
Windows Analysis Report
LisectAVT_2403002A_138.exe

Overview

General Information

Sample name: LisectAVT_2403002A_138.exe
Analysis ID: 1482505
MD5: fec47a3ee92a38794a904285cb01529b
SHA1: b9d5ca658c03e1e4fa124e5459130db55e818eba
SHA256: 5ec4bb89bf846e2e9305f280673aeb564b13039b72bf8cf9a1b5294ed4aa7bc8
Tags: ArkeiStealer, exe

Detection

Vidar
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LisectAVT_2403002A_138.exe (PID: 7640 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe" MD5: FEC47A3EE92A38794A904285CB01529B)
    • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LisectAVT_2403002A_138.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe" MD5: FEC47A3EE92A38794A904285CB01529B)
    • LisectAVT_2403002A_138.exe (PID: 6128 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe" MD5: FEC47A3EE92A38794A904285CB01529B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0x96c30:$a1: BinanceChainWallet
  • 0x99648:$b1: CC\%s_%s.txt
  • 0x996a4:$b2: History\%s_%s.txt
  • 0x99688:$b3: Autofill\%s_%s.txt
0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x992f4:$s1: JohnDoe
  • 0x992ec:$s2: HAL9TH
Source | Rule | Description | Author | Strings
0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0x95430:$a1: BinanceChainWallet
  • 0x97e48:$b1: CC\%s_%s.txt
  • 0x97ea4:$b2: History\%s_%s.txt
  • 0x97e88:$b3: Autofill\%s_%s.txt
0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x97af4:$s1: JohnDoe
  • 0x97aec:$s2: HAL9TH
0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack | MALWARE_Win_Vidar | Detects Vidar / ArkeiStealer | ditekSHen
  • 0x97db0:$s1: "os_crypt":{"encrypted_key":"
  • 0x9d684:$s2: screenshot.jpg
  • 0x97c7c:$s3: Content-Disposition: form-data; name="
No Sigma rule has matched
No Snort rule has matched

Timestamp: 2024-07-25T23:55:49.455076+0200
SID: 2803305
Source Port: 49708
Destination Port: 443
Protocol: TCP
Classtype: Unknown Traffic

Timestamp: 2024-07-25T23:55:30.608049+0200
SID: 2022930
Source Port: 443
Destination Port: 49707
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T23:55:50.393757+0200
SID: 2803305
Source Port: 49709
Destination Port: 443
Protocol: TCP
Classtype: Unknown Traffic

Timestamp: 2024-07-25T23:54:52.856419+0200
SID: 2022930
Source Port: 443
Destination Port: 49705
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: LisectAVT_2403002A_138.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_138.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_0041600C CryptUnprotectData,LocalAlloc,_memmove,LocalFree | 10_2_0041600C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_0041624B _malloc,_memmove,_malloc,CryptUnprotectData,_memmove | 10_2_0041624B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00415FB3 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 10_2_00415FB3

Compliance

Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Unpacked PE file: 0.2.LisectAVT_2403002A_138.exe.3040000.1.unpack
Source: LisectAVT_2403002A_138.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.28.78.238:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: LisectAVT_2403002A_138.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030EBA2A FindFirstFileExW,FindNextFileW,FindClose | 0_2_030EBA2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030EB976 _free,_free,FindFirstFileExW | 0_2_030EB976
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_004074D6 __EH_prolog3_GS,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose | 10_2_004074D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00417856 _sprintf,FindFirstFileA,_sprintf,_memset,_sprintf,GetFileAttributesA,FindNextFileA,FindClose | 10_2_00417856
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00407D0D __EH_prolog3_GS,_sprintf,FindFirstFileA,_sprintf,CopyFileA,FindNextFileA,FindClose | 10_2_00407D0D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_0040F3D6 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok | 10_2_0040F3D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 4x nop then mov eax, dword ptr fs:[00000030h] | 10_2_00401000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 4x nop then mov dword ptr [ebp-04h], eax | 10_2_00401000
Source: global traffic | HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me
Source: global traffic | HTTP traffic detected: GET /@samal6 HTTP/1.1 Host: noc.social
Source: global traffic | HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645
Source: global traffic | HTTP traffic detected: GET /@samal6 HTTP/1.1 Host: noc.social Cookie: _mastodon_session=Qw9lJgCboiJD0%2F4%2BxCsP5G1hmJ17zNJU%2BEH7UaO0nSkWqV%2FG0pT%2BGz1pz%2Fy%2Fq%2F5pMPiAaFMnF7G58wt5rs%2Fnm%2Bpt%2FjwUstdfT1d7dVdA9YqBys4at5USOqOymXdXQB2mSR%2BJlot5wzs36BbHiNCS7ul%2B2mCL1SEmrhCTfExt7nSpOHcJtbmwozWalTJkQXPaYyRVyXASltft6%2FnqCPP6nLBw7Ai1IrMBq%2B00rBY%3D--AfxNH5XsTJwnLEC9--TeFYvmJjfvrHNxeyk9%2FUdQ%3D%3D
Source: global traffic | HTTP traffic detected: GET /hi20220412 HTTP/1.1 Host: t.me Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645
Source: Joe Sandbox View | IP Address: 149.28.78.238 149.28.78.238
Source: Joe Sandbox View | IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00410235 __EH_prolog3,DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 10_2_00410235
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: noc.social
Source: LisectAVT_2403002A_138.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: LisectAVT_2403002A_138.exe | String found in binary or memory: http://s.symcd.com06
Source: LisectAVT_2403002A_138.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: LisectAVT_2403002A_138.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: LisectAVT_2403002A_138.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: LisectAVT_2403002A_138.exe | String found in binary or memory: https://d.symcb.com/cps0%
Source: LisectAVT_2403002A_138.exe | String found in binary or memory: https://d.symcb.com/rpa0
Source: LisectAVT_2403002A_138.exe | String found in binary or memory: https://d.symcb.com/rpa0.
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://noc.social
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://noc.social/
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://noc.social/5
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000142F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://noc.social/eQ
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://noc.social;
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000142F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://noc.social~
Source: LisectAVT_2403002A_138.exe, 00000000.00000002.1911139518.000000000FF50000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 00000000.00000003.1831985576.0000000011930000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/LI
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000142F000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000003.2137596982.0000000001435000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641641619.00000000012F9000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000003.2176119973.0000000001480000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.0000000001420000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2643040123.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/hi20220412
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/hi20220412A
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/hi20220412i/
Source: LisectAVT_2403002A_138.exe, 0000000A.00000003.2137596982.0000000001435000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/hi20220412j
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2643040123.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000147C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://telegram.org/img/t_logo.png
Source: LisectAVT_2403002A_138.exe, 0000000A.00000003.2137482736.0000000001435000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2643040123.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000147C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.telegram.org
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary

Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Vidar / ArkeiStealer Author: ditekSHen
Source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
Source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR | Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: String function: 00402D44 appears 33 times
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: String function: 00475ED0 appears 50 times
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: String function: 0041FA3E appears 103 times
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: String function: 0041EFA2 appears 41 times
            Source: LisectAVT_2403002A_138.exe Binary or memory string: OriginalFilename vs LisectAVT_2403002A_138.exe
            Source: LisectAVT_2403002A_138.exe, 00000000.00000000.1389211867.0000000000707000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVtradsxvhxy.exe< vs LisectAVT_2403002A_138.exe
            Source: LisectAVT_2403002A_138.exe, 00000009.00000002.1873693039.0000000000707000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVtradsxvhxy.exe< vs LisectAVT_2403002A_138.exe
            Source: LisectAVT_2403002A_138.exe, 0000000A.00000000.1903816265.0000000000707000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVtradsxvhxy.exe< vs LisectAVT_2403002A_138.exe
            Source: LisectAVT_2403002A_138.exe Binary or memory string: OriginalFilenameVtradsxvhxy.exe< vs LisectAVT_2403002A_138.exe
            Source: LisectAVT_2403002A_138.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
            Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Vidar author = ditekSHen, description = Detects Vidar / ArkeiStealer
            Source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
            Source: LisectAVT_2403002A_138.exe Static PE information: Section: ymZHo ZLIB complexity 0.99568714198036
            Source: classification engine Classification label: mal92.troj.spyw.evad.winEXE@6/0@2/2
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_00417AF9 _malloc,CreateToolhelp32Snapshot,CloseHandle,Process32First,Process32Next,CloseHandle
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Mutant created: \Sessions\1\BaseNamedObjects\9e146be9-c76a-4720-bcdb-8c18-806e6f6e6963user4
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
            Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: LisectAVT_2403002A_138.exe, 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: LisectAVT_2403002A_138.exe, LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
            Source: LisectAVT_2403002A_138.exe Static file information: File size 2190481 > 1048576
            Source: LisectAVT_2403002A_138.exe Static PE information: Raw size of ymZHo is bigger than: 0x100000 < 0x17de00
            Source: LisectAVT_2403002A_138.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Unpacked PE file: 0.2.LisectAVT_2403002A_138.exe.3040000.1.unpack
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 10_2_0046AD94 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: initial sample Static PE information: section where entry point is pointing to: viKy
            Source: LisectAVT_2403002A_138.exe Static PE information: real checksum: 0x21a6a0 should be: 0x2242e8
            Source: LisectAVT_2403002A_138.exe Static PE information: section name: EaHF
            Source: LisectAVT_2403002A_138.exe Static PE information: section name: pIuGK
            Source: LisectAVT_2403002A_138.exe Static PE information: section name: ymZHo
            Source: LisectAVT_2403002A_138.exe Static PE information: section name: OkG
            Source: LisectAVT_2403002A_138.exe Static PE information: section name: fwu
            Source: LisectAVT_2403002A_138.exe Static PE information: section name: viKy
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055A176 push ebp; ret 0_2_0055A1B0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00556104 push edx; retf 0_2_0055610A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055A1C1 push ebp; ret 0_2_0055A1B0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_005541BF push edi; iretd 0_2_005541C0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0055955B push 00000059h; iretd 0_2_00559570
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00559687 push edx; iretd 0_2_0055968D
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00557941 push edx; retf 0_2_00557942
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00559A57 push esp; ret 0_2_00559A58
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00557F5F push FFFFFFE9h; iretd 0_2_00557F6B
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_00557F2C push ebx; retf 0_2_00557F31
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304C303 push ds; ret 0_2_0304C305
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304B331 push ecx; iretd 0_2_0304B333
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03047387 push ebx; iretd 0_2_030473CF
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304A3C6 push FFFFFF8Bh; ret 0_2_0304A3CF
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304322E push ebx; iretd 0_2_03043232
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304B249 push ecx; iretd 0_2_0304B24A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304C25E push edx; iretd 0_2_0304C264
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_030441F4 push ebx; rep ret 0_2_03044209
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304A621 push ds; retf 0_2_0304A622
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304A446 push edi; ret 0_2_0304A459
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03042B4C push FFFFFF8Bh; ret 0_2_03042B55
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03043B66 push ecx; iretd 0_2_03043B68
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03044B7B push edx; iretd 0_2_03044B81
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03042BCC push edi; ret 0_2_03042BDF
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03043A7E push ecx; iretd 0_2_03043A7F
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304AAA8 push ebx; iretd 0_2_0304AAAC
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03048ABB push ebp; retf 0_2_03048ABC
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_0304B9BF push ebx; rep ret 0_2_0304B9D4
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03042DA7 push ds; retf 0_2_03042DA8
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 0_2_03044C20 push ds; ret 0_2_03044C22
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe Code function: 9_2_00554C55 push ss; ret 9_2_00554C5F
            Source: LisectAVT_2403002A_138.exe Static PE information: section name: EaHF entropy: 7.03133579730527
            Source: LisectAVT_2403002A_138.exe Static PE information: section name: viKy entropy: 7.075532543911929

