99EA1F
___addlocaleref.LIBCMT ref: 6E99EA3D

Strings

KERNEL32.DLL, xrefs: 6E99E9C5

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 028063007d8a3a5a95d20311f9cd78472113b83c85cee20a92e85c309e1f6d94
Instruction ID: 950b861d29a962c865ad2ebb49b63353c0622536a5b3234a4f18aa03e26a71f2
Opcode Fuzzy Hash: 028063007d8a3a5a95d20311f9cd78472113b83c85cee20a92e85c309e1f6d94
Instruction Fuzzy Hash: A6015E71845B00EFD7209FAAC40478AFBE4BFA1318F20890DD595973A0CB70E644DF11

Function 6E94E120 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6E94E29B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6E94E2B6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6E94E2D7

Part of subcall function 6E955760: std::tr1::_Xweak.LIBCPMT ref: 6E955769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E94E309

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6E94E523
InterlockedCompareExchange.KERNEL32(6E9DC6A4,45524548,4B4F4F4C), ref: 6E94E544

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: a9cbeccce987a01880bf662ae3c4edb609bbbb5228b3da0d34c5f3692c18e28a
Instruction ID: 634f564a266eaabbe91bb58d248e31a01951e7af6992e122e9a0d847c3787248
Opcode Fuzzy Hash: a9cbeccce987a01880bf662ae3c4edb609bbbb5228b3da0d34c5f3692c18e28a
Instruction Fuzzy Hash: 73D182B1A00209DFDB11CFE4C894BEEB7BDAF55304F144969E906AB281E774E944CFA1

Function 6E958A9A Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: feb76103f3b62b65e8bb53e5f82f87213ad95d3b9050e3ed16d54e8e7ef2db9c
Instruction ID: ba3c1e63f380fe8f33bd3c9d8da9c20cd7621c4e334836e07b6bb41331cd9e60
Opcode Fuzzy Hash: feb76103f3b62b65e8bb53e5f82f87213ad95d3b9050e3ed16d54e8e7ef2db9c
Instruction Fuzzy Hash: AF415774A006099FDB40DFA9CD90A5AB7FEAF89300F20859AE909EB355DB71EC41CF50

Function 6E958DE8 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: db67a17a08e96477bd489134a7a4d514f1d848dbf1d3f5e826fe3fb6d8e37a77
Instruction ID: 1917d4a1cd14d822baedaa4c9b636079b79a1d81c7780e4e1f9d63d09d39c288
Opcode Fuzzy Hash: db67a17a08e96477bd489134a7a4d514f1d848dbf1d3f5e826fe3fb6d8e37a77
Instruction Fuzzy Hash: 3C416A70A006199FDB00DFA8CC90B9EB7BDAF89200F24859AE519EB351DB70ED44CF60

Function 6E950338 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: db67a17a08e96477bd489134a7a4d514f1d848dbf1d3f5e826fe3fb6d8e37a77
Instruction ID: 5c32b3ea072e2aeb3345fb46f8ca2deb308ab2be79287ed4afca1ad8f38de7da
Opcode Fuzzy Hash: db67a17a08e96477bd489134a7a4d514f1d848dbf1d3f5e826fe3fb6d8e37a77
Instruction Fuzzy Hash: 9D413D70A00619DFDB40DFA9CC90BAEB7BDAF89200F24859AE918EB355D771E941CF50

Function 6E958F83 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 736ff64b483fbf4b0d8f944201ddba3b4c04768dbd176d6b145189ca1a50f3c8
Instruction ID: cc73fd815beedf358c8a2d041e97cb63704d5ef8e5ea972238d37d84612cca95
Opcode Fuzzy Hash: 736ff64b483fbf4b0d8f944201ddba3b4c04768dbd176d6b145189ca1a50f3c8
Instruction Fuzzy Hash: CA314A70E006099FDB50CFA8CC90B5EB7BDAF89200F208596E418E7341D775E941CF60

Function 6E958CE7 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 456b1ce340ca56cdde74cb35f19e8752a13726eebbaa80fc798a6fba95b4fcbc
Instruction ID: 065791656520a333e015dd11bed91e9e1f10a5d5dc2e851d8bfc25b8be07a38f
Opcode Fuzzy Hash: 456b1ce340ca56cdde74cb35f19e8752a13726eebbaa80fc798a6fba95b4fcbc
Instruction Fuzzy Hash: DB312870E006199FDB50CBA8CC90B9EB7FDAF89200F24869AE419EB355D771E944CF60

Function 6E958BDD Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 5fe2962b20dd63aed4c4b9c2d032230e54d65dfbdb616ca51d2cd9f14b6c0e0d
Instruction ID: b6d2bfb3370f284b3e794d2c0825e9b92824c6d57566e639e6053a5de862517f
Opcode Fuzzy Hash: 5fe2962b20dd63aed4c4b9c2d032230e54d65dfbdb616ca51d2cd9f14b6c0e0d
Instruction Fuzzy Hash: 0C312770E006099FDB50DBA8CC90BAEB7BDAF89200F24859AE419E7355D775ED81CF60

Function 6E950668 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 05400078effeae019b4a182e2dde4a99adca23ab3117dd02918cdbde8d2fd92b
Instruction ID: 32da35e3cda875f1d5e95ad77a9721b69369b08bae6f4870b421225b0b0749e9
Opcode Fuzzy Hash: 05400078effeae019b4a182e2dde4a99adca23ab3117dd02918cdbde8d2fd92b
Instruction Fuzzy Hash: 49314970E006099FDB40CFA9CD90BAEB7BDAF89200F20859AE418EB341DB71E940CF50

Function 6E9504D3 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 736ff64b483fbf4b0d8f944201ddba3b4c04768dbd176d6b145189ca1a50f3c8
Instruction ID: e0a23c250eccec444f068dccad8188ba6e93664973cd8e3865e82c1a36cf65a1
Opcode Fuzzy Hash: 736ff64b483fbf4b0d8f944201ddba3b4c04768dbd176d6b145189ca1a50f3c8
Instruction Fuzzy Hash: 79313B70E006099FDB40DFA9CC90BAEB7BDAF89300F208596E918E7351DB75D9418F50

Function 6E9505DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 46ed5a44dbcffa0e60d659cce942d0940e60c28613ed59d0c9545f4474ca6288
Instruction ID: 2c0f29c11fd82a4ac56d6e03e4d42c66201ca6b4a8d69c875597cfa6092bb01d
Opcode Fuzzy Hash: 46ed5a44dbcffa0e60d659cce942d0940e60c28613ed59d0c9545f4474ca6288
Instruction Fuzzy Hash: FE313970E006199FDB40DFA9CD90BAEB7BDAF89200F20859AE818EB351D775E941CF50

Function 6E9592C5 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: bd1ae2aae78e863b21e419fdd30738c0d17b671aecd8fe9a81e8c51e8a096d2e
Instruction ID: d652b3528e4cf3fc408838d2a773e47775acc7e7ab012241bb5e5984b8852d38
Opcode Fuzzy Hash: bd1ae2aae78e863b21e419fdd30738c0d17b671aecd8fe9a81e8c51e8a096d2e
Instruction Fuzzy Hash: A6313870E006199FDB50CBA8CC90B9EB7BDAF89200F24858AE419EB355D775ED85CF60

Function 6E959237 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 98cd5df467629adcf8d1bfaa3b2e00de6eb1d83a2dd71279b8af44b74062df78
Instruction ID: fad4f2a16a4fd35fb60aac63fa758609007c534416aeb71688d07dd775ca8b73
Opcode Fuzzy Hash: 98cd5df467629adcf8d1bfaa3b2e00de6eb1d83a2dd71279b8af44b74062df78
Instruction Fuzzy Hash: B0314870E006099FDB40DBA8CC90B9EB7BDAF89200F20858AE419EB341DB71E941CF60

Function 6E95908A Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 46ed5a44dbcffa0e60d659cce942d0940e60c28613ed59d0c9545f4474ca6288
Instruction ID: 49d96cb7f629aeacf7ed8bac64616d51f97b533692004347038ef6de994ae449
Opcode Fuzzy Hash: 46ed5a44dbcffa0e60d659cce942d0940e60c28613ed59d0c9545f4474ca6288
Instruction Fuzzy Hash: 663139B0E006199FDB50CBA8CC90B9EB7BEAF89200F24858AE519E7351D775ED41CF60

Function 6E9591A9 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 32505c103d67737cb17c97c96cfc87436de3855ea234337a3e827c4ba9c875f6
Instruction ID: 982cf7e1824381d6959a56d100ff769ed98dfbe6eeaf7141798d3d36df24c467
Opcode Fuzzy Hash: 32505c103d67737cb17c97c96cfc87436de3855ea234337a3e827c4ba9c875f6
Instruction Fuzzy Hash: 58314770E006199FDB40CBA9CD90B9EB7BDAF89200F20858AE419EB341DB75E944CF60

Function 6E959118 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 05400078effeae019b4a182e2dde4a99adca23ab3117dd02918cdbde8d2fd92b
Instruction ID: d478610755071f1f1488db74e685991c389cd7c4ab5f127658c27862844d54af
Opcode Fuzzy Hash: 05400078effeae019b4a182e2dde4a99adca23ab3117dd02918cdbde8d2fd92b
Instruction Fuzzy Hash: C1314870E006199FDB40CBA8CC90B9EB7BDAF89200F20859AE419EB341DB71E940CF60

Function 6E95C150 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E95C180
SafeArrayPutElement.OLEAUT32(00000000,6E953749,?), ref: 6E95C1B8
VariantClear.OLEAUT32(?), ref: 6E95C1C4
VariantCopy.OLEAUT32(6E953749,?), ref: 6E95C21B
VariantClear.OLEAUT32(?), ref: 6E95C22F
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E95C23E

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafeVariant$Clear$CopyCreateDestroyElementVector
String ID:
API String ID: 3979206172-0
Opcode ID: 9889a48fdc09fdf499176a99d8d2079eccd9db8f9d9928d9bbb2beb95f3f2e3d
Instruction ID: 68f92d5255336b4b491815f1bb8d411502a892584d843abee3d9a37d266eef15
Opcode Fuzzy Hash: 9889a48fdc09fdf499176a99d8d2079eccd9db8f9d9928d9bbb2beb95f3f2e3d
Instruction Fuzzy Hash: 1A311975A04609AFDB04DFE9C894B9FBBB8EF99700F108519E916DB350EA35D9018FA0

Function 6E947370 Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,6E9B11FD,000000FF,?,6E948B80,00000000,?,00000000,?,6E948C13,?,?), ref: 6E947415
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000,6E9B11FD,000000FF,?,6E948B80,00000000,?,00000000,?,6E948C13,?,?), ref: 6E94741B
std::exception::exception.LIBCMT ref: 6E94743D
__CxxThrowException@8.LIBCMT ref: 6E947452
std::exception::exception.LIBCMT ref: 6E947461
__CxxThrowException@8.LIBCMT ref: 6E947476

Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C04
Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C1E
Part of subcall function 6E999BB5: __CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$CriticalInitializeSection$_malloc
String ID:
API String ID: 189561132-0
Opcode ID: f67b8e781324be8e3379e3a694fd3c4d5c7092a2368e405c8c8be62147ce51a8
Instruction ID: bd0873cfc6ffca59c73f5b0c3601548ee417fe42a323d4571861e04278193b85
Opcode Fuzzy Hash: f67b8e781324be8e3379e3a694fd3c4d5c7092a2368e405c8c8be62147ce51a8
Instruction Fuzzy Hash: 2D3149B19006489FC750CF99C880A9AFBF8FF99210B44895AE95697B40E771F504CF61

Function 6E958E8E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 9f58e805cc548c8c6defc77ad322b74b979f864eaf8412bbaf105a383c38a0d8
Instruction ID: 843c02e1cd26ac39a73ab0701159b4f9037e853eddc0a8197bd72f1fd3bd9ec1
Opcode Fuzzy Hash: 9f58e805cc548c8c6defc77ad322b74b979f864eaf8412bbaf105a383c38a0d8
Instruction Fuzzy Hash: B5314970E006189FDB10CBA8CC94B9EB7BDAF89200F24869AE419E7345C7B1ED44CF64