            Malware Analysis System Evasion

            Source: LisectAVT_2403002A_138.exeBinary or memory string: DIR_WATCH.DLL
            Source: LisectAVT_2403002A_138.exeBinary or memory string: SBIEDLL.DLL
            Source: LisectAVT_2403002A_138.exeBinary or memory string: API_LOG.DLL
            Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: HGETPROCESSWINDOWSTATIONGETUSEROBJECTINFORMATIONWGETLASTACTIVEPOPUPGETACTIVEWINDOWMESSAGEBOXWUSER32.DLLCONOUT$AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLLHKIAFZ5
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeAPI coverage: 7.0 %
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe TID: 7644Thread sleep time: -32000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe TID: 3644Thread sleep time: -240000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: 0_2_030EBA2A FindFirstFileExW,FindNextFileW,FindClose,0_2_030EBA2A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: 0_2_030EB976 _free,_free,FindFirstFileExW,0_2_030EB976
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: 10_2_004074D6 __EH_prolog3_GS,_memset,_memset,_memset,_memset,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcatW,FindNextFileW,FindClose,_memset,_memset,_memset,_memset,_memset,_memset,_memset,_memset,FindClose,10_2_004074D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00417856 _sprintf,FindFirstFileA,_sprintf,_memset,_sprintf,GetFileAttributesA,FindNextFileA,FindClose | 10_2_00417856
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00407D0D __EH_prolog3_GS,_sprintf,FindFirstFileA,_sprintf,CopyFileA,FindNextFileA,FindClose | 10_2_00407D0D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_0040F3D6 _strtok,_strtok,__wgetenv,__wgetenv,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok | 10_2_0040F3D6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_0046773B GetSystemInfo | 10_2_0046773B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Thread delayed: delay time: 120000
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(5B
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.0000000001420000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWq
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.0000000001420000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: LisectAVT_2403002A_138.exe, 00000000.00000002.1910710435.000000000150E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | API call chain: ExitProcess graph end node | graph_10-49392
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | API call chain: ExitProcess graph end node | graph_10-48506
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | API call chain: ExitProcess graph end node | graph_10-49146
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_00571EC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00571EC0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: 10_2_0046AD94 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_0046AD94
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_005518D0 mov eax, dword ptr fs:[00000030h] | 0_2_005518D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_03042150 mov eax, dword ptr fs:[00000030h] | 0_2_03042150
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_03042150 mov eax, dword ptr fs:[00000030h] | 0_2_03042150
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030EABB2 mov eax, dword ptr fs:[00000030h] | 0_2_030EABB2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030E792F mov eax, dword ptr fs:[00000030h] | 0_2_030E792F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_03041FC0 mov eax, dword ptr fs:[00000030h] | 0_2_03041FC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_03041FC0 mov eax, dword ptr fs:[00000030h] | 0_2_03041FC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00401000 mov eax, dword ptr fs:[00000030h] | 10_2_00401000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00483DA9 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock | 10_2_00483DA9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_0056F2ED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_0056F2ED
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_00571EC0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00571EC0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030EA299 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_030EA299
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030E71CD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_030E71CD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030E6CCC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_030E6CCC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_0046F26F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 10_2_0046F26F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_004765CD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 10_2_004765CD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Memory written: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe "C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030E6EE5 cpuid | 0_2_030E6EE5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage | 10_2_0047F0AE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA | 10_2_0047F16E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA | 10_2_0047F1D5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s | 10_2_0047F211
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,10_2_004753F5
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,10_2_0047E5C9
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,10_2_0047D69F
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,10_2_0047E8B7
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,10_2_0047D96D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: GetLocaleInfoA | 10_2_004759F8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea | 10_2_00483B57
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat | 10_2_00483C31
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 10_2_0047ECE6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA | 10_2_0047EDDB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage | 10_2_0047EEDD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen | 10_2_0047EE82
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 0_2_030E6B72 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_030E6B72
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00467DAE GetUserNameA | 10_2_00467DAE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Code function: 10_2_00479BE9 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte | 10_2_00479BE9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectronCash
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum\wallets\
Source: LisectAVT_2403002A_138.exe, 00000000.00000002.1911139518.000000000FF50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: JaxxLib
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: exodus.conf.json
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: info.seco
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ElectrumLTC
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: passphrase.json
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \jaxx\Local Storage\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Ethereum"
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: default_wallet
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file__0.localstorage
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: MultiDoge
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Exodus\exodus.wallet\
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: seed.seco
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Electrum-LTC\wallets\
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.LisectAVT_2403002A_138.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.LisectAVT_2403002A_138.exe.11930000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 7640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_138.exe PID: 6128, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques matched by signatures carry their signature count in parentheses; the remaining entries are the unmatched cells of the matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (111), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Virtualization/Sandbox Evasion (11), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (12), DLL Side-Loading (1), Compile After Delivery, Indicator Removal from Tools
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (121), Virtualization/Sandbox Evasion (11), Process Discovery (2), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (24)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Local System (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (21), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (3), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label | Link
LisectAVT_2403002A_138.exe | 100% | Avira | TR/AD.GenSteal.cxhyd
LisectAVT_2403002A_138.exe | 100% | Joe Sandbox ML
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://t.me/hi20220412A | 0% | Avira URL Cloud | safe
https://noc.social/eQ | 0% | Avira URL Cloud | safe
https://telegram.org/img/t_logo.png | 0% | Avira URL Cloud | safe
https://t.me/hi20220412i/ | 0% | Avira URL Cloud | safe
https://t.me/ | 0% | Avira URL Cloud | safe
https://noc.social~ | 0% | Avira URL Cloud | safe
https://noc.social/@samal6 | 0% | Avira URL Cloud | safe
https://noc.social; | 0% | Avira URL Cloud | safe
https://web.telegram.org | 0% | Avira URL Cloud | safe
https://t.me/LI | 0% | Avira URL Cloud | safe
https://noc.social/5 | 0% | Avira URL Cloud | safe
https://noc.social | 0% | Avira URL Cloud | safe
https://t.me/hi20220412j | 0% | Avira URL Cloud | safe
https://t.me/hi20220412 | 0% | Avira URL Cloud | safe
https://noc.social/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.me | 149.154.167.99 | true | false | | unknown
noc.social | 149.28.78.238 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://noc.social/@samal6 | false | Avira URL Cloud: safe | unknown
https://t.me/hi20220412 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://t.me/ | LisectAVT_2403002A_138.exe, 00000000.00000002.1911139518.000000000FF50000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 00000000.00000003.1831985576.0000000011930000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://noc.social/eQ | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000142F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/hi20220412A | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/hi20220412i/ | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://web.telegram.org | LisectAVT_2403002A_138.exe, 0000000A.00000003.2137482736.0000000001435000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2643040123.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000147C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://noc.social~ | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000142F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/LI | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://telegram.org/img/t_logo.png | LisectAVT_2403002A_138.exe, 0000000A.00000002.2643040123.0000000002FD0000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.000000000147C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://noc.social; | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/hi20220412j | LisectAVT_2403002A_138.exe, 0000000A.00000003.2137596982.0000000001435000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://noc.social/ | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://noc.social | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://noc.social/5 | LisectAVT_2403002A_138.exe, 0000000A.00000002.2641697890.00000000013F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.28.78.238 | noc.social | United States | 20473 | AS-CHOOPAUS | false
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1482505
                Start date and time:2024-07-25 23:53:41 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 22s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:12
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:LisectAVT_2403002A_138.exe
                Detection:MAL
                Classification:mal92.troj.spyw.evad.winEXE@6/0@2/2
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:Failed
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target LisectAVT_2403002A_138.exe, PID 7440 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: LisectAVT_2403002A_138.exe
Time | Type | Description
17:55:49 | API Interceptor | 2x Sleep call for process: LisectAVT_2403002A_138.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.28.78.238 | 6A42F7E5290BF7E40E1AA0C0E9CEDA098A612D6DDA9B7.exe | malicious | Nymaim, RedLine, SmokeLoader, Socelars, Vidar, onlyLogger |
149.28.78.238 | 3F947F5A849F11BE9079A5C2418240E2FAF7E53B63662.exe | malicious | Nymaim, PrivateLoader, RedLine, Socelars, Vidar, onlyLogger |
149.28.78.238 | 6E004CB6C3F1C0338A20692C375DE17324C45E5176E80.exe | malicious | Amadey Raccoon RedLine SmokeLoader Socelars Vidar onlyLogger |
149.28.78.238 | 83335468.exe | malicious | Vidar |
149.28.78.238 | 77040473.exe | malicious | Vidar |
149.28.78.238 | 73073377.exe | malicious | Vidar |
149.28.78.238 | MBbJxOcnhQ.exe | malicious | SystemBC Vidar |
149.28.78.238 | 414YLLerpQ.exe | malicious | RedLine SmartSearch Installer SmokeLoader Vidar onlyLogger |
149.28.78.238 | kGl1qp3Ox8.exe | malicious | RedLine SmokeLoader Vidar onlyLogger |
149.28.78.238 | CaaBlZ3pOc.exe | malicious | Vidar |
149.154.167.99 | http://bekaaviator.kz/ | malicious | Unknown | telegram.org/
149.154.167.99 | http://telegramtw1.org/ | malicious | Unknown | telegram.org/?setln=pl
149.154.167.99 | http://makkko.kz/ | malicious | Unknown | telegram.org/
149.154.167.99 | http://telegram.dog | malicious | Unknown | telegram.dog/
149.154.167.99 | LnSNtO8JIa.exe | malicious | Cinoshi Stealer | t.me/cinoshibot
149.154.167.99 | jtfCFDmLdX.exe | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | t.me/cinoshibot
149.154.167.99 | vSlVoTPrmP.exe | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | t.me/cinoshibot
149.154.167.99 | RO67OsrIWi.exe | malicious | Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT | t.me/cinoshibot
149.154.167.99 | KeyboardRGB.exe | malicious | Unknown | t.me/cinoshibot
149.154.167.99 | file.exe | malicious | Cinoshi Stealer | t.me/cinoshibot
Match | Associated Sample Name / URL | Detection | Threat Name | Context
t.me | LisectAVT_2403002A_425.dll | malicious | Unknown | 149.154.167.99
t.me | LisectAVT_2403002A_425.dll | malicious | Unknown | 149.154.167.99
t.me | LisectAVT_2403002B_272.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
t.me | LisectAVT_2403002B_344.exe | malicious | Bdaejec, Vidar | 149.154.167.99
t.me | Bootstrapper.exe | malicious | Hancitor, Vidar | 149.154.167.99
t.me | LisectAVT_2403002C_18.exe | malicious | Raccoon | 188.114.96.3
t.me | LisectAVT_2403002C_18.exe | malicious | Raccoon | 188.114.97.3
t.me | LisectAVT_2403002C_60.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
t.me | LisectAVT_2403002C_67.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
t.me | LisectAVT_2403002C_81.exe | malicious | Vidar | 149.154.167.99
noc.social | 6A42F7E5290BF7E40E1AA0C0E9CEDA098A612D6DDA9B7.exe | malicious | Nymaim, RedLine, SmokeLoader, Socelars, Vidar, onlyLogger | 149.28.78.238
noc.social | 3F947F5A849F11BE9079A5C2418240E2FAF7E53B63662.exe | malicious | Nymaim, PrivateLoader, RedLine, Socelars, Vidar, onlyLogger | 149.28.78.238
noc.social | 6E004CB6C3F1C0338A20692C375DE17324C45E5176E80.exe | malicious | Amadey Raccoon RedLine SmokeLoader Socelars Vidar onlyLogger | 149.28.78.238