Function 6E958F07 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 6d6022442d1da83946293fd45c58df6cc1735773d0b51fb684561cfed02c37f6
Instruction ID: 97f0803daf9bfcbaa2bedc93d21a4415d3cfa543e211561537e994149ce28966
Opcode Fuzzy Hash: 6d6022442d1da83946293fd45c58df6cc1735773d0b51fb684561cfed02c37f6
Instruction Fuzzy Hash: D8311870E006189FDB50CBA9CC94B9EB7BEAF89200F24859AE519E7341D7B1ED44CF60

Function 6E958C6E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 64bc57beb2a738388241915d1fec202efc12a30cefc5d6605f1f489ad0442745
Instruction ID: 03da891162bfe88fd9fe8c6031ce562478c9668ef9cc50c6de3e6b4939c3cb39
Opcode Fuzzy Hash: 64bc57beb2a738388241915d1fec202efc12a30cefc5d6605f1f489ad0442745
Instruction Fuzzy Hash: 76316C70E006189FDB50DBA9CC90B9EB7BDAF89200F24859AE419E7341C7B1ED44CF60

Function 6E958D72 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 5910c4dec0290212af276d41dd65a7fb6f0eb5bc338a0ffba7681f62b86e5a82
Instruction ID: b42215d05e190b73132635c924b52c1452e2e9b934d346044b184bb64bc31f7d
Opcode Fuzzy Hash: 5910c4dec0290212af276d41dd65a7fb6f0eb5bc338a0ffba7681f62b86e5a82
Instruction Fuzzy Hash: DC315E70E006189FDB10CBA8CC94B9EB7BDAF95200F24869AE419E7345D771ED44CF50

Function 6E958B64 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 2fbdbfd552e6ff72cc8209e375c369948342df42a574adf89cc5b6bad00782c8
Instruction ID: f2fc03546a415c7b8d66ae27aae79cbfb102e6ed9f690f686e4310c8ca389d11
Opcode Fuzzy Hash: 2fbdbfd552e6ff72cc8209e375c369948342df42a574adf89cc5b6bad00782c8
Instruction Fuzzy Hash: AF316AB0E006189FDB50DBA8CC90B9EB7BDAF99200F24858AE419E7341C7B1ED45CF60

Function 6E95884F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: f7bc8456c4e938b1cdfaed959d19c9dc76dc6a1fbf841bfd63884ae61e2ef730
Instruction ID: f1fcecd1894832c99e49b06e0891726f5b120a7da79ddede16d3b03d014787d0
Opcode Fuzzy Hash: f7bc8456c4e938b1cdfaed959d19c9dc76dc6a1fbf841bfd63884ae61e2ef730
Instruction Fuzzy Hash: CD314C70E006189FDB50CBA9CC90B9EB7BEAF99200F24859AE419E7341D7B1ED45CF64

Function 6E950561 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 469fec16257b32822aa30d47775903b541fe6c47be79f4b82d17240457db60dc
Instruction ID: 872e92e18f3a1e818dee193449581b5190bf2a5a7339c623db1864a5cd3f7a4b
Opcode Fuzzy Hash: 469fec16257b32822aa30d47775903b541fe6c47be79f4b82d17240457db60dc
Instruction Fuzzy Hash: FF313A70E006189FDB50DFA9CC90B9DB7BDAF89700F24859AE418E7342D771D9818F50

Function 6E9502C2 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 5910c4dec0290212af276d41dd65a7fb6f0eb5bc338a0ffba7681f62b86e5a82
Instruction ID: f86a4546070133f1fd4baca75b4f3e90f0d61ba154cab742484bcb6fe22206a9
Opcode Fuzzy Hash: 5910c4dec0290212af276d41dd65a7fb6f0eb5bc338a0ffba7681f62b86e5a82
Instruction Fuzzy Hash: 4C312B70E006189FDB50CFA9CC80BADB7BDAF85600F64869AE819E7345D771D941CF50

Function 6E9503DE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 9f58e805cc548c8c6defc77ad322b74b979f864eaf8412bbaf105a383c38a0d8
Instruction ID: 94e3e1413fcc35aa7b16177c96e4ab590c70d200af472781a155691ac51aed47
Opcode Fuzzy Hash: 9f58e805cc548c8c6defc77ad322b74b979f864eaf8412bbaf105a383c38a0d8
Instruction Fuzzy Hash: 57312970E006189FDB50CFA9CC90BADB7BDAF89600F24869AE418E7355DB71E981CF50

Function 6E9500B4 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 2fbdbfd552e6ff72cc8209e375c369948342df42a574adf89cc5b6bad00782c8
Instruction ID: 079936aff4b4b6ab65392fa637bd141f399bf10a05f93b3164bf8b141b738adf
Opcode Fuzzy Hash: 2fbdbfd552e6ff72cc8209e375c369948342df42a574adf89cc5b6bad00782c8
Instruction Fuzzy Hash: A0312970E006189FDB50DFA9CC80BADB7BEAF95600F24859AE818E7341DB71D981CF50

Function 6E9501BE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 64bc57beb2a738388241915d1fec202efc12a30cefc5d6605f1f489ad0442745
Instruction ID: 53844a912e275a1d0befc68bfd5318aecef9bb8d615b344ba3e3cd2279c39c26
Opcode Fuzzy Hash: 64bc57beb2a738388241915d1fec202efc12a30cefc5d6605f1f489ad0442745
Instruction Fuzzy Hash: 01312970E006189FDB50DFA9CC90BADB7BEAF95600F24859AE418E7342D771E9818F50

Function 6E94FD9F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: f7bc8456c4e938b1cdfaed959d19c9dc76dc6a1fbf841bfd63884ae61e2ef730
Instruction ID: d89666640fe0f5fc3f307584f21adc44b2a1da7becb810f47c347955d9eb390f
Opcode Fuzzy Hash: f7bc8456c4e938b1cdfaed959d19c9dc76dc6a1fbf841bfd63884ae61e2ef730
Instruction Fuzzy Hash: 80310970E006189FDB50DFA9CC90B9DB7BDAF99600F24859AE418EB341D771E9418F50

Function 6E959011 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 469fec16257b32822aa30d47775903b541fe6c47be79f4b82d17240457db60dc
Instruction ID: ce1977f0494134885cb508b044571269c8923a8b8b863cc4afb43cff6d449536
Opcode Fuzzy Hash: 469fec16257b32822aa30d47775903b541fe6c47be79f4b82d17240457db60dc
Instruction Fuzzy Hash: FC314EB0E006189FDB50DBA9CC90B9EB7BDAF89200F24858AE419E7345D7B1DD44CF50

Function 6E9A249C Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000100,?,?,?,?,?,6E9A25B1,?,00000000,?), ref: 6E9A24E6
_malloc.LIBCMT ref: 6E9A251B
_memset.LIBCMT ref: 6E9A253B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000,00000001,00000000), ref: 6E9A2550
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E9A255E
__freea.LIBCMT ref: 6E9A2568

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ByteCharMultiWide$StringType__freea_malloc_memset
String ID:
API String ID: 525495869-0
Opcode ID: 253635d530b4b17971575d4d658f6cf048ebe239e791ce77503762fa42e2c319
Instruction ID: 31b545999184118e4e72bae2292d0c010b6d4ef7a6f2ddf3fce582716bf11a5c
Opcode Fuzzy Hash: 253635d530b4b17971575d4d658f6cf048ebe239e791ce77503762fa42e2c319
Instruction Fuzzy Hash: 8D312AB160020AAFEB019FAADC909AE7BADEF48254F114829FA1597250E734DD509F60

Function 6E958A39 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6E9569C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E956A08
Part of subcall function 6E9569C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E956A15
Part of subcall function 6E9569C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E956A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 31a9a23a6f3df677fad2f046e8e2ae73c212ea26b851f69bbbf2ad4888b4ce0a
Instruction ID: 9a9cef0d7b86e09730c1785aaaab0adfbcbac43c9bc70e7739e01b62df06dce4
Opcode Fuzzy Hash: 31a9a23a6f3df677fad2f046e8e2ae73c212ea26b851f69bbbf2ad4888b4ce0a
Instruction Fuzzy Hash: 9D312C70E006189FDB50DBA8CC90B9EB7BDAF95200F64468AE419E7341C7B5ED84CF64

Function 6E9587EE Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6E9569C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E956A08
Part of subcall function 6E9569C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E956A15
Part of subcall function 6E9569C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E956A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95AEBF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 7b0dd3582b56515fce74bc5d929eef42f630b808a827719f6d6b344a25501fe6
Instruction ID: 7c8702476a02e3d57ff0a5abf4b6ddf099057e8a0001eb2af9fc19b8ffc6ff2a
Opcode Fuzzy Hash: 7b0dd3582b56515fce74bc5d929eef42f630b808a827719f6d6b344a25501fe6
Instruction Fuzzy Hash: 35314A70E006189FDB10CBA8CC90B9EB7BEAF95200F24498AE419E7341D7B5ED84CF60

Function 6E94FF89 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6E9569C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E956A08
Part of subcall function 6E9569C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E956A15
Part of subcall function 6E9569C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E956A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 31a9a23a6f3df677fad2f046e8e2ae73c212ea26b851f69bbbf2ad4888b4ce0a
Instruction ID: f6618a1e2df46fe4fbdea452bc2aadabccbd24579886e14d675c2a5d15857cbd
Opcode Fuzzy Hash: 31a9a23a6f3df677fad2f046e8e2ae73c212ea26b851f69bbbf2ad4888b4ce0a
Instruction Fuzzy Hash: 27312870E006189FDB50DFA9CC90B9DB7BEAF99700F24469AE419EB341C775E9808F50

Function 6E94FD3E Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6E9569C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E956A08
Part of subcall function 6E9569C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E956A15
Part of subcall function 6E9569C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E956A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E9523B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E9523FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E95240F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 7b0dd3582b56515fce74bc5d929eef42f630b808a827719f6d6b344a25501fe6
Instruction ID: 6a2b9e6059c3d194d90c1b1bc2918bc4ea4331617b4ffb2302667911205fde8e
Opcode Fuzzy Hash: 7b0dd3582b56515fce74bc5d929eef42f630b808a827719f6d6b344a25501fe6
Instruction Fuzzy Hash: 68312970E006189FDB10DFA9CC90B9DB7BEAF95700F24458AE418E7341D775D9808F50

Function 6E9906A0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 6E934760: __CxxThrowException@8.LIBCMT ref: 6E9347F9

_memmove.LIBCMT ref: 6E990907
_memmove.LIBCMT ref: 6E990936
_memmove.LIBCMT ref: 6E990959
__CxxThrowException@8.LIBCMT ref: 6E990A25

Strings

PSSR_MEM: message recovery disabled, xrefs: 6E9909E3

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID: PSSR_MEM: message recovery disabled
API String ID: 2655171816-3051149714
Opcode ID: bbd2108068f4a1e24b8ae6fdbad9f19408b92c734e48a5368dd9ea1cb072b00c
Instruction ID: 7579c809023931a3a76d3ee0b30dc1eef382377ae1b21055f95ca828153d4e29
Opcode Fuzzy Hash: bbd2108068f4a1e24b8ae6fdbad9f19408b92c734e48a5368dd9ea1cb072b00c
Instruction Fuzzy Hash: C9C189702083419FD754CF68C890B6BB7E9AFC9304F048A1CE5998B385E775E945CFA2

Function 6E997FE0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 325COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E9980EA

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Strings

RandomNumberType, xrefs: 6E9983A9
invalid bit length, xrefs: 6E998044
Min, xrefs: 6E9983C5
Max, xrefs: 6E9983E3

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: Max$Min$RandomNumberType$invalid bit length
API String ID: 3718517217-2498579642
Opcode ID: 320629a46c6f7355b6cc2c4476e3f0c049d33cee07d82af54ac60be341714f83
Instruction ID: 35956edd8b61db21f91c00b8cc7c517f4b344dcfef2067b580655b6cc851d1cd
Opcode Fuzzy Hash: 320629a46c6f7355b6cc2c4476e3f0c049d33cee07d82af54ac60be341714f83
Instruction Fuzzy Hash: A8C191715087809EE338C7A8C850B9FB7D9AFEA204F484E1DE59983391DB74D904CB63

Function 6E99BE8E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6E99BEB6

Part of subcall function 6E99AB70: __getptd.LIBCMT ref: 6E99AB7E
Part of subcall function 6E99AB70: __getptd.LIBCMT ref: 6E99AB8C

__getptd.LIBCMT ref: 6E99BEC0

Part of subcall function 6E99EAE6: __getptd_noexit.LIBCMT ref: 6E99EAE9
Part of subcall function 6E99EAE6: __amsg_exit.LIBCMT ref: 6E99EAF6

__getptd.LIBCMT ref: 6E99BECE
__getptd.LIBCMT ref: 6E99BEDC
__getptd.LIBCMT ref: 6E99BEE7
_CallCatchBlock2.LIBCMT ref: 6E99BF0D

Part of subcall function 6E99AC15: __CallSettingFrame@12.LIBCMT ref: 6E99AC61

Part of subcall function 6E99BFB4: __getptd.LIBCMT ref: 6E99BFC3
Part of subcall function 6E99BFB4: __getptd.LIBCMT ref: 6E99BFD1

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: e4592e34591871a0dd77284131183d31702761ed2f6d3e811dae24ef7e512112
Instruction ID: 52cd4d67c0ec2a33ed03a2eb643ecb09c52b51ed6038c78bbbf75cc236454a0b
Opcode Fuzzy Hash: e4592e34591871a0dd77284131183d31702761ed2f6d3e811dae24ef7e512112
Instruction Fuzzy Hash: FB11E4B1C01209AFDB00DFE4C544ADEBBB4FF54318F148869F814AB260EB789A50AF50

Function 6E9670E0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E967267

Strings

is less than the minimum of , xrefs: 6E9671D0
: IV length , xrefs: 6E96719E, 6E9672D7
exceeds the maximum of , xrefs: 6E967309

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw
String ID: exceeds the maximum of $ is less than the minimum of $: IV length
API String ID: 2005118841-1273958906
Opcode ID: 3fe516e4fb7cf333259dae3330312289b93f4fb24ad3c9f11c8ef0fb988d0ec6
Instruction ID: 61adaf78a478e83fddd4e4edc5c6d7e0e905111c7662fd877ca1c406c2a48d17
Opcode Fuzzy Hash: 3fe516e4fb7cf333259dae3330312289b93f4fb24ad3c9f11c8ef0fb988d0ec6
Instruction Fuzzy Hash: 9B617271108380AFD321DBA9C884FDBB7ECAFE9304F054A1DE58987241EB7599058FA2

Function 6E98AE90 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E98AF27
_strncmp.LIBCMT ref: 6E98AFA6

Strings

ValueNames, xrefs: 6E98AEB7
ThisPointer:, xrefs: 6E98AF4B, 6E98AFA0

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: dad402706f64fd9337d8ccf7293f799ce97f2fb371a636e8f62a392afb145683
Instruction ID: 14846b3623a11f9757d8cc605e6c052e5d24fd8445d21caaf87fac3d85d4d386
Opcode Fuzzy Hash: dad402706f64fd9337d8ccf7293f799ce97f2fb371a636e8f62a392afb145683
Instruction Fuzzy Hash: 3751D0B52087405FC3548EE4C890A67B7FEAF96748F084E1DE4968B3A5D762E8098F52

Function 6E96A360 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E96A3F7
_strncmp.LIBCMT ref: 6E96A476

Strings

ValueNames, xrefs: 6E96A387
ThisPointer:, xrefs: 6E96A41B, 6E96A470

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 973de714c86ec53ba905ef971d9daa8bb3a529ec37ee45053577b349f270d8f7
Instruction ID: d2a4e9f47adf7defb8f4c4ad22d81f212cc37b1d2939d215d8763fde53720468
Opcode Fuzzy Hash: 973de714c86ec53ba905ef971d9daa8bb3a529ec37ee45053577b349f270d8f7
Instruction Fuzzy Hash: FC5105312083505FE310DFE4D890A67B7EEAFD6748F044A5EE4D68B351D7A2E8098F52

Function 6E98B9B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E98BA47
_strncmp.LIBCMT ref: 6E98BAC6

Strings

ValueNames, xrefs: 6E98B9D7
ThisPointer:, xrefs: 6E98BA6B, 6E98BAC0

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 3e609cb8378926bf3c700f82007cfa848083bf423000bfc7d586ae65095c8c4d
Instruction ID: 34d5454a3a4955e4d87afed4ad0dd9f13a5f4fe2cf37b2cd072d409e5c84c683
Opcode Fuzzy Hash: 3e609cb8378926bf3c700f82007cfa848083bf423000bfc7d586ae65095c8c4d
Instruction Fuzzy Hash: 1351D7352087446BC3148FE5C890A67B7FE9FD6658F084E1DE4D68B369E722E809CF52

Function 6E971B70 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E971C1A

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

__CxxThrowException@8.LIBCMT ref: 6E971CDE
__CxxThrowException@8.LIBCMT ref: 6E971D3E

Strings

TF_SignerBase: the recoverable message part is too long for the given key and algorithm, xrefs: 6E971CF0
TF_SignerBase: this algorithm does not support messsage recovery or the key is too short, xrefs: 6E971C67

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: TF_SignerBase: the recoverable message part is too long for the given key and algorithm$TF_SignerBase: this algorithm does not support messsage recovery or the key is too short
API String ID: 3476068407-3371871069
Opcode ID: 35915a48f6025838a31772e702b135e60c6c6ab4fa8ca1ad542989f2bb858de6
Instruction ID: e2e25029c56582ab1306a30d622df62968bd85f45118d1b5713b59155bb2720b
Opcode Fuzzy Hash: 35915a48f6025838a31772e702b135e60c6c6ab4fa8ca1ad542989f2bb858de6
Instruction Fuzzy Hash: A4514C752087409FD364DFA8C880F9BB7E9BFD8604F108A1DE58987391DB70E9058FA2

Function 6E934010 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

Part of subcall function 6E999125: std::exception::exception.LIBCMT ref: 6E99913A
Part of subcall function 6E999125: __CxxThrowException@8.LIBCMT ref: 6E99914F
Part of subcall function 6E999125: std::exception::exception.LIBCMT ref: 6E999160

std::_Xinvalid_argument.LIBCPMT ref: 6E934067

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E9340C8

Strings

string too long, xrefs: 6E934062
invalid string position, xrefs: 6E934025

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 323b2b23ec7bb9dc62de957409ea011f3c5d5ab837949df1b66b294d73306330
Instruction ID: 438dd2b56e389e99b65361d80acfe8946dac25f1c46c839f2c6183550411ac85
Opcode Fuzzy Hash: 323b2b23ec7bb9dc62de957409ea011f3c5d5ab837949df1b66b294d73306330
Instruction Fuzzy Hash: BD31B8723046259BD7218E9CE880A5EF7A9DFD1668F31092FE151CB250D763DC428FA1

Function 6E99C23B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6E99C24E

Part of subcall function 6E99C1A9: ___BuildCatchObjectHelper.LIBCMT ref: 6E99C1DF

_UnwindNestedFrames.LIBCMT ref: 6E99C265
___FrameUnwindToState.LIBCMT ref: 6E99C273

Strings

csm, xrefs: 6E99C24A, 6E99C25F, 6E99C272, 6E99C290, 6E99C2A0
csm, xrefs: 6E99C23D

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction ID: e4d4e985697f07e9564b2ccee39479015bef7ad7b78d2e17290bc105a061a196
Opcode Fuzzy Hash: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction Fuzzy Hash: DD01E43140110ABBDF125F91CC45EEE7F6AEF98354F084420BD1819160E77AD9A2EFA4

Function 6E972300 Relevance: 7.8, APIs: 5, Instructions: 257COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E9723F3
_memmove.LIBCMT ref: 6E972460

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f9fa292314d77ccc8b33f6b790b8b7ab360916430f13c24b7cfed4ca832cd967
Instruction ID: db3de37e68edf24be62387dbf95a959c4eaf7b625442928287458083a32cce3f
Opcode Fuzzy Hash: f9fa292314d77ccc8b33f6b790b8b7ab360916430f13c24b7cfed4ca832cd967
Instruction Fuzzy Hash: B2915FB1618702DFDB24CF99D990A2BB7E9EF88604F10492DE895C3740E734E9498F92

Function 6E953C10 Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

SafeArrayGetElement.OLEAUT32(?,?,64F62E83), ref: 6E953C49
VariantInit.OLEAUT32(?), ref: 6E953C81
VariantClear.OLEAUT32(?), ref: 6E953D26
VariantClear.OLEAUT32(?), ref: 6E953D30
VariantClear.OLEAUT32(?), ref: 6E953D89

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$ArrayElementInitSafe
String ID:
API String ID: 4110538090-0
Opcode ID: 6fcc5b8d60dc3b245617a92b517e9089ca975b71527a282ec25d78e5b2ea886d
Instruction ID: 0bdcb8a8763be0b2092589b203e90764b29c227d71c245c5985b42654a6f08cc
Opcode Fuzzy Hash: 6fcc5b8d60dc3b245617a92b517e9089ca975b71527a282ec25d78e5b2ea886d
Instruction Fuzzy Hash: CE615B72A042499FCB00DFE8C8849EEB7B9EF99310F2485A9E515AB354D731ED45CFA0

Function 6E961D50 Relevance: 7.6, APIs: 5, Instructions: 144timesleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(64F62E83), ref: 6E961D91
timeGetTime.WINMM(64F62E83), ref: 6E961D9F
timeGetTime.WINMM ref: 6E961DBB
timeGetTime.WINMM ref: 6E961DC9
Sleep.KERNEL32(00000032), ref: 6E961DDC

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Timetime$Sleep
String ID:
API String ID: 4176159691-0
Opcode ID: ba3a2850ab1ead14e27a7bc32620529e13b2757aeb74a14fabf70fe667827e38
Instruction ID: 42cb4ae1250f93b54457aa2eaf1ef630a7a159722081a8459940245057822753
Opcode Fuzzy Hash: ba3a2850ab1ead14e27a7bc32620529e13b2757aeb74a14fabf70fe667827e38
Instruction Fuzzy Hash: 03519CB19046559FEB01DFEAC88579EBBB8AF16300F54496AE508DB240E770D988CF92

Function 6E946D40 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

_rand.LIBCMT ref: 6E946DEA

Part of subcall function 6E999E0C: __getptd.LIBCMT ref: 6E999E0C

std::exception::exception.LIBCMT ref: 6E946E17
__CxxThrowException@8.LIBCMT ref: 6E946E2C
std::exception::exception.LIBCMT ref: 6E946E3B
__CxxThrowException@8.LIBCMT ref: 6E946E50

Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C04
Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C1E
Part of subcall function 6E999BB5: __CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$__getptd_malloc_rand
String ID:
API String ID: 2791304714-0
Opcode ID: 02363f89128ae04c90ee1825dc2e469cffc817a0ba352f445470e686109ba231
Instruction ID: c638d644050ee56c1db5b1f0b4f6239a62297178a1c75e372a112ec065417d6d
Opcode Fuzzy Hash: 02363f89128ae04c90ee1825dc2e469cffc817a0ba352f445470e686109ba231
Instruction Fuzzy Hash: 5F31F4B19007449FC750CFA8C480A8ABBF4FF18314F44896ED85A9BB41E775E604CF61

Function 6E947750 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6E947761
LeaveCriticalSection.KERNEL32(00000000,?), ref: 6E947782
EnterCriticalSection.KERNEL32(00000018), ref: 6E947796
LeaveCriticalSection.KERNEL32(00000018), ref: 6E9477CE
QueueUserWorkItem.KERNEL32(6E961D50,00000000,00000010), ref: 6E94780C