noc.social | 83335468.exe | malicious | Vidar | 149.28.78.238
noc.social | 77040473.exe | malicious | Vidar | 149.28.78.238
noc.social | 73073377.exe | malicious | Vidar | 149.28.78.238
noc.social | MBbJxOcnhQ.exe | malicious | SystemBC Vidar | 149.28.78.238
noc.social | 7ZrcAR8FEj.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar | 149.28.78.238
noc.social | jvEwcodrmK.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar | 149.28.78.238
noc.social | 8h3Owatb9e.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar | 149.28.78.238
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | LisectAVT_2403002A_425.dll | malicious | Unknown | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002A_425.dll | malicious | Unknown | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002A_74.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | New Order.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | LisectAVT_2403002B_181.exe | malicious | PrivateLoader | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002B_272.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002B_344.exe | malicious | Bdaejec, Vidar | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002B_4.exe | malicious | AsyncRAT, Neshta, StormKitty, WorldWind Stealer | 149.154.167.220
TELEGRAMRU | Payment_Advice.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Apixaban - August 2024.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
AS-CHOOPAUS | LisectAVT_2403002A_463.exe | malicious | Xmrig | 141.164.54.46
AS-CHOOPAUS | LisectAVT_2403002B_338.exe | malicious | CobaltStrike, Metasploit | 207.148.99.69
AS-CHOOPAUS | LisectAVT_2403002B_59.dll | malicious | Emotet | 66.42.57.149
AS-CHOOPAUS | LisectAVT_2403002C_48.dll | malicious | Qbot | 140.82.27.132
AS-CHOOPAUS | Remittance advice.htm | malicious | Unknown | 149.28.225.195
AS-CHOOPAUS | Lisect_AVT_24003_G1B_25.exe | malicious | Unknown | 207.246.70.132
AS-CHOOPAUS | Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 149.28.155.28
AS-CHOOPAUS | Lisect_AVT_24003_G1B_125.msi | malicious | Unknown | 207.246.70.132
AS-CHOOPAUS | LisectAVT_2403002A_258.exe | malicious | Xmrig | 45.76.89.70
AS-CHOOPAUS | LisectAVT_2403002A_202.exe | malicious | Xmrig | 45.76.89.70
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_156.exe | malicious | XRed | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_160.exe | malicious | Gh0stCringe, GhostRat, Mimikatz, RunningRAT, XRed | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_156.exe | malicious | XRed | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_193.exe | malicious | Unknown | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_201.exe | malicious | Amadey | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_207.exe | malicious | PureLog Stealer, zgRAT | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_206.exe | malicious | Unknown | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_282.exe | malicious | XRed | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_250.exe | malicious | XRed | 149.28.78.238, 149.154.167.99
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002A_282.exe | malicious | XRed | 149.28.78.238, 149.154.167.99
                                    No context
                                    No created / dropped files found
                                    File type:PE32 executable (console) Intel 80386, for MS Windows
                                    Entropy (8bit):7.684151475718382
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:LisectAVT_2403002A_138.exe
                                    File size:2'190'481 bytes
                                    MD5:fec47a3ee92a38794a904285cb01529b
                                    SHA1:b9d5ca658c03e1e4fa124e5459130db55e818eba
                                    SHA256:5ec4bb89bf846e2e9305f280673aeb564b13039b72bf8cf9a1b5294ed4aa7bc8
                                    SHA512:956cac2f8e4e0b3d3e863216c30d3211b513c00e00919eb5177a1ed31f8cb399168c6b87c12d151a532c31c74ab0688e00dad0705d27f8fee02965e2a2117147
                                    SSDEEP:49152:z+mAw9YRh2lvd/Z49kjBUZO5DcK2IDb8Q9bUP9JZPNHLpSwdcV:z+mAwlqozP38yUlJ7HLZSV
                                    TLSH:46A5F139067A30D7D65DB9B0CA0A4DA301625E38153319BF28BEFE7D193C8B5854F6AC
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q...q...q...e.|.{...e.z.....e.{.c.....{.`.....|.b.....z.[...e.~.v...q.~.......v.p.....}.p...Richq...........PE..L...zQ[b...
                                    Icon Hash:07396d6d6c390727
                                    Entrypoint:0x615000
                                    Entrypoint Section:viKy
                                    Digitally signed:true
                                    Imagebase:0x400000
                                    Subsystem:windows cui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x625B517A [Sat Apr 16 23:30:02 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:6
                                    OS Version Minor:0
                                    File Version Major:6
                                    File Version Minor:0
                                    Subsystem Version Major:6
                                    Subsystem Version Minor:0
                                    Import Hash:68a9454cff55284fc76cf3593a1922ba
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x215006 | 0xf2 | viKy
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b9000 | 0x5bed1 | fwu
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x215800 | 0x1468 | viKy
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
EaHF | 0x1000 | 0x2cd70 | 0x2ce00 | dfc177b0b81a64ecc183a5cd87ceb492 | False | 0.6306363161559888 | data | 7.03133579730527 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pIuGK | 0x2e000 | 0x96ca | 0x9800 | f0b7b988ab1bb8ab677ed2cc5dae0f72 | False | 0.3465768914473684 | data | 4.34746372850297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ymZHo | 0x38000 | 0x17e640 | 0x17de00 | c969ef6557c62c8c07c440ae526eed96 | False | 0.99568714198036 | data | 7.9992853495413385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
OkG | 0x1b7000 | 0x1fcc | 0x2000 | b11077b5f0b06c0928aacf469cecc9ba | False | 0.7183837890625 | data | 6.440246800218606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
fwu | 0x1b9000 | 0x5bed1 | 0x5c000 | 427530f64ddcc4ddd7e29d2977434d96 | False | 0.1388284434442935 | data | 4.536376856605245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
viKy | 0x215000 | 0x3000 | 0x3000 | 4e0443f55a742733e3be3c06946c5253 | False | 0.7041829427083334 | data | 7.075532543911929 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1b93a0 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | | | 0.09595156374826168
RT_ICON | 0x1fb3c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.17913758428960133
RT_ICON | 0x20bbf0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.28696268304204064
RT_ICON | 0x20fe18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3783195020746888
RT_ICON | 0x2123c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.4371482176360225
RT_ICON | 0x213468 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.5618852459016394
RT_ICON | 0x213df0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.6826241134751773
RT_DIALOG | 0x214258 | 0x218 | data | | | 0.5783582089552238
RT_DIALOG | 0x214470 | 0xa0 | data | | | 0.7625
RT_STRING | 0x214510 | 0xb0 | data | | | 0.6363636363636364
RT_STRING | 0x2145c0 | 0x1d4 | data | | | 0.5683760683760684
RT_STRING | 0x214794 | 0x1b8 | data | | | 0.5818181818181818
RT_STRING | 0x21494c | 0x40 | AmigaOS bitmap font "n", 18688 elements, 2nd, 3rd | | | 0.609375
RT_GROUP_ICON | 0x21498c | 0x68 | data | | | 0.7403846153846154
RT_VERSION | 0x2149f4 | 0x360 | data | English | United States | 0.4930555555555556
RT_MANIFEST | 0x214d54 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.5931758530183727
DLL | Import
KERNEL32.dll | GetProcAddress, LoadLibraryA, VirtualAlloc, VirtualFree, VirtualProtect, GetVersionExA, GetModuleHandleA, GetCommandLineA, GetStartupInfoA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T23:55:49.455076+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49708 | 443 | 192.168.2.8 | 149.154.167.99
2024-07-25T23:55:30.608049+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49707 | 20.114.59.183 | 192.168.2.8
2024-07-25T23:55:50.393757+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49709 | 443 | 192.168.2.8 | 149.28.78.238
2024-07-25T23:54:52.856419+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 20.114.59.183 | 192.168.2.8
                                        Jul 25, 2024 23:55:51.172959089 CEST49710443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:51.173445940 CEST49710443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:51.173455954 CEST44349710149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:51.173609972 CEST49710443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:51.173624039 CEST44349710149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:51.432790995 CEST44349710149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:51.432876110 CEST44349710149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:51.432924986 CEST44349710149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:51.433023930 CEST44349710149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:51.433062077 CEST49710443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:51.433082104 CEST49710443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:51.433521032 CEST49710443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:51.433540106 CEST44349710149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:51.440213919 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:51.440258026 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:51.440330029 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:51.440601110 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:51.440613031 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.042088032 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.042320013 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:52.042774916 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:52.042783976 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.042968035 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:52.042974949 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.278038979 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.278105974 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.278110981 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:52.278136969 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.278150082 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:52.278181076 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:52.278187037 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.278239012 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:52.278244019 CEST44349711149.28.78.238192.168.2.8
                                        Jul 25, 2024 23:55:52.278286934 CEST49711443192.168.2.8149.28.78.238
                                        Jul 25, 2024 23:55:52.390808105 CEST49712443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:52.390911102 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:52.391055107 CEST49712443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:52.391298056 CEST49712443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:52.391334057 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:53.043673038 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:53.043838978 CEST49712443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:53.044663906 CEST49712443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:53.044675112 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:53.044858932 CEST49712443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:53.044863939 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:53.320282936 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:53.320306063 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:53.320339918 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:53.320367098 CEST44349712149.154.167.99192.168.2.8
                                        Jul 25, 2024 23:55:53.320517063 CEST49712443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:53.320985079 CEST49712443192.168.2.8149.154.167.99
                                        Jul 25, 2024 23:55:53.321002007 CEST44349712149.154.167.99192.168.2.8
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Jul 25, 2024 23:55:48.496279001 CEST | 57790 | 53 | 192.168.2.8 | 1.1.1.1
                                         Jul 25, 2024 23:55:48.503907919 CEST | 53 | 57790 | 1.1.1.1 | 192.168.2.8
                                         Jul 25, 2024 23:55:49.482965946 CEST | 62558 | 53 | 192.168.2.8 | 1.1.1.1
                                         Jul 25, 2024 23:55:49.491322994 CEST | 53 | 62558 | 1.1.1.1 | 192.168.2.8
                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                         Jul 25, 2024 23:55:48.496279001 CEST | 192.168.2.8 | 1.1.1.1 | 0xa534 | Standard query (0) | t.me | A (IP address) | IN (0x0001) | false
                                         Jul 25, 2024 23:55:49.482965946 CEST | 192.168.2.8 | 1.1.1.1 | 0x3b06 | Standard query (0) | noc.social | A (IP address) | IN (0x0001) | false
                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                         Jul 25, 2024 23:55:48.503907919 CEST | 1.1.1.1 | 192.168.2.8 | 0xa534 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001) | false
                                         Jul 25, 2024 23:55:49.491322994 CEST | 1.1.1.1 | 192.168.2.8 | 0x3b06 | No error (0) | noc.social | | 149.28.78.238 | A (IP address) | IN (0x0001) | false
                                        • t.me
                                        • noc.social
                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         0 | 192.168.2.8 | 49708 | 149.154.167.99 | 443 | 6128 | C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         2024-07-25 21:55:49 UTC | 40 | OUT | GET /hi20220412 HTTP/1.1
                                        Host: t.me
                                         2024-07-25 21:55:49 UTC | 511 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.18.0
                                        Date: Thu, 25 Jul 2024 21:55:49 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Content-Length: 9589
                                        Connection: close
                                        Set-Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645; expires=Fri, 26 Jul 2024 21:55:49 GMT; path=/; samesite=None; secure; HttpOnly
                                        Pragma: no-cache
                                        Cache-control: no-store
                                        X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                        Content-Security-Policy: frame-ancestors https://web.telegram.org
                                        Strict-Transport-Security: max-age=35768000
                                         2024-07-25 21:55:49 UTC | 9589 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 68 69 32 30 32 32 30 34 31 32 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61
                                        Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @hi20220412</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pa