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: 751628a41f9171ff0d35652515d918f29d9768657bf9c13cc32f4bf95a78a965
Instruction ID: e1abfe2637a823b3e7b3cb8eb4de1d97864533dd5191105cdd7923c3027ab62d
Opcode Fuzzy Hash: 751628a41f9171ff0d35652515d918f29d9768657bf9c13cc32f4bf95a78a965
Instruction Fuzzy Hash: 3E217F7150560DEFDB40CFA4C994A9BBBF8FF85304F408959E4568B680D730EA49CFA0

Function 6E935AAC Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6E935ACB

Part of subcall function 6E999533: std::exception::_Copy_str.LIBCMT ref: 6E99954E

__CxxThrowException@8.LIBCMT ref: 6E935ABC

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

__CxxThrowException@8.LIBCMT ref: 6E935AE0

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E935B18
__CxxThrowException@8.LIBCMT ref: 6E935B2D

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 921928366-0
Opcode ID: b57efdcaa0156322fc062b3e5e5e7d2023165126c989046301f979b128a5df11
Instruction ID: 9064e61551391baf88f0061476c8a59cbee68e6172dc011d97e5dec7b560f622
Opcode Fuzzy Hash: b57efdcaa0156322fc062b3e5e5e7d2023165126c989046301f979b128a5df11
Instruction Fuzzy Hash: C501E1B1810208AFDB04DFE4D8419DF77BCEF65244F148559E909A7140EB74E6049FB2

Function 6E99F03B Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E99F047

Part of subcall function 6E99EAE6: __getptd_noexit.LIBCMT ref: 6E99EAE9
Part of subcall function 6E99EAE6: __amsg_exit.LIBCMT ref: 6E99EAF6

__amsg_exit.LIBCMT ref: 6E99F067
__lock.LIBCMT ref: 6E99F077
InterlockedDecrement.KERNEL32(?), ref: 6E99F094
InterlockedIncrement.KERNEL32(074E1688), ref: 6E99F0BF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 06918343ac9eae7df2b73bb27fcdd5b1eed48e03f3d6324d22e454adbf4d333d
Instruction ID: bf5e6d0f646c17da3f3fc4bc5c7335f6ea67298284ab7037fb138b40072c5faa
Opcode Fuzzy Hash: 06918343ac9eae7df2b73bb27fcdd5b1eed48e03f3d6324d22e454adbf4d333d
Instruction Fuzzy Hash: BC01A172D05E229BDB119FE584447AEB7ACBF42758F280405F81067284CB34D841EFD2

Function 6E99F7BC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E99F7C8

Part of subcall function 6E99EAE6: __getptd_noexit.LIBCMT ref: 6E99EAE9
Part of subcall function 6E99EAE6: __amsg_exit.LIBCMT ref: 6E99EAF6

__getptd.LIBCMT ref: 6E99F7DF
__amsg_exit.LIBCMT ref: 6E99F7ED
__lock.LIBCMT ref: 6E99F7FD
__updatetlocinfoEx_nolock.LIBCMT ref: 6E99F811

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 1b711f7f5fdbf2d9dbc83afec91e4b210a583c5c084c87a238b9ac2d48cc3cf6
Instruction ID: 3d94cb764efbc2d280b70234116e131445cbc7e32185f8d1d12e356318af7464
Opcode Fuzzy Hash: 1b711f7f5fdbf2d9dbc83afec91e4b210a583c5c084c87a238b9ac2d48cc3cf6
Instruction Fuzzy Hash: 18F0CD32904A109BDB60ABE98400BDDB6A8BFA072CF380949F410AA2D0CB24D540FE62

Function 6E97E6E0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 331COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6E97E76F
_memcpy_s.LIBCMT ref: 6E97E78B

Strings

, xrefs: 6E97E85A

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-3916222277
Opcode ID: 9444f20365b3f4bd8703d7dbc7100713fecc3639b4452d324e370641b4000515
Instruction ID: 3065fb5e73eed3fb644e2d96211cb43c269377e692a6f283c7cc877a745a9402
Opcode Fuzzy Hash: 9444f20365b3f4bd8703d7dbc7100713fecc3639b4452d324e370641b4000515
Instruction Fuzzy Hash: 01C16E756083028FEB64CF68C8906AAB7EAFFC9314F04492DE495C7254E775E949CF42

Function 6E998B60 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6E998C40
_memset.LIBCMT ref: 6E998C56
_memmove.LIBCMT ref: 6E998DA8

Strings

EncodingParameters, xrefs: 6E998CD6

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memcpy_s_memmove_memset
String ID: EncodingParameters
API String ID: 4034675494-55378216
Opcode ID: 5f230e494a166d11d7292ce81da315720624d1af264b989156c733dcb9765e0f
Instruction ID: 1f85cbd987429e8a2ef90e168f71c957761bddcaad55c06eccc2a832755b19dd
Opcode Fuzzy Hash: 5f230e494a166d11d7292ce81da315720624d1af264b989156c733dcb9765e0f
Instruction Fuzzy Hash: D49198706083819FE314CF68C880B5BBBE9AFDA748F18491DF89887391D771E944CB92

Function 6E971200 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 6E98D820: _memmove.LIBCMT ref: 6E98D930

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E9713D4

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Part of subcall function 6E968D80: _malloc.LIBCMT ref: 6E968D8A
Part of subcall function 6E968D80: _malloc.LIBCMT ref: 6E968DAF

Strings

doesn't match the required length of , xrefs: 6E971316
for this key, xrefs: 6E971348
: ciphertext length of , xrefs: 6E9712E4

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _malloc$ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: doesn't match the required length of $ for this key$: ciphertext length of
API String ID: 1025790555-2559040249
Opcode ID: f21c51b03464d96ff61336a544063ed6845c22c524e6d44069c27bc974c90b7e
Instruction ID: b8616a05d5b1bfd3c852f683519b660c9b946b40391e91688493ca67c480fae5
Opcode Fuzzy Hash: f21c51b03464d96ff61336a544063ed6845c22c524e6d44069c27bc974c90b7e
Instruction Fuzzy Hash: FCA13D715083809FD324CBA9C890BDBB7E9AFD9304F044A1DE59987350EB70E949CFA2

Function 6E99B47D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6E99B50D

Part of subcall function 6E9A1AA0: __87except.LIBCMT ref: 6E9A1ADB

Strings

pow, xrefs: 6E99B4E5, 6E99B502

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 91a071a62fa9b758ec781bc6dec828f434b836cdb5eeb43a9f7d5f28f8d5a2ff
Instruction ID: 2b8ceacd7fca790f1cf6e51d3768744fc5d8d26767b945a2bc208db5aec0fff3
Opcode Fuzzy Hash: 91a071a62fa9b758ec781bc6dec828f434b836cdb5eeb43a9f7d5f28f8d5a2ff
Instruction Fuzzy Hash: 3F515EA1A1C60296C741AADEC5503AE7BBCDF83714F148D58D5D44229CFB38C8C8AF4B

Function 6E948560 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6E9488ED

Part of subcall function 6E99A116: __mbstowcs_s_l.LIBCMT ref: 6E99A12C

__cftoe.LIBCMT ref: 6E948911

Strings

P, xrefs: 6E948841
zX, xrefs: 6E94865E

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: __cftoe$__mbstowcs_s_l
String ID: zX$P
API String ID: 1494777130-2079734279
Opcode ID: b2a312c2bda7992f2e97662b462c8faac7001b79b437219bb22e34c5eccbf748
Instruction ID: c73d08edde60737932bd843034374a8dba528d0ecbf27ca1e3748544c6c89d9e
Opcode Fuzzy Hash: b2a312c2bda7992f2e97662b462c8faac7001b79b437219bb22e34c5eccbf748
Instruction Fuzzy Hash: CD910EB11087819FC376CF55C890BABBBE8EF84714F504A1DE1A98B280EB719645CF92

Function 6E9689D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E968ABB
__CxxThrowException@8.LIBCMT ref: 6E968B82

Strings

PK_DefaultDecryptionFilter: ciphertext too long, xrefs: 6E968A8E
: invalid ciphertext, xrefs: 6E968B48

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw
String ID: : invalid ciphertext$PK_DefaultDecryptionFilter: ciphertext too long
API String ID: 2005118841-483996327
Opcode ID: 7c57808dd629b1bfd264b57e19a8c02694dc263926f3814c5518f14e7455dc85
Instruction ID: 65e16dcb5ec176770ed4b1541f03bc327817c08f4b922d53ac7829edf965b6d9
Opcode Fuzzy Hash: 7c57808dd629b1bfd264b57e19a8c02694dc263926f3814c5518f14e7455dc85
Instruction Fuzzy Hash: B6511AB5104741AFD324CFA4C990EABB7E8AFD9704F004A1DA99A87650DB31E909CF62

Function 6E966B00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E966BA6

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E934067
Part of subcall function 6E934010: _memmove.LIBCMT ref: 6E9340C8

__CxxThrowException@8.LIBCMT ref: 6E966C56

Strings

NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes, xrefs: 6E966B33
RandomNumberGenerator: IncorporateEntropy not implemented, xrefs: 6E966BE3

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes$RandomNumberGenerator: IncorporateEntropy not implemented
API String ID: 1902190269-184618050
Opcode ID: f4e6e1af3d98f37d3a9ee0f6c91eed87d98867664db20c074f51c36b2035cefe
Instruction ID: e5176f16216fd1c0af85f80e8d4ff0f95078d32907b18d802673ac30b7cf7bd7
Opcode Fuzzy Hash: f4e6e1af3d98f37d3a9ee0f6c91eed87d98867664db20c074f51c36b2035cefe
Instruction Fuzzy Hash: 5C5102B1108780AFC300DFA9C980A5BFBE8BF99654F504A2EF59587390E7B4D948CF52

Function 6E934E80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E934EFC
std::_Xinvalid_argument.LIBCPMT ref: 6E934F16
_memmove.LIBCMT ref: 6E934F6C

Part of subcall function 6E934D90: std::_Xinvalid_argument.LIBCPMT ref: 6E934DA9
Part of subcall function 6E934D90: std::_Xinvalid_argument.LIBCPMT ref: 6E934DCA
Part of subcall function 6E934D90: std::_Xinvalid_argument.LIBCPMT ref: 6E934DE5
Part of subcall function 6E934D90: _memmove.LIBCMT ref: 6E934E4D

Strings

string too long, xrefs: 6E934EF7, 6E934F11

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 18d69c449d20a6d7a0704885ec75843bc8cc64e4c05bcd51fbfd52b0ee67208b
Instruction ID: 0f11719c712727485e22b084118e2d6597b414429cff14e086ba328887d05b4e
Opcode Fuzzy Hash: 18d69c449d20a6d7a0704885ec75843bc8cc64e4c05bcd51fbfd52b0ee67208b
Instruction Fuzzy Hash: 5231F9363106214FE7249DDCE85096EF7EAEFD1621735492FE455CB640C772D8828FA1

Function 6E932090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E93211F

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E934067
Part of subcall function 6E934010: _memmove.LIBCMT ref: 6E9340C8

__CxxThrowException@8.LIBCMT ref: 6E9321BF

Strings

PK_MessageAccumulator: DigestSize() should not be called, xrefs: 6E9320BD
PK_MessageAccumulator: TruncatedFinal() should not be called, xrefs: 6E93215D

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: PK_MessageAccumulator: DigestSize() should not be called$PK_MessageAccumulator: TruncatedFinal() should not be called
API String ID: 1902190269-1268710280
Opcode ID: ff1ba1afb2868249520b1774a5d10f804952206871f731291a1928e2a6876166
Instruction ID: 0f1f280724d2eb669c39934164712f5d302e1b824ad5a19c1bf15ab542930c6c
Opcode Fuzzy Hash: ff1ba1afb2868249520b1774a5d10f804952206871f731291a1928e2a6876166
Instruction Fuzzy Hash: CB4129B0C04288AFDB05DFE9D880ADEFBB8AF19314F104669E521A7391DB749A08DF50

Function 6E931D30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E931DC9

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E934067
Part of subcall function 6E934010: _memmove.LIBCMT ref: 6E9340C8