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         1 | 192.168.2.8 | 49709 | 149.28.78.238 | 443 | 6128 | C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         2024-07-25 21:55:50 UTC | 43 | OUT | GET /@samal6 HTTP/1.1
                                        Host: noc.social
                                         2024-07-25 21:55:50 UTC | 1495 | IN | HTTP/1.1 410 Gone
                                        Date: Thu, 25 Jul 2024 21:55:50 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Server: Mastodon
                                        X-Frame-Options: DENY
                                        X-Content-Type-Options: nosniff
                                        X-XSS-Protection: 0
                                        Permissions-Policy: interest-cohort=()
                                        Referrer-Policy: same-origin
                                        Cache-Control: max-age=180, public
                                        Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://noc.social; img-src 'self' https: data: blob: https://noc.social; style-src 'self' https://noc.social 'nonce-YW8XALMQnpBEzh7noRZHzA=='; media-src 'self' https: data: https://noc.social; frame-src 'self' https:; manifest-src 'self' https://noc.social; form-action 'self'; connect-src 'self' data: blob: https://noc.social https://noc.social wss://noc.social; script-src 'self' https://noc.social 'wasm-unsafe-eval'; child-src 'self' blob: https://noc.social; worker-src 'self' blob: https://noc.social
                                        Set-Cookie: _mastodon_session=Qw9lJgCboiJD0%2F4%2BxCsP5G1hmJ17zNJU%2BEH7UaO0nSkWqV%2FG0pT%2BGz1pz%2Fy%2Fq%2F5pMPiAaFMnF7G58wt5rs%2Fnm%2Bpt%2FjwUstdfT1d7dVdA9YqBys4at5USOqOymXdXQB2mSR%2BJlot5wzs36BbHiNCS7ul%2B2mCL1SEmrhCTfExt7nSpOHcJtbmwozWalTJkQXPaYyRVyXASltft6%2FnqCPP6nLBw7Ai1IrMBq%2B00rBY%3D--AfxNH5XsTJwnLEC9--TeFYvmJjfvrHNxeyk9%2FUdQ%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                        X-Request-Id: 6079cfd7-3db7-4acf-a14a-ad35310ed792
                                        X-Runtime: 0.011989
                                        Strict-Transport-Security: max-age=63072000; includeSubDomains
                                        Vary: Origin
                                         2024-07-25 21:55:50 UTC | 1214 | IN | Data Raw: 34 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 77 65 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 64 6f 65 73 6e 26 23 33 39 3b 74 20 65 78 69 73 74 20 68 65 72 65 20 61 6e 79 6d 6f 72 65 2e 0a 20 2d 20 4d 61 73 74 6f 64 6f 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69
                                        Data Ascii: 4b2<!DOCTYPE html><html lang='en'><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta charset='utf-8'><title>The page you were looking for doesn&#39;t exist here anymore. - Mastodon</title><meta content='width=device-wi


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         2 | 192.168.2.8 | 49710 | 149.154.167.99 | 443 | 6128 | C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         2024-07-25 21:55:51 UTC | 99 | OUT | GET /hi20220412 HTTP/1.1
                                        Host: t.me
                                        Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645
                                         2024-07-25 21:55:51 UTC | 368 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.18.0
                                        Date: Thu, 25 Jul 2024 21:55:51 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Content-Length: 9589
                                        Connection: close
                                        Pragma: no-cache
                                        Cache-control: no-store
                                        X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                        Content-Security-Policy: frame-ancestors https://web.telegram.org
                                        Strict-Transport-Security: max-age=35768000
                                         2024-07-25 21:55:51 UTC | 9589 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 68 69 32 30 32 32 30 34 31 32 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61
                                        Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @hi20220412</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pa


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         3 | 192.168.2.8 | 49711 | 149.28.78.238 | 443 | 6128 | C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         2024-07-25 21:55:52 UTC | 385 | OUT | GET /@samal6 HTTP/1.1
                                        Host: noc.social
                                        Cookie: _mastodon_session=Qw9lJgCboiJD0%2F4%2BxCsP5G1hmJ17zNJU%2BEH7UaO0nSkWqV%2FG0pT%2BGz1pz%2Fy%2Fq%2F5pMPiAaFMnF7G58wt5rs%2Fnm%2Bpt%2FjwUstdfT1d7dVdA9YqBys4at5USOqOymXdXQB2mSR%2BJlot5wzs36BbHiNCS7ul%2B2mCL1SEmrhCTfExt7nSpOHcJtbmwozWalTJkQXPaYyRVyXASltft6%2FnqCPP6nLBw7Ai1IrMBq%2B00rBY%3D--AfxNH5XsTJwnLEC9--TeFYvmJjfvrHNxeyk9%2FUdQ%3D%3D
                                         2024-07-25 21:55:52 UTC | 1481 | IN | HTTP/1.1 410 Gone
                                        Date: Thu, 25 Jul 2024 21:55:52 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Server: Mastodon
                                        X-Frame-Options: DENY
                                        X-Content-Type-Options: nosniff
                                        X-XSS-Protection: 0
                                        Permissions-Policy: interest-cohort=()
                                        Referrer-Policy: same-origin
                                        Cache-Control: max-age=180, public
                                        Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://noc.social; img-src 'self' https: data: blob: https://noc.social; style-src 'self' https://noc.social 'nonce-ykrMOmOrMpy3lh5Qd7CwiA=='; media-src 'self' https: data: https://noc.social; frame-src 'self' https:; manifest-src 'self' https://noc.social; form-action 'self'; connect-src 'self' data: blob: https://noc.social https://noc.social wss://noc.social; script-src 'self' https://noc.social 'wasm-unsafe-eval'; child-src 'self' blob: https://noc.social; worker-src 'self' blob: https://noc.social
                                        Set-Cookie: _mastodon_session=WuXi5Ic6b2gt6%2BzHU6wuXdUTYHAQJyJiICscb20kYy524xxjtj%2FJ9f7LOWHsChHM28TaqYcD%2FfktEM1nTeWPqT7DyE4ntZPxdphln8kptezxrRC1%2FqPjVUxY5bMrt6Yn2n%2BMjO4xD9XzC%2BJQLy5rVIoSUGt5UPV0Sn%2Fvo1j8Nic95jHy01AQ0RBqyLk1Rxkau5pz162WMqk%2BMBCyYxExvxJ3eboV%2BI3LK3dM64Y%3D--2iwqfT7C64pGtEro--kvn6e35WUWvFXEahfO9f9w%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                        X-Request-Id: e58d212e-efec-4f98-baec-3a2dfc2080ef
                                        X-Runtime: 0.010679
                                        Strict-Transport-Security: max-age=63072000; includeSubDomains
                                        Vary: Origin
                                         2024-07-25 21:55:52 UTC | 1214 | IN | Data Raw: 34 62 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 27 65 6e 27 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 27 75 74 66 2d 38 27 3e 0a 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 77 65 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 64 6f 65 73 6e 26 23 33 39 3b 74 20 65 78 69 73 74 20 68 65 72 65 20 61 6e 79 6d 6f 72 65 2e 0a 20 2d 20 4d 61 73 74 6f 64 6f 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69
                                        Data Ascii: 4b2<!DOCTYPE html><html lang='en'><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta charset='utf-8'><title>The page you were looking for doesn&#39;t exist here anymore. - Mastodon</title><meta content='width=device-wi


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         4 | 192.168.2.8 | 49712 | 149.154.167.99 | 443 | 6128 | C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         2024-07-25 21:55:53 UTC | 99 | OUT | GET /hi20220412 HTTP/1.1
                                        Host: t.me
                                        Cookie: stel_ssid=acd77626c02b155c6d_14393434764031872645
                                         2024-07-25 21:55:53 UTC | 368 | IN | HTTP/1.1 200 OK
                                        Server: nginx/1.18.0
                                        Date: Thu, 25 Jul 2024 21:55:53 GMT
                                        Content-Type: text/html; charset=utf-8
                                        Content-Length: 9588
                                        Connection: close
                                        Pragma: no-cache
                                        Cache-control: no-store
                                        X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                        Content-Security-Policy: frame-ancestors https://web.telegram.org
                                        Strict-Transport-Security: max-age=35768000
                                         2024-07-25 21:55:53 UTC | 9588 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 68 69 32 30 32 32 30 34 31 32 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61
                                        Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @hi20220412</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.pa


                                        Target ID:0
                                        Start time:17:54:33
                                        Start date:25/07/2024
                                        Path:C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
                                        Imagebase:0x550000
                                        File size:2'190'481 bytes
                                        MD5 hash:FEC47A3EE92A38794A904285CB01529B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: MALWARE_Win_Vidar, Description: Detects Vidar / ArkeiStealer, Source: 00000000.00000003.1904476430.0000000011B40000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: MALWARE_Win_Vidar, Description: Detects Vidar / ArkeiStealer, Source: 00000000.00000003.1904629214.0000000011930000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:17:54:33
                                        Start date:25/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6ee680000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:17:55:21
                                        Start date:25/07/2024
                                        Path:C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
                                        Imagebase:0x550000
                                        File size:2'190'481 bytes
                                        MD5 hash:FEC47A3EE92A38794A904285CB01529B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:10
                                        Start time:17:55:24
                                        Start date:25/07/2024
                                        Path:C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_138.exe"
                                        Imagebase:0x550000
                                        File size:2'190'481 bytes
                                        MD5 hash:FEC47A3EE92A38794A904285CB01529B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2641697890.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: MALWARE_Win_Vidar, Description: Detects Vidar / ArkeiStealer, Source: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:4.8%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:4.3%
                                          Total number of Nodes:865
                                          Total number of Limit Nodes:21

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00551860: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0055186A
                                            • Part of subcall function 00569CE0: std::bad_function_call::bad_function_call.LIBCPMTD ref: 00569D54
                                            • Part of subcall function 00569F90: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 00569FD9
                                            • Part of subcall function 00567D50: _Ptr_base.LIBCMTD ref: 00567D5A
                                            • Part of subcall function 0056A040: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 0056A0B3
                                          • _Smanip.LIBCPMTD ref: 0055B296
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0055B3C2
                                            • Part of subcall function 0056A4D0: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 0056A543
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Topology$Concurrency::details::Core::GlobalObjectObject::$AllocIterator_baseIterator_base::_Ptr_baseSmanipVirtualstd::_std::bad_function_call::bad_function_call
                                          • String ID: syjf
                                          • API String ID: 96916843-942523633
                                          • Opcode ID: e30d022f0e75473873f5213944dd42b63f4eb0fb8d8544941a82ee064950718d
                                          • Instruction ID: 39e130106dce9e5927d71eebcad65819d2e7d1b79533023685b6ebdad61742f9
                                          • Opcode Fuzzy Hash: e30d022f0e75473873f5213944dd42b63f4eb0fb8d8544941a82ee064950718d
                                          • Instruction Fuzzy Hash: E7D18470D14209DBDB15EBB4C869BEEBFB4BF94304F1045AAE006A7192EF345A48CB91

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00551860: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0055186A
                                            • Part of subcall function 00569CE0: std::bad_function_call::bad_function_call.LIBCPMTD ref: 00569D54
                                            • Part of subcall function 00569F90: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 00569FD9
                                            • Part of subcall function 00567D50: _Ptr_base.LIBCMTD ref: 00567D5A
                                            • Part of subcall function 0056A040: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 0056A0B3
                                          • _Smanip.LIBCPMTD ref: 0055B296
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,?,00000000,00000000), ref: 0055B3C2
                                            • Part of subcall function 0056A4D0: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 0056A543
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Topology$Concurrency::details::Core::GlobalObjectObject::$AllocIterator_baseIterator_base::_Ptr_baseSmanipVirtualstd::_std::bad_function_call::bad_function_call
                                          • String ID: syjf
                                          • API String ID: 96916843-942523633
                                          • Opcode ID: a72c3720bc419cf26c379228dfa5a963e7fc94408a273215a7d0a2af77409d4c
                                          • Instruction ID: 28decc6b291ff2f350ee067b20fdbeba4b141f3cb22107b9e02ea3607c7ce7a8
                                          • Opcode Fuzzy Hash: a72c3720bc419cf26c379228dfa5a963e7fc94408a273215a7d0a2af77409d4c
                                          • Instruction Fuzzy Hash: 1ED16370914249DEDB15EBB0C86ABEEBFB4BF94304F1045A9E406A7192EF345B48CF91

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: syjf
                                          • API String ID: 0-942523633
                                          • Opcode ID: dec9652f8472732e7912a5cb5b33d6f67795f3b519d10783e304ef627572ee4f
                                          • Instruction ID: 99ffa85c7b9c8cf1f8dc5d2f42c093f90b4332aabd33ab28a54d6e567bdfc123
                                          • Opcode Fuzzy Hash: dec9652f8472732e7912a5cb5b33d6f67795f3b519d10783e304ef627572ee4f
                                          • Instruction Fuzzy Hash: 9AD18570D14249CADB15EBB0C869BEEBFB4BF94304F1045AAE406A7192EF345A48CF91

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,030E79E7,?,?,?,?,?,030ED281), ref: 030E7951
                                          • TerminateProcess.KERNEL32(00000000,?,030E79E7,?,?,?,?,?,030ED281), ref: 030E7958
                                          • ExitProcess.KERNEL32 ref: 030E796A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: 9482fcdf41a3c292b5405ba80f9bd0e7e8e6d1b5e5b1d187b47e79e8f84d67c8
                                          • Instruction ID: ed084c696773a3fd1b8e79a141cd0d96a88a4a2fa6a4d419d51eb28d742c7d5b
                                          • Opcode Fuzzy Hash: 9482fcdf41a3c292b5405ba80f9bd0e7e8e6d1b5e5b1d187b47e79e8f84d67c8
                                          • Instruction Fuzzy Hash: 4FE0EC3125220DAFCF22BF64D9089993FA9FF44B51F144428F9098A525CB3BDD82CBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910606723.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_13a0000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3bc7d5dd0389f5a6f28defbe57c44fdefa06002c777c67ae431665cab42afbbf
                                          • Instruction ID: d4aa01be55913e0cc6ae3710e520beda96fea7fc382c9ab0f2e4ecbe309d368e
                                          • Opcode Fuzzy Hash: 3bc7d5dd0389f5a6f28defbe57c44fdefa06002c777c67ae431665cab42afbbf
                                          • Instruction Fuzzy Hash: 2731597351420E9BCB2E5A3CC9152E37B45EBA532CFC98204F649678D3E37598448B82