__CxxThrowException@8.LIBCMT ref: 6E931E74

Strings

BufferedTransformation: this object is not attachable, xrefs: 6E931D67
CryptoMaterial: this object contains invalid values, xrefs: 6E931E16

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: BufferedTransformation: this object is not attachable$CryptoMaterial: this object contains invalid values
API String ID: 1902190269-3853263434
Opcode ID: ef4943b711c4a276e5eb0a1d8407da65b4f850646105138da2739e641a45225f
Instruction ID: 65d74fa0114f14ec9f8cd799f87e65c7ef4a7e264907de6748c0e3e15d485ddb
Opcode Fuzzy Hash: ef4943b711c4a276e5eb0a1d8407da65b4f850646105138da2739e641a45225f
Instruction Fuzzy Hash: E3414E71C04298AFDB04DFE9D880ADEFBB8EF59314F10866AE42567390DB749608CF50

Function 6E9674C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6E98D820: _memmove.LIBCMT ref: 6E98D930

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E96761A

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Strings

HashTransformation: can't truncate a , xrefs: 6E967552
bytes, xrefs: 6E967594
byte digest to , xrefs: 6E967565

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: byte digest to $ bytes$HashTransformation: can't truncate a
API String ID: 39012651-1139078987
Opcode ID: 1b2ea0e3eb4c102a5ee5a4167daf950ff04dd5ab12a2bafe45596d7d513ec44f
Instruction ID: 5b13505e3dd325c78ef2da31d3e08ec853ecba9f1c638031c402ff44a4c493a4
Opcode Fuzzy Hash: 1b2ea0e3eb4c102a5ee5a4167daf950ff04dd5ab12a2bafe45596d7d513ec44f
Instruction Fuzzy Hash: 94414F711083D0AAD321CB94C844FDBB7E8AFD9314F144E1DE69997280EB7595098FA7

Function 6E96BEF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E96BF2D

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

Strings

gfff, xrefs: 6E96BF80
vector<T> too long, xrefs: 6E96BF28
gfff, xrefs: 6E96BF37

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: b57cb95e2405690958a0f0050b1267bdac61e754ba0fdc285ddf123f6e1ef6a7
Instruction ID: 7b9dcd1022e6d7da62bfd8803782087c71d90b16a25a5d318897af376284bdf1
Opcode Fuzzy Hash: b57cb95e2405690958a0f0050b1267bdac61e754ba0fdc285ddf123f6e1ef6a7
Instruction Fuzzy Hash: 3D31B6B1A006099FD718CF99D980E6AF7B9EF98310F14862DF9599B380E771B904CF91

Function 6E998E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(64F62E83,64F62E83), ref: 6E998E7F
GetLastError.KERNEL32(0000000A), ref: 6E998E8F

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E998F14

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Strings

Timer: QueryPerformanceFrequency failed with error , xrefs: 6E998EA5

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ErrorExceptionException@8FrequencyLastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceFrequency failed with error
API String ID: 2175244869-348333943
Opcode ID: 45ed47bd0fe44fc1086cc38564e3b376dc41b711a5c2a775dfdc8eb4b93aa682
Instruction ID: 530ac8bc70a7ca3c05f0f4a8b464c652f143df256c3c9a6841199a06a30d16fd
Opcode Fuzzy Hash: 45ed47bd0fe44fc1086cc38564e3b376dc41b711a5c2a775dfdc8eb4b93aa682
Instruction Fuzzy Hash: 982128B15087809FD311CFA4C840B9BB7E8FF99614F404E1DF5A986281E775D4088FA2

Function 6E998F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(64F62E83,64F62E83,?,00000000), ref: 6E998F7F
GetLastError.KERNEL32(0000000A,?,00000000), ref: 6E998F8F

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E999014

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Strings

Timer: QueryPerformanceCounter failed with error , xrefs: 6E998FA5

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CounterErrorExceptionException@8LastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceCounter failed with error
API String ID: 1823523280-4075696077
Opcode ID: 6159cb3923fe2aeeb1bff5a95406186765561e9d84ad2d512f67afd55319b64b
Instruction ID: 962bbf574c6c7c65771f976aad73c9b78bf954b7633e55c2d556cf34bcd38c83
Opcode Fuzzy Hash: 6159cb3923fe2aeeb1bff5a95406186765561e9d84ad2d512f67afd55319b64b
Instruction Fuzzy Hash: C2212BB15087809FD311CFA4C840B9BB7E8FF99618F404E1DF5A986281E775D4048F92

Function 6E966480 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E966518

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

__CxxThrowException@8.LIBCMT ref: 6E966558

Strings

Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 6E966527
Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 6E9664E7

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 3476068407-3345525433
Opcode ID: 00b461586a1b66f8a9298c828f1b7877b42c67db10ac46f3de4eb469ffa52ac4
Instruction ID: a8c51aa706f58c4aa116f60c936d3db754d1d0f82ca9bb5ae044fc66a472aa55
Opcode Fuzzy Hash: 00b461586a1b66f8a9298c828f1b7877b42c67db10ac46f3de4eb469ffa52ac4
Instruction Fuzzy Hash: DE21CF715282909ED720DFE4C841BDBB3ECAFD6648F404E1EA58986285EB74D004CEA3

Function 6E96C120 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E96C14E

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

Strings

gfff, xrefs: 6E96C15A
vector<T> too long, xrefs: 6E96C149
gfff, xrefs: 6E96C129

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: ad664f68b0a772af5fd49d3f129ffee4ef1e77faa9ace3135fb4793f85c90c05
Instruction ID: 650527deb95576d5e215526a660c27019a17ae27b42455aa603dd6c51f433b9a
Opcode Fuzzy Hash: ad664f68b0a772af5fd49d3f129ffee4ef1e77faa9ace3135fb4793f85c90c05
Instruction Fuzzy Hash: B101D1B3F141251F931199BFED4444AEBABAED439471ACA3BE608DF348E571D8025BC2

Function 6E9725D0 Relevance: 6.2, APIs: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E972677
_memmove.LIBCMT ref: 6E9726E6
_memmove.LIBCMT ref: 6E972746
__CxxThrowException@8.LIBCMT ref: 6E9727CD

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID:
API String ID: 2655171816-0
Opcode ID: 9c1f587eb167cf4b6be4cad2320b5100fd715d517349ef7138deaee6b6d5166c
Instruction ID: 637be2d2517554148cda8873470ccda8f05972f0ab2d626b08119d5c38823244
Opcode Fuzzy Hash: 9c1f587eb167cf4b6be4cad2320b5100fd715d517349ef7138deaee6b6d5166c
Instruction Fuzzy Hash: 885193B57187468FDB14DFA9C990A2FB3E9AFC8604F10492EE455C7340EB34E9098F92

Function 6E94D4B0 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E94D5E4
__CxxThrowException@8.LIBCMT ref: 6E94D5F9
std::exception::exception.LIBCMT ref: 6E94D608
__CxxThrowException@8.LIBCMT ref: 6E94D61D

Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C04
Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C1E
Part of subcall function 6E999BB5: __CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: a6f424f5209f5cd2a3ada8e12047d17d48d5b7ba93c78c5ede3297b5f556ed76
Instruction ID: f519620f07bafbc1546cb5702dc2b534ba6d942886db95bdcfe9b71f593a710d
Opcode Fuzzy Hash: a6f424f5209f5cd2a3ada8e12047d17d48d5b7ba93c78c5ede3297b5f556ed76
Instruction Fuzzy Hash: 055159B1A0064AEFD744CFA8C980A8ABBF4FF49304F54866AE4199B740D771E954CFA1

Function 6E955F00 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E956035
__CxxThrowException@8.LIBCMT ref: 6E95604A
std::exception::exception.LIBCMT ref: 6E956059
__CxxThrowException@8.LIBCMT ref: 6E95606E

Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C04
Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C1E
Part of subcall function 6E999BB5: __CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 1398cb9b9a7a21c880b76f6b1236fc4fe262e20bda2858bc593e45186af3f641
Instruction ID: d35d1876e99a776fd15318e04b894a09f2ece487a16e36c518d00a021c0216ba
Opcode Fuzzy Hash: 1398cb9b9a7a21c880b76f6b1236fc4fe262e20bda2858bc593e45186af3f641
Instruction Fuzzy Hash: 11513AB1A0060AEFC744CFA8C980A8ABBF4FF49304F148669D519D7B41D771E954CFA1

Function 6E94DE50 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E94DE81
VariantClear.OLEAUT32(?), ref: 6E94DF3C
VariantClear.OLEAUT32(?), ref: 6E94DF6D
VariantClear.OLEAUT32(?), ref: 6E94DF8B

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: c4c78aae7e90e0299213975296990a2d33411418771983920ec3bf6a5c3c65b0
Instruction ID: 47c4141eb6f33a8791885e403cf12b54e8d88f24515bb23528607a3dc0e17d36
Opcode Fuzzy Hash: c4c78aae7e90e0299213975296990a2d33411418771983920ec3bf6a5c3c65b0
Instruction Fuzzy Hash: 77416776608602DFD700DF69C940A5BB7E8EF9A724F044A6AF9449B350E731E905CFA2

Function 6E955DB0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E955E87
__CxxThrowException@8.LIBCMT ref: 6E955E9C
std::exception::exception.LIBCMT ref: 6E955EAB
__CxxThrowException@8.LIBCMT ref: 6E955EC0

Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C04
Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C1E
Part of subcall function 6E999BB5: __CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: d522205375760a47e4399cc40390f2539ae4765e0a5a3bdbca829ec490826665
Instruction ID: e1e8739baf2d5b65a6514f89a36a2df9e4c545bf71ccaad91ab054b9d31a6da5
Opcode Fuzzy Hash: d522205375760a47e4399cc40390f2539ae4765e0a5a3bdbca829ec490826665
Instruction Fuzzy Hash: 414128B19007489FC720CFA9C980A9ABBF8FF19304F44896ED95A97741E775E508CFA1

Function 6E94D360 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E94D437
__CxxThrowException@8.LIBCMT ref: 6E94D44C
std::exception::exception.LIBCMT ref: 6E94D45B
__CxxThrowException@8.LIBCMT ref: 6E94D470

Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C04
Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C1E
Part of subcall function 6E999BB5: __CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: d7657054c40eb1035078c591e2ecc4645abab00fb3a693667f8fc7ee19e699cc
Instruction ID: ce0f484a8ca6671cb33222bde0f557e1e11ec13652446d8dfd5e9af0281028e1
Opcode Fuzzy Hash: d7657054c40eb1035078c591e2ecc4645abab00fb3a693667f8fc7ee19e699cc
Instruction Fuzzy Hash: F84128B19007489FC724CFA9D880A8ABBF8FF19304F44896ED95A97741E775E504CFA2

Function 6E992B80 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 6E966480: __CxxThrowException@8.LIBCMT ref: 6E966518
Part of subcall function 6E966480: __CxxThrowException@8.LIBCMT ref: 6E966558

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E992C9A
__CxxThrowException@8.LIBCMT ref: 6E992CB1
std::exception::exception.LIBCMT ref: 6E992CC3
__CxxThrowException@8.LIBCMT ref: 6E992CDA

Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C04
Part of subcall function 6E999BB5: std::exception::exception.LIBCMT ref: 6E999C1E
Part of subcall function 6E999BB5: __CxxThrowException@8.LIBCMT ref: 6E999C2F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID:
API String ID: 3942750879-0
Opcode ID: dcb12b21674db7e153454edae518638daba7305746e5576b999ea833f150ab9d
Instruction ID: 289e6952ef4759df0cadf865ee39ed5988c40891d9698f5cfea0ae0cbbf9a7d0
Opcode Fuzzy Hash: dcb12b21674db7e153454edae518638daba7305746e5576b999ea833f150ab9d
Instruction Fuzzy Hash: 734147B15187019FC314CF98C480A4AFBF8FFA9714F548A2EE19A87680D7B0E504CFA2

Function 6E95C410 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E95C478
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E95C488
SafeArrayGetElement.OLEAUT32(?,00000001,?), ref: 6E95C4B4
SafeArrayDestroy.OLEAUT32(?), ref: 6E95C512