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00551860: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0055186A
                                          • _Smanip.LIBCPMTD ref: 00553557
                                          • _Smanip.LIBCPMTD ref: 0055358C
                                            • Part of subcall function 00568DE0: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 00568E62
                                            • Part of subcall function 00567D50: _Ptr_base.LIBCMTD ref: 00567D5A
                                          • _Smanip.LIBCPMTD ref: 0055368C
                                          • _Smanip.LIBCPMTD ref: 005536C1
                                            • Part of subcall function 00568FF0: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 00569072
                                          • _Smanip.LIBCPMTD ref: 005537EE
                                          • _Smanip.LIBCPMTD ref: 0055380B
                                          • _Smanip.LIBCPMTD ref: 0055382B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Smanip$Topology$Concurrency::details::Core::GlobalObjectObject::$Iterator_baseIterator_base::_Ptr_basestd::_
                                          • String ID:
                                          • API String ID: 1410536233-0
                                          • Opcode ID: e2de6a112f831d96f06e23df83cf76e27bb956f3f22426dc12157899c1e86d6b
                                          • Instruction ID: 6fc0c7e0de5a5b15d230a123a02dfb0bee3f954dd0aedf63b6aa18169351cb44
                                          • Opcode Fuzzy Hash: e2de6a112f831d96f06e23df83cf76e27bb956f3f22426dc12157899c1e86d6b
                                          • Instruction Fuzzy Hash: 37D100719111199FCB15DB54CDA9FDEBBB4BF98300F1082DAA50A97161EB309F89CF90

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00551860: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0055186A
                                          • _Smanip.LIBCPMTD ref: 00553557
                                          • _Smanip.LIBCPMTD ref: 0055358C
                                            • Part of subcall function 00568DE0: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 00568E62
                                            • Part of subcall function 00567D50: _Ptr_base.LIBCMTD ref: 00567D5A
                                          • _Smanip.LIBCPMTD ref: 0055368C
                                          • _Smanip.LIBCPMTD ref: 005536C1
                                            • Part of subcall function 00568FF0: Concurrency::details::GlobalCore::TopologyObject::TopologyObject.LIBCMTD ref: 00569072
                                          • _Smanip.LIBCPMTD ref: 005537EE
                                          • _Smanip.LIBCPMTD ref: 0055380B
                                          • _Smanip.LIBCPMTD ref: 0055382B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Smanip$Topology$Concurrency::details::Core::GlobalObjectObject::$Iterator_baseIterator_base::_Ptr_basestd::_
                                          • String ID:
                                          • API String ID: 1410536233-0
                                          • Opcode ID: f704fcea967d861ab84eb8cd6f55ada59a03c82615fe2fec26517c5376f94d46
                                          • Instruction ID: 9ff6820bf6e9bdf2f30ee4d766de135206c5e1b9bc1a3dd63c36db7f8714c439
                                          • Opcode Fuzzy Hash: f704fcea967d861ab84eb8cd6f55ada59a03c82615fe2fec26517c5376f94d46
                                          • Instruction Fuzzy Hash: DBD12071811119DFCB15DB54CDA9BDEBBB4BF94300F1082DAA50A97161EB309F89CF90

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Smanip
                                          • String ID:
                                          • API String ID: 2140389272-0
                                          • Opcode ID: e7c7c9b29b370640bae5d93d708ad8e8d9fe4a7edb44a0afd9985e21bbfd1e92
                                          • Instruction ID: f8e5dd6d40e0c7928a9f4ef472ccce5af0a46f1b999562c265c849e4d493a59e
                                          • Opcode Fuzzy Hash: e7c7c9b29b370640bae5d93d708ad8e8d9fe4a7edb44a0afd9985e21bbfd1e92
                                          • Instruction Fuzzy Hash: 8BA16171814149DFCB09DFA4C865AEEBFB4FF58300F14855EE4169B292EB309A49CF91

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00551860: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0055186A
                                          • _Smanip.LIBCPMTD ref: 00556592
                                          • _Smanip.LIBCPMTD ref: 005565A9
                                          • _Smanip.LIBCPMTD ref: 005565C3
                                            • Part of subcall function 00567D50: _Ptr_base.LIBCMTD ref: 00567D5A
                                          • _Smanip.LIBCPMTD ref: 00556682
                                          • _Smanip.LIBCPMTD ref: 0055669C
                                          • _Smanip.LIBCPMTD ref: 005566B6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Smanip$Iterator_baseIterator_base::_Ptr_basestd::_
                                          • String ID:
                                          • API String ID: 598482983-0
                                          • Opcode ID: 39acb8f65fcb2c7904ca3457f093e010dcabf38b8e160cc8524c8a17514be8b9
                                          • Instruction ID: b34b9a1ba93abd6e6cf2a89fcf4dd057d044c7fc78dc0576fa2a7541bc10d7c7
                                          • Opcode Fuzzy Hash: 39acb8f65fcb2c7904ca3457f093e010dcabf38b8e160cc8524c8a17514be8b9
                                          • Instruction Fuzzy Hash: FD812E71910149DFCB04DF94C8A5EEEBFB4BF98300F14855EE506AB291EB306A49CF91

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00551860: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0055186A
                                          • _Smanip.LIBCPMTD ref: 00556592
                                          • _Smanip.LIBCPMTD ref: 005565A9
                                          • _Smanip.LIBCPMTD ref: 005565C3
                                            • Part of subcall function 00567D50: _Ptr_base.LIBCMTD ref: 00567D5A
                                          • _Smanip.LIBCPMTD ref: 00556682
                                          • _Smanip.LIBCPMTD ref: 0055669C
                                          • _Smanip.LIBCPMTD ref: 005566B6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Smanip$Iterator_baseIterator_base::_Ptr_basestd::_
                                          • String ID:
                                          • API String ID: 598482983-0
                                          • Opcode ID: 57b3877f7875aeab020a7b1aac86aa6543c478b2de09ec1077c9ad855526f00f
                                          • Instruction ID: 69e3775035e5d0c05e34fa75d6e2badd15b8de78d357962935256ced961947a8
                                          • Opcode Fuzzy Hash: 57b3877f7875aeab020a7b1aac86aa6543c478b2de09ec1077c9ad855526f00f
                                          • Instruction Fuzzy Hash: 50811B71D10149DFCB04DF94C8A5EEEBFB4BF98300F14855AE506AB291EB30AA49CF91

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00551860: std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0055186A
                                          • _Smanip.LIBCPMTD ref: 00556592
                                          • _Smanip.LIBCPMTD ref: 005565A9
                                          • _Smanip.LIBCPMTD ref: 005565C3
                                            • Part of subcall function 00567D50: _Ptr_base.LIBCMTD ref: 00567D5A
                                          • _Smanip.LIBCPMTD ref: 00556682
                                          • _Smanip.LIBCPMTD ref: 0055669C
                                          • _Smanip.LIBCPMTD ref: 005566B6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Smanip$Iterator_baseIterator_base::_Ptr_basestd::_
                                          • String ID:
                                          • API String ID: 598482983-0
                                          • Opcode ID: e2a1230bd77709842e7560afd28eb0dac2faf64451f83e8fa4a47b7a0451b5e3
                                          • Instruction ID: a35039e4b2ca10f6601cb60c6e04a18b2d69da1916481f24fa0d4ee8fc7eee1d
                                          • Opcode Fuzzy Hash: e2a1230bd77709842e7560afd28eb0dac2faf64451f83e8fa4a47b7a0451b5e3
                                          • Instruction Fuzzy Hash: C8811C71910149DFCB04DF94C8A5EEEBFB4BF98304F04855EE506AB291EB30AA49CF91

                                          Control-flow Graph

                                          APIs
                                          • GetConsoleWindow.KERNELBASE(00000000), ref: 00559F27
                                          • ShowWindow.USER32(00000000), ref: 00559F2E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Window$ConsoleShow
                                          • String ID:
                                          • API String ID: 3999960783-0
                                          • Opcode ID: 2a8fcf61d388319f22123a380a84e01c0999c8793bf82cc1a97ad2e280bda2ba
                                          • Instruction ID: dd0713ea75bb03b4b0797fae40824a8e99e13c3ceaf590242ade2dd7dced082c
                                          • Opcode Fuzzy Hash: 2a8fcf61d388319f22123a380a84e01c0999c8793bf82cc1a97ad2e280bda2ba
                                          • Instruction Fuzzy Hash: 4CF02B6050C561CBC71542969D3B3B03E96BB28313F340D9BDD0BEA106D41D9A0FB343

                                          Control-flow Graph
                                          control_flow_graph 916 570060-570078 917 5700a7-5700c9 KiUserExceptionDispatcher 916->917 918 57007a-57007d 916->918 919 57007f-57009b 918->919 920 57009d-5700a0 918->920 919->917 919->920 920->917 921 5700a2 920->921 921->917
                                          APIs
                                          • KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,0055135C,?,?,?,?,0055135C,?,00586E14), ref: 005700C0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
• Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: DispatcherExceptionUser
                                          • String ID:
                                          • API String ID: 6842923-0
                                          • Opcode ID: 10b5e33144e482adaa3d341168472db627f6a5f4e4e8114e61e6d77ee2bf8c7d
                                          • Instruction ID: eba09c7bc6e48054f66430ec2829239a86aef16e1917ba12f15caebf53cca6b2
                                          • Opcode Fuzzy Hash: 10b5e33144e482adaa3d341168472db627f6a5f4e4e8114e61e6d77ee2bf8c7d
                                          • Instruction Fuzzy Hash: 2F018F75900218EBDB01DF58E888B9EBFF8FF48714F55809AE949AB390D770AD01DB90

                                          Control-flow Graph
                                          control_flow_graph 924 573c8c-573c97 925 573ca5-573cab 924->925 926 573c99-573ca3 924->926 928 573cc4-573cd5 RtlAllocateHeap 925->928 929 573cad-573cae 925->929 926->925 927 573cd9-573ce4 call 573c79 926->927 935 573ce6-573ce8 927->935 931 573cd7 928->931 932 573cb0-573cb7 call 572e11 928->932 929->928 931->935 932->927 937 573cb9-573cc2 call 5720dc 932->937 937->927 937->928
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00573CCD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
• Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 2c3e92a87aa63c217768b676d22b5ff9ab35c5c297b502b8399ecb3de58e646f
                                          • Instruction ID: 12fbf9428a9ebd7bb25449540e67f7277ed84acb658d46b671e36c33cf747439
                                          • Opcode Fuzzy Hash: 2c3e92a87aa63c217768b676d22b5ff9ab35c5c297b502b8399ecb3de58e646f
                                          • Instruction Fuzzy Hash: 24F0B435614132AAEB231B22BC0AB5A7F4CBF80770F14C161BC0DBA190DA21DE10B6E0