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Bound$DestroyElement
String ID:
API String ID: 3987547017-0
Opcode ID: c21111542a3b870f5bb2cf1edd185126d6e88907aa62de395aaee850d2c58281
Instruction ID: 2ab150bf5021d590f09cf0a8c6838f547194c3650d567cbaccf20d3b491e011f
Opcode Fuzzy Hash: c21111542a3b870f5bb2cf1edd185126d6e88907aa62de395aaee850d2c58281
Instruction Fuzzy Hash: CA41F875A0414AAFDB00DFD8C884DAEB7B8EF59350F108569F919EB340D630EA56CFA0

Function 6E95B580 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6E9B02A0), ref: 6E95B5D5
VariantInit.OLEAUT32(?), ref: 6E95B5E2
VariantClear.OLEAUT32(?), ref: 6E95B685
VariantClear.OLEAUT32(6E9B02A0), ref: 6E95B68B

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 46c123df5846d4e6d5052f0465cf33e21d6c3f3702f72866179dd98eab7faaac
Instruction ID: 281b2c17a198f59a87d81200555a49f7b43bf5e671a00d9f37bfbff5e72edeb9
Opcode Fuzzy Hash: 46c123df5846d4e6d5052f0465cf33e21d6c3f3702f72866179dd98eab7faaac
Instruction Fuzzy Hash: BE418072A05609DFDB04DFA9C980B9AF7F9EF89310F20419AE9049B354E735E942CF90

Function 6E9A88C9 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E9A88FD
__isleadbyte_l.LIBCMT ref: 6E9A8930
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 6E9A8961
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 6E9A89CF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 22a92380999e94417724c28e4945f25c51e0eaaa7f3411148c8729ad4f781cd0
Instruction ID: c5c4fab0c460ab6f17fbb5c28e5268b09c284c6e51e392f201c2cb9df03d87e0
Opcode Fuzzy Hash: 22a92380999e94417724c28e4945f25c51e0eaaa7f3411148c8729ad4f781cd0
Instruction Fuzzy Hash: 7831BF71A14286EFDB68DFECC8989AE3BB8BF41310F144969E2A49B190E730D940DF51

Function 6E935A30 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E935ACB
__CxxThrowException@8.LIBCMT ref: 6E935AE0
std::exception::exception.LIBCMT ref: 6E935B18
__CxxThrowException@8.LIBCMT ref: 6E935B2D

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc
String ID:
API String ID: 3153320871-0
Opcode ID: 2fbb02960a68b76d51e27ad86d6b315693e405ef1f4be3ba3c4d425ba883e3ba
Instruction ID: a097b88a2c060cd6cad2f49676b332ce7a665735fcedd8a160a4101fe9ced69c
Opcode Fuzzy Hash: 2fbb02960a68b76d51e27ad86d6b315693e405ef1f4be3ba3c4d425ba883e3ba
Instruction Fuzzy Hash: AD3181B1910608AFCB04DFD8D8419DAB7F8FF98750F10866AE81997740EB70EA04CFA1

Function 6E948470 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

InitializeCriticalSection.KERNEL32(00000000,00000000,6E945D89,00000000,00000004,00000000,?,00000000,00000000), ref: 6E9484EA
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000), ref: 6E9484F0
std::exception::exception.LIBCMT ref: 6E94853C
__CxxThrowException@8.LIBCMT ref: 6E948551

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CriticalInitializeSection$Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 3005353045-0
Opcode ID: 43ca47ad213f6e7e56803889d43e83b6b9085bccd5bcae4d24b817c998a9e0c1
Instruction ID: 19e505d4518ff3429e7fbd0e92696b77a5ad9c2188e0d56fabe08586f9b6f58e
Opcode Fuzzy Hash: 43ca47ad213f6e7e56803889d43e83b6b9085bccd5bcae4d24b817c998a9e0c1
Instruction Fuzzy Hash: 61316A71901705AFC714CFA9C480A9AFBF8FF59210F508A6EE90687B40D770EA44CF91

Function 6E95DC40 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6E95DCC5

Part of subcall function 6E999533: std::exception::_Copy_str.LIBCMT ref: 6E99954E

__CxxThrowException@8.LIBCMT ref: 6E95DCDA

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

std::exception::exception.LIBCMT ref: 6E95DD09
__CxxThrowException@8.LIBCMT ref: 6E95DD1E

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 399550787-0
Opcode ID: 7fe0ad64d4b76d71d70c38a9e7c78c613730231e0de1b24136d8e4c35559b03a
Instruction ID: 368bd1a79c685154856055c6e7cdc6c5dfc4b3aabf2cec86731ee709d6b1946b
Opcode Fuzzy Hash: 7fe0ad64d4b76d71d70c38a9e7c78c613730231e0de1b24136d8e4c35559b03a
Instruction Fuzzy Hash: 70315CB59003099FD704DFD9D840A9EBBF8BF95700F048569E9199B350E770EA04DFA1

Function 6E9A2645 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E9A2653

Part of subcall function 6E999D66: __FF_MSGBANNER.LIBCMT ref: 6E999D7F
Part of subcall function 6E999D66: __NMSG_WRITE.LIBCMT ref: 6E999D86
Part of subcall function 6E999D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6E999BD4,6E931290,64F62E83), ref: 6E999DAB

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 24112ee6d7d6358dd7d45dae2bf9f79648c943e8764319175fec29203a964d3e
Instruction ID: c164b04a0d00ea859ba6b71f3bdcb51a3ef74e254a3448bfe4e26419752bc4f8
Opcode Fuzzy Hash: 24112ee6d7d6358dd7d45dae2bf9f79648c943e8764319175fec29203a964d3e
Instruction Fuzzy Hash: AE11CA72846A156FCB111FFFAC0469E37ADAF923A5B180827FA489B650DB34C8409F94

Function 6E947240 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6E964410: _malloc.LIBCMT ref: 6E96446E

SafeArrayCreateVector.OLEAUT32(00000011,00000000,?), ref: 6E947287
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6E94729B
_memmove.LIBCMT ref: 6E9472AF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E9472B8

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_malloc_memmove
String ID:
API String ID: 583974297-0
Opcode ID: 3f9955cf3684e8ffc2c1025fcd5537e5e7552debff624631b2002f4001e0b738
Instruction ID: 3f362ae73a6f1913ca9f734ab497bf93d421782cbdd743565c204ae039557d88
Opcode Fuzzy Hash: 3f9955cf3684e8ffc2c1025fcd5537e5e7552debff624631b2002f4001e0b738
Instruction Fuzzy Hash: 2E1163B2914529BBDB04CFD5D880DDFBB7DDFD9654B008269F90497240E670DA058FE0

Function 6E955A70 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E955AB9
VariantCopy.OLEAUT32(?,6E9C9C90), ref: 6E955AC1
VariantClear.OLEAUT32(?), ref: 6E955AE2
__CxxThrowException@8.LIBCMT ref: 6E955AEF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Variant$ClearCopyException@8InitThrow
String ID:
API String ID: 3826472263-0
Opcode ID: f3a4af1aef4209275ad8d565187558191d7f4fabc6d10394882bac0ae00067d8
Instruction ID: 474306e38819f801166184e588248940609c2565b89256ab530b4384ef0bdb68
Opcode Fuzzy Hash: f3a4af1aef4209275ad8d565187558191d7f4fabc6d10394882bac0ae00067d8
Instruction Fuzzy Hash: 3E117C72904669BBCB00DFD8888499FBB6CEF56614F11456AE924A7301D774AA048BA1

Function 6E968D80 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E968D8A

Part of subcall function 6E999D66: __FF_MSGBANNER.LIBCMT ref: 6E999D7F
Part of subcall function 6E999D66: __NMSG_WRITE.LIBCMT ref: 6E999D86
Part of subcall function 6E999D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6E999BD4,6E931290,64F62E83), ref: 6E999DAB

Part of subcall function 6E9991F6: std::_Lockit::_Lockit.LIBCPMT ref: 6E999202

_malloc.LIBCMT ref: 6E968DAF
std::exception::exception.LIBCMT ref: 6E968DD4
__CxxThrowException@8.LIBCMT ref: 6E968DEB

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _malloc$AllocateException@8HeapLockitLockit::_Throwstd::_std::exception::exception
String ID:
API String ID: 3043633502-0
Opcode ID: 2bb3599944d4f1e0c11003bee9ede0d7c6ba747441b2ef912702407213dcd13a
Instruction ID: 853e2162385cfab7e9987624b2bdd53ddb034d7b29788e845e746190d2b5447b
Opcode Fuzzy Hash: 2bb3599944d4f1e0c11003bee9ede0d7c6ba747441b2ef912702407213dcd13a
Instruction Fuzzy Hash: BBF0C2724043115BD221EBD59CA1BDF32AC9EE2614F480C19F95492240F721D1099DB3

Function 6E9A0A60 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6E9A0A86

Part of subcall function 6E9A08B2: __fltout2.LIBCMT ref: 6E9A08DD

__cftog_l.LIBCMT ref: 6E9A0AAC
__cftoe_l.LIBCMT ref: 6E9A0ADE

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 11deb44cdfc202b88007331b31083cfb285e808d2c5b582a55e83ca63213af75
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 4D11693200014ABBCF124EC8DC158EE3F2ABF59354B498914FE2859070E336CAB1AF81

Function 6E998970 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E998A84
_memmove.LIBCMT ref: 6E998AA0

Strings

EncodingParameters, xrefs: 6E998A41

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _memmove_memset
String ID: EncodingParameters
API String ID: 3555123492-55378216
Opcode ID: 1a38397f8ae4d240191d3f17d7e4db425a4e507fc7eda09a0f931170017a3325
Instruction ID: e02e6ee14fb8f322c38720cd83eeea35f1b6b5ffb9774b6a28df83402d019230
Opcode Fuzzy Hash: 1a38397f8ae4d240191d3f17d7e4db425a4e507fc7eda09a0f931170017a3325
Instruction Fuzzy Hash: 176101B4208341AFD304CF69C880A2AFBE9AFD9754F144A1DF58987391D7B0E945CBA2

Function 6E93F190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6E934760: __CxxThrowException@8.LIBCMT ref: 6E9347F9

Part of subcall function 6E968D80: _malloc.LIBCMT ref: 6E968D8A
Part of subcall function 6E968D80: _malloc.LIBCMT ref: 6E968DAF

_memcpy_s.LIBCMT ref: 6E93F282
_memset.LIBCMT ref: 6E93F293

Strings

@, xrefs: 6E93F2DE

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: _malloc$Exception@8Throw_memcpy_s_memset
String ID: @
API String ID: 3081897325-2766056989
Opcode ID: d8af072a2c5edd5d2f37e8e0da5fdde2571749d8fc88381c553866e3cbef407e
Instruction ID: 3249d40fce4698533f3b3387373f6971587ef02c0260dd4b27c9890a1eaa4326
Opcode Fuzzy Hash: d8af072a2c5edd5d2f37e8e0da5fdde2571749d8fc88381c553866e3cbef407e
Instruction Fuzzy Hash: C2518CB0900358DFDB20CFE4C840BDEBBB8AF55308F148599D95967381DB71AA49CFA2

Function 6E934100 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E934175
_memmove.LIBCMT ref: 6E9341C6

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

Strings

string too long, xrefs: 6E934170

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 881bde4be74c3b5aa9aa9bfa7c58e2067e229cd8e6cd3fdbd730c7748f31825e
Instruction ID: c0d074506f688f43e3c85ff5bfdea0d685535646d56b903bccfc95f0407caa8b
Opcode Fuzzy Hash: 881bde4be74c3b5aa9aa9bfa7c58e2067e229cd8e6cd3fdbd730c7748f31825e
Instruction Fuzzy Hash: FE31A836310A215BE7208EDCAC8096AF7EDEFB5664731091BE491CBA41C762DC418FA1

Function 6E96C350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E96C39B

Strings

gfff, xrefs: 6E96C3A3
gfff, xrefs: 6E96C3F7

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throw
String ID: gfff$gfff
API String ID: 2005118841-3084402119
Opcode ID: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction ID: 8635c8a6531bfd536a5545db4fde1f9ff90a25ac916a94e33275b7e2543ba5c6
Opcode Fuzzy Hash: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction Fuzzy Hash: 56313E71900209AFDB14CF98D980EEEB779EF94314F44851DF9159B284E730BA15CBA1

Function 6E9318C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E93194F

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

std::exception::exception.LIBCMT ref: 6E93198E

Part of subcall function 6E9995C1: std::exception::operator=.LIBCMT ref: 6E9995DA

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E934067
Part of subcall function 6E934010: _memmove.LIBCMT ref: 6E9340C8

Strings

Clone() is not implemented yet., xrefs: 6E9318ED

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: Clone() is not implemented yet.
API String ID: 2192554526-226299721
Opcode ID: be6a1a30a3e9a0c4866ad9c4e534fcd6c2975635c5cf2f85e85c00e4886c1105
Instruction ID: 7b4089dbec5afa94e2763d40cae175796fc62ab2be1a693a98a0440d9e40cc2c
Opcode Fuzzy Hash: be6a1a30a3e9a0c4866ad9c4e534fcd6c2975635c5cf2f85e85c00e4886c1105
Instruction Fuzzy Hash: 6E316BB1804248AFCB14CFD9D840AEEFBB8EF59714F104A2EE821A7781E7759905DF90

Function 6E965560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E965657

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Strings

StringStore: missing InputBuffer argument, xrefs: 6E9655E0
InputBuffer, xrefs: 6E9655BF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: InputBuffer$StringStore: missing InputBuffer argument
API String ID: 3718517217-2380213735
Opcode ID: 292dce9bfe1a7068ced5ffc76654c86709a111461c0c6b775e47fe79841fbc63
Instruction ID: 67e6bac8c74a45c98afd222b13e03e3a7a66635c8e6b3f016a0c34be1bf8e1c8
Opcode Fuzzy Hash: 292dce9bfe1a7068ced5ffc76654c86709a111461c0c6b775e47fe79841fbc63
Instruction Fuzzy Hash: E04124B15087809FD310CF99C490A9BBBE4BF99614F544A2EE59987380DB70D908CF52

Function 6E931EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E931F36

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

std::exception::exception.LIBCMT ref: 6E931F6E

Part of subcall function 6E9995C1: std::exception::operator=.LIBCMT ref: 6E9995DA

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E934067
Part of subcall function 6E934010: _memmove.LIBCMT ref: 6E9340C8

Strings

CryptoMaterial: this object does not support precomputation, xrefs: 6E931ED4

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: CryptoMaterial: this object does not support precomputation
API String ID: 2192554526-3625584042
Opcode ID: 05769faf62e92e7f00724c337ad564a29678e153350582095ae4bc9a2a64a83c
Instruction ID: 03ecfc36f978cce5642ddc8227d0878b6c7ea6e39c3f01bd41d5506ca3b05718
Opcode Fuzzy Hash: 05769faf62e92e7f00724c337ad564a29678e153350582095ae4bc9a2a64a83c
Instruction Fuzzy Hash: 49315DB1804248AFCB14CFD9D840AEEFBB8EF59714F20466EE521A7780D7759905DF90

Function 6E943317 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E943327

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

std::_Xinvalid_argument.LIBCPMT ref: 6E94336B

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

Strings

vector<T> too long, xrefs: 6E943366

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$ExceptionRaiseXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1735018483-3788999226
Opcode ID: 2f98193efb1ef4f4f10b7f81b297fb3db8fde037e7ae2267db1d962f3721c83f
Instruction ID: 01e31db20f1983ccf8de1b262f6575737e51cf63674fbfab21b5be2107f8fe94
Opcode Fuzzy Hash: 2f98193efb1ef4f4f10b7f81b297fb3db8fde037e7ae2267db1d962f3721c83f
Instruction Fuzzy Hash: C231E2B1A04616DFCB14CFE8D880A9AB7B4EF85714F404629EC159F380DB31E900CF91

Function 6E955810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E95584D

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

VariantClear.OLEAUT32(00000000), ref: 6E955899

Strings

vector<T> too long, xrefs: 6E955848

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$ClearException@8ThrowVariantXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 2677079660-3788999226
Opcode ID: 08c65163199d94173394b867fa3eb37116e01c103f45cf082e660750da68c71b
Instruction ID: 890a2c82e3471db465db9930f0828c21d0f894e49e70560617210722b022d86e
Opcode Fuzzy Hash: 08c65163199d94173394b867fa3eb37116e01c103f45cf082e660750da68c71b
Instruction Fuzzy Hash: 3821A1B2A006059FD710CFA8D880AAEB7F9EF84324F144A2EE56597740E734E9408F91

Function 6E945750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E94576B

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

std::_Xinvalid_argument.LIBCPMT ref: 6E945782

Strings

string too long, xrefs: 6E945766, 6E94577D

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 505f0b4ba71b94faab3ac81fc27627b80a02b21aaacb521207409a0def4d3344
Instruction ID: a2dedc5499d45032b173c591b51b46a6e9603ffd5a0b760288e7e10267751a76
Opcode Fuzzy Hash: 505f0b4ba71b94faab3ac81fc27627b80a02b21aaacb521207409a0def4d3344
Instruction Fuzzy Hash: 2911B433304611DFE3219ADCA890AAAF3EDBFA5624F20062FE552CB740C761D9048BA1

Function 6E9346B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E9346C4

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E93470B

Strings

string too long, xrefs: 6E9346BF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 1785806476-2556327735
Opcode ID: 2759a8c041c963f6301a0524d4643dc2083206bde77b9204a4a23115d5c37e03
Instruction ID: da8d5509ce74557bf37680f30b9c8b0421cb1f7c9b0fe6a625edc69d05f4d3b1
Opcode Fuzzy Hash: 2759a8c041c963f6301a0524d4643dc2083206bde77b9204a4a23115d5c37e03
Instruction Fuzzy Hash: F611E9761143215FF7209DF8A8C0A6FB7ACEF51218F310E2ED49783682D762E4498FA1

Function 6E964D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E964E00

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Strings

OutputBuffer, xrefs: 6E964D77
ArraySink: missing OutputBuffer argument, xrefs: 6E964D91

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: ArraySink: missing OutputBuffer argument$OutputBuffer
API String ID: 3718517217-3781944848
Opcode ID: 43b4626719d66aab6201f56e521e91bd5601554f0b3a3675602c0c12965b0800
Instruction ID: d6d28b08d89542b13c9e706b6bbed26ca17dea7098dd3b006db3a16b635fb2db
Opcode Fuzzy Hash: 43b4626719d66aab6201f56e521e91bd5601554f0b3a3675602c0c12965b0800
Instruction Fuzzy Hash: AA3104B5508780AFC310CFA9C480A9BBBE4BF99654F404E2EF5A587350EB75D908CF92

Function 6E940150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E934010: std::_Xinvalid_argument.LIBCPMT ref: 6E93402A

__CxxThrowException@8.LIBCMT ref: 6E940201

Part of subcall function 6E99AC75: RaiseException.KERNEL32(?,?,6E999C34,64F62E83,?,?,?,?,6E999C34,64F62E83,6E9C9C90,6E9DB974,64F62E83), ref: 6E99ACB7

Strings

StringSink: OutputStringPointer not specified, xrefs: 6E94019B
OutputStringPointer, xrefs: 6E94018C

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
API String ID: 3718517217-1331214609
Opcode ID: 14a6cd5d52bdc5be715fb10b8064eebd3b3b0b9f49b79881a51a764fab276e59
Instruction ID: 227b3ec972e11b42c8b84c542025fa0d794f5db9b053d5f1f575fc43e0823d86
Opcode Fuzzy Hash: 14a6cd5d52bdc5be715fb10b8064eebd3b3b0b9f49b79881a51a764fab276e59
Instruction Fuzzy Hash: C7213075D04648AFCB04DFD9D890BDEFBB8EF59204F10855AE425AB381DB359504DF50

Function 6E934620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E934636

Part of subcall function 6E999125: std::exception::exception.LIBCMT ref: 6E99913A
Part of subcall function 6E999125: __CxxThrowException@8.LIBCMT ref: 6E99914F
Part of subcall function 6E999125: std::exception::exception.LIBCMT ref: 6E999160

_memmove.LIBCMT ref: 6E93466F

Strings

invalid string position, xrefs: 6E934631

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: d9087f094487adbf136b3424fd246074bf1e6df2fc2a6f1333a1ee0d0214371f
Instruction ID: f9e9d51f8cc060975e8328593bd8d6e2e420cb850371fc3be64891daf6ec8f71
Opcode Fuzzy Hash: d9087f094487adbf136b3424fd246074bf1e6df2fc2a6f1333a1ee0d0214371f
Instruction Fuzzy Hash: 5301C4313002618BD3218DECEC80A6AB3BAEFD1618B354D2DD195CB701D6B2EC428FA1

Function 6E96ACA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E96ACF8

Strings

Modulus, xrefs: 6E96AD30
PublicExponent, xrefs: 6E96AD1F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: 84606f4dc49e98b0d2f09e71f756d7ab8ce03fae0d57fee02251bfc88ab567c6
Instruction ID: 3860aba5142dd6d44ebe3b5726824c04c3e3c04c59ed38cea918dcb249157ce4
Opcode Fuzzy Hash: 84606f4dc49e98b0d2f09e71f756d7ab8ce03fae0d57fee02251bfc88ab567c6
Instruction Fuzzy Hash: E511E0309083149FC200DFA8C94059BFBF8AFE6648F404A2FF5819B260EB70D848CF96

Function 6E98B7F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E98B848

Strings

Modulus, xrefs: 6E98B880
PublicExponent, xrefs: 6E98B86F

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: 6fb0c025cfd66a287ed41ca0269ad5252b480a463c2f3a83b3a61fa23be2b639
Instruction ID: 025e09d22fb78193b913bc0c4eab00b10e8e890f127e38bd8755c1bf76c85de2
Opcode Fuzzy Hash: 6fb0c025cfd66a287ed41ca0269ad5252b480a463c2f3a83b3a61fa23be2b639
Instruction Fuzzy Hash: A8118F705043445EC600DFA9894058BFBF8AFE5648F140E6EF9855B360EB31D949CF96

Function 6E96B5F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E96B605

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E96B634

Strings

vector<T> too long, xrefs: 6E96B600

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: bbd2d77ff409c802c9069adb3689000bbe45fc05ee6900086507fb2df3a0dc4e
Instruction ID: 4090b89e6159bc91747474c55c5461a42563ff771952e82c2b22334a1b9cc632
Opcode Fuzzy Hash: bbd2d77ff409c802c9069adb3689000bbe45fc05ee6900086507fb2df3a0dc4e
Instruction Fuzzy Hash: A90171B26006059FE724DEE9DC958A7B3ECEF94254718492EE9AAC3254F670F8048F61

Function 6E994230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E994241

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E994277

Strings

vector<bool> too long, xrefs: 6E99423C

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<bool> too long
API String ID: 1785806476-842332957
Opcode ID: dddcdbce88e89584ae86e7a7357bfc62013b58ba1cc2bc0ccf3cc80d86a0f42e
Instruction ID: f13610f203b9cb6a07995685dd5a09b3a5138f33d7ad32dd08b83b386c3dee69
Opcode Fuzzy Hash: dddcdbce88e89584ae86e7a7357bfc62013b58ba1cc2bc0ccf3cc80d86a0f42e
Instruction Fuzzy Hash: 2E01DF72A042055FD714CFA9DCD08AEB3ADFFC4354F55462AE52687744E730E909CEA0

Function 6E993840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E993855

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E993880

Strings

vector<T> too long, xrefs: 6E993850

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 126deabb3ffe6f595f73946cc445296b441ebf078975d6485d906ad5a5dd372c
Instruction ID: ef5aeb229b78921b3a7083cdb36065a0d689ab3d3c840dbd42e904b93d71354f
Opcode Fuzzy Hash: 126deabb3ffe6f595f73946cc445296b441ebf078975d6485d906ad5a5dd372c
Instruction Fuzzy Hash: 980171B15007099FD314DEF9D8898AAB3ECAF942107154A3DE5AAD3650EA74F8008F60