                                          Control-flow Graph
                                          control_flow_graph 940 572165-573bbe 942 573bf0-573bfb call 573c79 940->942 943 573bc0-573bc2 940->943 951 573bfd-573bff 942->951 944 573bc4-573bc5 943->944 945 573bdb-573bec RtlAllocateHeap 943->945 944->945 947 573bc7-573bce call 572e11 945->947 948 573bee 945->948 947->942 953 573bd0-573bd9 call 5720dc 947->953 948->951 953->942 953->945
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00573BE4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
• Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: f5f32f5cb9dd7b309eb1a3c76f450228f370899032dd5b8966f5e843a67cc9d3
                                          • Instruction ID: 4db7d52a671d83bd0e37a80ea11e665978e1c0c4f98cca488744d23710ad6d3a
                                          • Opcode Fuzzy Hash: f5f32f5cb9dd7b309eb1a3c76f450228f370899032dd5b8966f5e843a67cc9d3
                                          • Instruction Fuzzy Hash: FCF0A731240227A6D72127667C1AB6B3E4CBB813B0F15C161EC0D961A0DF60DE51B1E5

                                          Control-flow Graph
                                          control_flow_graph 956 572e4d-572e60 call 573ce9 958 572e65-572e67 956->958
                                          APIs
                                          • _free.LIBCMT ref: 00572E60
                                            • Part of subcall function 00573CE9: RtlFreeHeap.NTDLL(00000000,00000000,?,00575B01,?,00000000,?,?,?,00575B28,?,00000007,?,?,00575F4E,?), ref: 00573CFF
                                            • Part of subcall function 00573CE9: GetLastError.KERNEL32(?,?,00575B01,?,00000000,?,?,?,00575B28,?,00000007,?,?,00575F4E,?,?), ref: 00573D11
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
• Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ErrorFreeHeapLast_free
                                          • String ID:
                                          • API String ID: 1353095263-0
                                          • Opcode ID: b763729fa36af64313081d04a502a034d2a7768466935b6725563d1ea8cfaf65
                                          • Instruction ID: ece8a6aad2d785c8ce5d362b6d9f4798fb1a706d51f4226bcee8e1c0c479546a
                                          • Opcode Fuzzy Hash: b763729fa36af64313081d04a502a034d2a7768466935b6725563d1ea8cfaf65
                                          • Instruction Fuzzy Hash: 4DC04C71550208FBDB059B45E91BA4E7FA9EB80364F204094F41567251DAB6EF44A690
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 013A0B5E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910606723.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_13a0000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 033b1f054502915a117c135b614654b7d3ef1bc40929a2721a5874fbf4aeb631
                                          • Instruction ID: 0f922ee5154203644f109e06f487774c1a16ada3fccda05d11c8a879041f776a
                                          • Opcode Fuzzy Hash: 033b1f054502915a117c135b614654b7d3ef1bc40929a2721a5874fbf4aeb631
                                          • Instruction Fuzzy Hash: 41B01214040208A28E0F2E08954A4DC395BC8046CCF400010B580009064238900086A6
                                          APIs
                                          • Sleep.KERNELBASE(00000000), ref: 00558B20
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
• Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 4509ba07501e9242907fc174b2739505791dae46ddafa79490fd23ac8f527841
                                          • Instruction ID: 36525b26cb618dd7b3e1251ba3d75a1efa855c70e51f02ed4f53f6fc96532e5d
                                          • Opcode Fuzzy Hash: 4509ba07501e9242907fc174b2739505791dae46ddafa79490fd23ac8f527841
                                          • Instruction Fuzzy Hash: 1A01FB34A00109DFC744EFE4C59586DFBB5FF89300B208699E80997355DA35EE41DB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 90Ap$90Ap$aLq$aLq
                                          • API String ID: 0-1201183554
                                          • Opcode ID: 616dd191a07b05f95599c9616b4e7f1deb7ddc27d387a1f3ed80e6e8372949c2
                                          • Instruction ID: 855ecdb403dae1b7a8f5b01ea61e0184220c74cae490d583763bdf34fe8a0640
                                          • Opcode Fuzzy Hash: 616dd191a07b05f95599c9616b4e7f1deb7ddc27d387a1f3ed80e6e8372949c2
                                          • Instruction Fuzzy Hash: 1B124572B251418FCB08CF7CC5A53EE7BE2AB493A1F14C51DD952EB394C63A8949CB24
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: s#iT$zAYZ$]aP$]aP
                                          • API String ID: 0-2356027505
                                          • Opcode ID: 2d593654fde188229a3992751e60341040deb8af3de9fea732133f4a5102d248
                                          • Instruction ID: 3369ac4b0e740d0acd5a935ff94ca4ac54a892f514a4f2272650771a4588a138
                                          • Opcode Fuzzy Hash: 2d593654fde188229a3992751e60341040deb8af3de9fea732133f4a5102d248
                                          • Instruction Fuzzy Hash: 25125772A212418FDB08CF7CDAD53ED7BF2AB89350F14892CD41AE7395D6369D098B10
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID: &\L|$&\L|$/=KQ
                                          • API String ID: 1452528299-329327896
                                          • Opcode ID: 050a31f2b9198a09dc6456469a1a6aa35ebeb44e7b701ebc1d0706d27d18fb0f
                                          • Instruction ID: 06237820238b52e7b3678ec26603eebd5327e06ca955c501d8d7f6e3a3fa7a01
                                          • Opcode Fuzzy Hash: 050a31f2b9198a09dc6456469a1a6aa35ebeb44e7b701ebc1d0706d27d18fb0f
                                          • Instruction Fuzzy Hash: 38124676B111828FCB08CF7CD4953EE7BE3AB49361F14851DD812E7394D22B9909CB25
                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 030E6CD8
                                          • IsDebuggerPresent.KERNEL32 ref: 030E6DA4
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 030E6DC4
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 030E6DCE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                          • String ID:
                                          • API String ID: 254469556-0
                                          • Opcode ID: a20bc58d542e52a28336ce6c829fd6f562e83f24917d7b7741af0df611c5cafd
                                          • Instruction ID: 4f6fdf18290354d2cf71ea6937fa3e09957f5d4996bd2ebca09335734451ce46
                                          • Opcode Fuzzy Hash: a20bc58d542e52a28336ce6c829fd6f562e83f24917d7b7741af0df611c5cafd
                                          • Instruction Fuzzy Hash: D5310975E4631C9FDB11EFA4D9497CDBBF8EF04304F10419AE409AB250EB769A858F44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: }Ew.$}Ew.$zRt$zRt
                                          • API String ID: 0-1242651095
                                          • Opcode ID: 83c3a9bf730f2a117cff6d1a79007450bffd7cf33fa9e6c8247692bc94e940e5
                                          • Instruction ID: 0c005089a3ba421b19972fcf4239582f369b4da33acc83718e666fb00428f835
                                          • Opcode Fuzzy Hash: 83c3a9bf730f2a117cff6d1a79007450bffd7cf33fa9e6c8247692bc94e940e5
                                          • Instruction Fuzzy Hash: EEB1D376B052018FCF0CCE7CC5953EE7BF2AB4A364F145629D416EB390D23A9949CB61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: aSD
                                          • API String ID: 0-2188192639
                                          • Opcode ID: 1ec379da90130a250164cc094ba64d211d9d6889570e00461cd9229f04c09ed4
                                          • Instruction ID: 3da78f041a269c553225d2d99f5679b03301321017c69638eb24e07a38d2950c
                                          • Opcode Fuzzy Hash: 1ec379da90130a250164cc094ba64d211d9d6889570e00461cd9229f04c09ed4
                                          • Instruction Fuzzy Hash: D6128C36A152818FDB0CCF7CC9D53EE77E2AB49361F14961DC416EB398C22A8D09CB64
                                          APIs
                                            • Part of subcall function 030EAF16: HeapAlloc.KERNEL32(00000008,?,00000000,?,030E9361,00000001,00000364,00000008,000000FF,?,030EC067,?,00000004,00000000,?,?), ref: 030EAF57
                                          • _free.LIBCMT ref: 030EB9FD
                                          • _free.LIBCMT ref: 030EBA12
                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 030EBAC5
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 030EBB43
                                          • FindClose.KERNEL32(00000000), ref: 030EBB85
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Find$File_free$AllocCloseFirstHeapNext
                                          • String ID:
                                          • API String ID: 1629906186-0
                                          • Opcode ID: f4e4863a028cc72f115b089728ed6196f142d2b96f5ad51df6ec68050bc4e3a7
                                          • Instruction ID: aa7713805dd8fc282ed2dc2416edf49e4c6d6e4fe48dc13250b5fc5dbd6ba918
                                          • Opcode Fuzzy Hash: f4e4863a028cc72f115b089728ed6196f142d2b96f5ad51df6ec68050bc4e3a7
                                          • Instruction Fuzzy Hash: 0F41267670A219AFDB24EF69CC84DBFB7ADEBC4310F0845A9F91597244EA30DD048660
                                          APIs
                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 030EBAC5
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 030EBB43
                                          • FindClose.KERNEL32(00000000), ref: 030EBB85
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Find$File$CloseFirstNext
                                          • String ID:
                                          • API String ID: 3541575487-0
                                          • Opcode ID: b1f884e21ccf61bbf43002fda52493f9f4f290fd37e578d70efc81edc4a4800b