Function 6E945160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E945173

Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E9990ED
Part of subcall function 6E9990D8: __CxxThrowException@8.LIBCMT ref: 6E999102
Part of subcall function 6E9990D8: std::exception::exception.LIBCMT ref: 6E999113

_memmove.LIBCMT ref: 6E94519E

Strings

vector<T> too long, xrefs: 6E94516E

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 87024923642c5152725c0557f7b644d48e661751c49ff39359387965a56f21e5
Instruction ID: c8bf3e66bf0b01a913f3fa92341eef6d2c8122c860c7c0389cbbba4d4fd53866
Opcode Fuzzy Hash: 87024923642c5152725c0557f7b644d48e661751c49ff39359387965a56f21e5
Instruction Fuzzy Hash: 53014FF16002069FD728CEE8CC9186AB3EDEFA4254B18492DE85AC7740E775F904CF61

Function 6E99BFB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E99ABC3: __getptd.LIBCMT ref: 6E99ABC9
Part of subcall function 6E99ABC3: __getptd.LIBCMT ref: 6E99ABD9

__getptd.LIBCMT ref: 6E99BFC3

Part of subcall function 6E99EAE6: __getptd_noexit.LIBCMT ref: 6E99EAE9
Part of subcall function 6E99EAE6: __amsg_exit.LIBCMT ref: 6E99EAF6

__getptd.LIBCMT ref: 6E99BFD1

Strings

csm, xrefs: 6E99BFDF

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction ID: 7080104af2777e97b989a46f37ef23f1428759709beb98750e4311aa9e116171
Opcode Fuzzy Hash: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction Fuzzy Hash: AD0146B48013059EDF648FE1D850AADB3FDBF58215F68482EE0519E2A0DB75C580EF41

Function 6E9A3EA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6E9A3ED9
DName::DName.LIBCMT ref: 6E9A3EE5

Strings

{flat}, xrefs: 6E9A3ED4

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: b1e7bf10d8486febc4f5c512a49d38ff884c1ebe448232e3441d84de49a4e13c
Instruction ID: 697c0a5b93a86fe616f43cee36cdc4edd14d8592db1ab216fa93b40657cd202b
Opcode Fuzzy Hash: b1e7bf10d8486febc4f5c512a49d38ff884c1ebe448232e3441d84de49a4e13c
Instruction Fuzzy Hash: A5F03075144645AFCB00CFACC468BAC3BA59F92759F148045EA5C0F252C731D442CF55

Function 6E947680 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,64F62E83), ref: 6E9476AD
LeaveCriticalSection.KERNEL32(?,?,?,64F62E83), ref: 6E9476FF
EnterCriticalSection.KERNEL32(64F62E83,?,?,?,64F62E83), ref: 6E94770D
LeaveCriticalSection.KERNEL32(64F62E83,?,00000000,?,?,?,?,64F62E83), ref: 6E94772A

Part of subcall function 6E999BB5: _malloc.LIBCMT ref: 6E999BCF

Part of subcall function 6E946D40: _rand.LIBCMT ref: 6E946DEA

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CriticalSection$EnterLeave$_malloc_rand
String ID:
API String ID: 119520971-0
Opcode ID: 7a8e260ec95eeb1d6d5b885fa9b3c562b0f9f0db216ab75ff732d012e02bebf3
Instruction ID: ca7d6a50c28d70b449700018b28a0e8d0b0dfeb11284f2b63786b7190f287e79
Opcode Fuzzy Hash: 7a8e260ec95eeb1d6d5b885fa9b3c562b0f9f0db216ab75ff732d012e02bebf3
Instruction Fuzzy Hash: 212153B2904609EFCB10DF95CC44ADBB7BDFF91254F104A25E81697640EB70EA05CFA0

Function 6E949580 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?), ref: 6E9495A9
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 6E9495CA
EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6E9495DA
LeaveCriticalSection.KERNEL32(00000000,?,?,?), ref: 6E9495FB

Memory Dump Source

Source File: 00000000.00000002.1331992357.000000006E931000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E930000, based on PE: true

Associated: 00000000.00000002.1331916618.000000006E930000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333243700.000000006E9B4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333635993.000000006E9CE000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333724805.000000006E9D0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333763815.000000006E9D1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333799912.000000006E9D3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333906761.000000006E9DC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1333971489.000000006E9DE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e930000_LisectAVT_2403002A_482.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: af928f24894167adfb1a95d6e7ed151c72ca093d77a0523b15dbcf874979266e
Instruction ID: fa07608b767f53a22cedada0924a3836b4505e8400a5b3a26e309f844086729f
Opcode Fuzzy Hash: af928f24894167adfb1a95d6e7ed151c72ca093d77a0523b15dbcf874979266e
Instruction Fuzzy Hash: F7116A7290450AEFCB40CFD9E9809DEF7BCFF91214B10459AE91597610E770EA51CFA0

Analysis Process: MSBuild.exePID: 4324, Parent PID: 1664COMMON

Execution Graph

Execution Coverage:	18.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	1

Executed Functions

Function 0104C72F Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0104C829

Memory Dump Source

Source File: 00000004.00000002.1290203358.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_MSBuild.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 633d2acd2c01871502f767a6f72e855628496e34e65bf98a400dfb3e23afc8a8
Instruction ID: 4f0c86fbe69c2163be0ac906d1027d56093d7817d3167691b9f4a505539303f6
Opcode Fuzzy Hash: 633d2acd2c01871502f767a6f72e855628496e34e65bf98a400dfb3e23afc8a8
Instruction Fuzzy Hash: 75510971D01619CFEB25CFA5C980BDEBBF5BF49300F1080AAD149AB251DA715A45CF91

Function 0104B294 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0104C829

Memory Dump Source

Source File: 00000004.00000002.1290203358.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_MSBuild.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 24492ca479e204649d282320889fb763c57dcec9d96918f0fef1590f02676b2f
Instruction ID: d129e2e52d703a361514dfce3965fc96d006e0190f99d37183577c29b86dee22
Opcode Fuzzy Hash: 24492ca479e204649d282320889fb763c57dcec9d96918f0fef1590f02676b2f
Instruction Fuzzy Hash: 875106B1D016198FEB24CFA5C984BCEBBF5AF49300F1080AAD548AB250DB716A85CF91

Function 0104AE23 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 0104AE98

Memory Dump Source

Source File: 00000004.00000002.1290203358.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_MSBuild.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 3083b257c2e9a06793e35b56cf4c50984fa61b9e37288f1b71ec5773c1d591da
Instruction ID: ddac1abbbfec21ac2ebc27eab49ef8f84f9420e32f756ef15abc42b78a89bc90
Opcode Fuzzy Hash: 3083b257c2e9a06793e35b56cf4c50984fa61b9e37288f1b71ec5773c1d591da
Instruction Fuzzy Hash: 4D21DDB4D012089FCB24CFA9D584ADEBBF0AF48320F24842AD419B7340C7356942CFA4

Function 0104AE28 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 0104AE98

Memory Dump Source

Source File: 00000004.00000002.1290203358.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_MSBuild.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 457996375e892b9194caef6a8eb118d08906cc2509f3b75430abf8aae31ed899
Instruction ID: 440b14235066fba4871a24897d3669c02a6415c37259033883d25d3fa3fb77aa
Opcode Fuzzy Hash: 457996375e892b9194caef6a8eb118d08906cc2509f3b75430abf8aae31ed899
Instruction Fuzzy Hash: E621BDB4D012099FDB24DFA9D584ADEBBF5AB48320F24942AD419B7240C7356946CFA4

Function 00FCD1D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1289601505.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fcd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311608a9c8f2d14fe7fdb1d408b70af1239efb19e2fcfca4a4b07ba93dd852c1
Instruction ID: 0912ca04e1607517d09ef00f2ba3b70d11a3d9f430eb7cea5515d1889a4dd687
Opcode Fuzzy Hash: 311608a9c8f2d14fe7fdb1d408b70af1239efb19e2fcfca4a4b07ba93dd852c1
Instruction Fuzzy Hash: E821E272904201DFDB159F50DAC5F5ABB65EB88324F24C16DE8090B246C336D816EBA2

Function 00FCD3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1289601505.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fcd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ce1249c718eabba61f4a3098907e4efa5e1e822c51719fd5a88f8d6c5cea3c
Instruction ID: c19c63b24abcac6ad99e4e08b6044f3ac68b31617d04ec7b04515cbe7d92b9de
Opcode Fuzzy Hash: 41ce1249c718eabba61f4a3098907e4efa5e1e822c51719fd5a88f8d6c5cea3c
Instruction Fuzzy Hash: 79210372904241DFDB18DF10DAC1F1ABB65FB94324F20C57DE9090B246C336E856EBA2

Function 00FDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1289794080.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fdd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e7b9d19674be2b8bfe5ec57d9556f10f10c550a859267e70cca1bdfc21e2fa
Instruction ID: 010a235c1b9f0b1260628bd5f2c0cbd385fd269ed46e4e3dd70163577cc90aea
Opcode Fuzzy Hash: f1e7b9d19674be2b8bfe5ec57d9556f10f10c550a859267e70cca1bdfc21e2fa
Instruction Fuzzy Hash: 1C21F575A04300DFDB14DF14D9C8B16BB66EBC4324F28C56ED84A4B38AC336D847DA62

Function 00FDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1289794080.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fdd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73109c7770b97b296186b66597f0fac91a6889b6fa366e559d390859270cab4
Instruction ID: 9fae70db4126f5ee27d258854af02395be82c5397679da883bd21b01fa08095d
Opcode Fuzzy Hash: d73109c7770b97b296186b66597f0fac91a6889b6fa366e559d390859270cab4
Instruction Fuzzy Hash: 76210771A04304EFDB15DF10D9C0B25BB66FB84325F28C56ED8494B392C336D846DA61

Function 00FDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1289794080.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fdd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0570819fc33786626430afa1e6da73efb1814f2735a184834c36bd645658ac19
Instruction ID: 20580f597da649ed02fa78d24d306a7b67c29a993e7b95943ca4ce9c749637e2
Opcode Fuzzy Hash: 0570819fc33786626430afa1e6da73efb1814f2735a184834c36bd645658ac19
Instruction Fuzzy Hash: 142153755093808FC716CF24D594715BF72EB46324F29C5EBD8498B6A7C33A980ACB62

Function 00FCD1D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1289601505.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fcd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
Instruction ID: f825e49e455c4c945fd04af6af1db2a6daff44e797680f540fa9f05926694c58
Opcode Fuzzy Hash: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
Instruction Fuzzy Hash: 28219076904240DFCB16CF50DAC4B5ABF72FB94324F24C1A9DC490B656C336D81ADB91

Function 00FCD3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1289601505.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fcd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: f00dfaf89d28a3ad81fbf62d0264dddb3127135f98c0e6a73f7f2d878c981243
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: DB110376904280CFCB05CF10DAC1B1ABF72FB94324F24C5ADD9490B656C336E85ADBA1

Function 00FDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1289794080.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_fdd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction ID: 7d998a17e7549ea1f5995a8a5b5114c5fce8dba94bbe904afcf3e9ed52c0cb8b
Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
Instruction Fuzzy Hash: 0A118B75904280DFCB15DF14D9C4B15BBB2FB84324F28C6AED8494B796C33AD84ADB61

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_482.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_482.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MsBuild.exe.log

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
LisectAVT_2403002A_482.exe

Function 6E95B6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Function 6E94B6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Function 6E952970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Function 6E94AF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Function 6E95D410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Function 6E95D468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Function 6E955140 Relevance: 21.2, APIs: 14, Instructions: 203
COMMON

Function 6E9544C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Function 6E95BF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Function 6E9564D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Function 6E95CB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Function 6E94A350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Function 6E95CD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Function 6E9566A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Function 6E95840E Relevance: 13.8, APIs: 9, Instructions: 332
COMMON