                                          • Instruction ID: 0f636903361028fdd2380846b3a547de0b341200beb629a8afca002bd26dc7d2
                                          • Opcode Fuzzy Hash: b1f884e21ccf61bbf43002fda52493f9f4f290fd37e578d70efc81edc4a4800b
                                          • Instruction Fuzzy Hash: F8419272B06219AFCF24EE65CC88DBBB7FDEBC5210F0845D9E40597148EA709E848B60
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 030EA391
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 030EA39B
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 030EA3A8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 47666071c021d26c87c6d11eb769ec32b3f1fb80370da4b8830a7eb380498611
                                          • Instruction ID: 1e7e335649927e83ce26f30a2cd167c5ae6cfba807dbedfbf0a3cd117a8e5e2b
                                          • Opcode Fuzzy Hash: 47666071c021d26c87c6d11eb769ec32b3f1fb80370da4b8830a7eb380498611
                                          • Instruction Fuzzy Hash: 9231B575A4222C9FCB61DF24D9887CDBBF8AF48310F5042DAE81CA7250E7749B858F54
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00571FB8
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00571FC2
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00571FCF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
• Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: da11c113924c94bd74756af4ed57439fb5d73521fa41c18e43045cbbe14c0de1
                                          • Instruction ID: 67ed33687da96b8e1da4e80cfb92f9b9bfc2b961a4818f1a15f427078322e0a5
                                          • Opcode Fuzzy Hash: da11c113924c94bd74756af4ed57439fb5d73521fa41c18e43045cbbe14c0de1
                                          • Instruction Fuzzy Hash: C731C674901229ABCB21DF68EC8978DBBB8BF58310F5041EAE40CA7251E7709B859F54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: }Q$}Q$-
                                          • API String ID: 0-4037040296
                                          • Opcode ID: 88436b18c21336904218f78e0b1d7eb401e8fdddf081b27d742a70644a506de7
                                          • Instruction ID: 77173c2007ba77b71e8b95c20bcb0298fc1a12db515116a5de083323b61e4547
                                          • Opcode Fuzzy Hash: 88436b18c21336904218f78e0b1d7eb401e8fdddf081b27d742a70644a506de7
                                          • Instruction Fuzzy Hash: 92B1F6B6A053058FDF08CE7CC8953EE7BF2AB5A360F145519D802EB394D73A9909DB21
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39e2fe0dd1ca8e9c5cb1e7322296afff9a04e0e3e5c1f0668d4d51ea9f59128d
                                          • Instruction ID: 92724b548d0d9f6f71048440696a32421f0df107eed8d09fc6819c823e037966
                                          • Opcode Fuzzy Hash: 39e2fe0dd1ca8e9c5cb1e7322296afff9a04e0e3e5c1f0668d4d51ea9f59128d
                                          • Instruction Fuzzy Hash: 02B11676B053458FCF08CEBCC4953EE7BF2AB49720F145619E812EB394D23A9949CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e8acbd7dfc4184fc2cb647bdbc73b01add0f7dedda8bbf457ba9a6e9ebe500f
                                          • Instruction ID: 7c7037edabc9de1c00948d1da3515d24686e2f139210ab4d6270a96a9a65aa85
                                          • Opcode Fuzzy Hash: 7e8acbd7dfc4184fc2cb647bdbc73b01add0f7dedda8bbf457ba9a6e9ebe500f
                                          • Instruction Fuzzy Hash: C5B1F276B063008FCF08DE7CD9D53EE7BF2AB4A320F155619D402EB394D63A99498B25
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c6594b7c84064338e3ed3645bef03979bd6b072932179376e2889166bdecc70
                                          • Instruction ID: a324dd84839d44e82b76adaa0d084687306e646023c704cab1ca1460553df4b1
                                          • Opcode Fuzzy Hash: 1c6594b7c84064338e3ed3645bef03979bd6b072932179376e2889166bdecc70
                                          • Instruction Fuzzy Hash: EBB13576B022098FCB08CE7CD5D53EE7BF2AB5A314F144915D812EB3A5D23B8D498B61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3634cafcb12e0a1252b7e6fc2c93c0b2a47d2deb173fa53fd31ff3f4899b3699
                                          • Instruction ID: 6df5c559ec24400c4f1f9030c80826034932de953c509363194250a0f5ac66ad
                                          • Opcode Fuzzy Hash: 3634cafcb12e0a1252b7e6fc2c93c0b2a47d2deb173fa53fd31ff3f4899b3699
                                          • Instruction Fuzzy Hash: A6A1EE72A053058FCF08DEBCD8856EE7BF2EF49360F149518D406EB394D7269948CB65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14284df101af0bf9cf674ab843c7a450301f83b260a37fa99d4e252b4acd3ed3
                                          • Instruction ID: 8d6f17df6052284f90a81d4922de32c4daec3a611ec0e1c4fae17e11dfc3dfc2
                                          • Opcode Fuzzy Hash: 14284df101af0bf9cf674ab843c7a450301f83b260a37fa99d4e252b4acd3ed3
                                          • Instruction Fuzzy Hash: 4AA10276B012058FCF08CEBCC4817EE7BF2AB8A354F144519E416EB394D77A9948CB65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e001d80ec7da99ee31872052f42ac952452cfa5307fd063d4b9950249b41d364
                                          • Instruction ID: 858732ca2537e84c0720a6764ecac36d45ccbbd75c3cc7afea32542fd6dc1529
                                          • Opcode Fuzzy Hash: e001d80ec7da99ee31872052f42ac952452cfa5307fd063d4b9950249b41d364
                                          • Instruction Fuzzy Hash: 14A10376A113048FEB08CEBCC5D42EEBBF2AB4A310F145618D416EB395D63A9948CB65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2a6323157ade8ed60f6a9099dfb9e73a3c4bedd06264cadd21ad9144d90a3149
                                          • Instruction ID: 4e832815584af30c1b017e842a4512888911bb3810e89eb70cec0d6ca93fd4aa
                                          • Opcode Fuzzy Hash: 2a6323157ade8ed60f6a9099dfb9e73a3c4bedd06264cadd21ad9144d90a3149
                                          • Instruction Fuzzy Hash: 6EA1DC76B01345CFCF08CE7CC5957EEBBF2AB49310F144A19E402EB794D62A9949CB21
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1067cfd025cc67fab0de09bf90983a20090c27c913edfbb545f0570feb4687b6
                                          • Instruction ID: a81da5e02d2f4da939aa4771868890711205bc4b8f0e8f6ce2c54b7b23d10496
                                          • Opcode Fuzzy Hash: 1067cfd025cc67fab0de09bf90983a20090c27c913edfbb545f0570feb4687b6
                                          • Instruction Fuzzy Hash: D7A1F776A063068FCB08CE7CD9C16DE7BF2AF4A360F149515E806EB394D3369949CB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49cc6be11e197802b48cbe3eb553099a27dae8703bbf867b315b7c38d779bbb0
                                          • Instruction ID: 067efb57b565b4a37886c320a69836031bfa5e20910c522fd98061d95741f5c6
                                          • Opcode Fuzzy Hash: 49cc6be11e197802b48cbe3eb553099a27dae8703bbf867b315b7c38d779bbb0
                                          • Instruction Fuzzy Hash: 80A116B6A053058FDB08CE7CD8957ED7BF2EB4D360F089519E402EB394D2369945CB26
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bc7faba44b3a673f9b9e09ff20a488a6e65538d79981d3f39ed04ad60cc4c224
                                          • Instruction ID: 3ac4ae65f3348b7f15e4c42dd063878d8c08a8a5cfeeac375fafd343fdcab27d
                                          • Opcode Fuzzy Hash: bc7faba44b3a673f9b9e09ff20a488a6e65538d79981d3f39ed04ad60cc4c224
                                          • Instruction Fuzzy Hash: 33A1FF76B053058FDB08CEBCD8857EEBBF2AB8A314F18551AD406E7354D33A9949CB21
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e3ec784e1fbfb8a9ed8da615aa6fdfc00822bc368971b62b2d3a624169ec636f
                                          • Instruction ID: eceeac85f3e1ecf66b29004fe7a8c48b89323c887ada2f8d3af42b9c8523550e
                                          • Opcode Fuzzy Hash: e3ec784e1fbfb8a9ed8da615aa6fdfc00822bc368971b62b2d3a624169ec636f
                                          • Instruction Fuzzy Hash: 26A1D176A053018FCB08CEBCD9956EDBBF2AB4E350F144529D802FB354D33699488B25
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3d9bd3e3d532c0c7b711a80334c739c28c5ae70e3931cf90958ec506165de4c
                                          • Instruction ID: 886fdcce39204e9469b80d857c06a8075544c2031423af83247ea72008fe2f73
                                          • Opcode Fuzzy Hash: c3d9bd3e3d532c0c7b711a80334c739c28c5ae70e3931cf90958ec506165de4c
                                          • Instruction Fuzzy Hash: 02A1C0B6B052058FDF08CE7CDD812DDBBE2AB8A359F084A59D401EB794D239DD488B25
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d8920396805ec29dae14268417a48b7ab406ca826fe6eedca5e17574182f53d
                                          • Instruction ID: 27bbea9dfb5230bda0207e75839153f9eb28046dc9c758d0844f88966c63127a
                                          • Opcode Fuzzy Hash: 9d8920396805ec29dae14268417a48b7ab406ca826fe6eedca5e17574182f53d
                                          • Instruction Fuzzy Hash: 02A10076A063068FCB08DEBCC5912EEBBF2EB4D350F144928D446EF358D2399949CB65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6baa2702f49c0138e5818ee36117d7296b0cc22068ea50a70f15df9c082554c
                                          • Instruction ID: ef77064e9641c996d0ad1f0f5c83734324ab12a4d9a056674d359e3d1bb9b9b4
                                          • Opcode Fuzzy Hash: d6baa2702f49c0138e5818ee36117d7296b0cc22068ea50a70f15df9c082554c
                                          • Instruction Fuzzy Hash: FCA1DC7AB052058FCB08DEBCD9816EDBBF2BF89350F144559D802EB394D62A9D45CB21
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 79dde56d954b171823e97b332ba083f87a8157f08b2a746f1779bc1bb991f8a7
                                          • Instruction ID: 0b10f5f9f17133cccc4d107e94797df641ec60873a15828c2aee745f28deda36
                                          • Opcode Fuzzy Hash: 79dde56d954b171823e97b332ba083f87a8157f08b2a746f1779bc1bb991f8a7
                                          • Instruction Fuzzy Hash: A2415872F012058FDB04EF7CC9A53EE7BF99B56320F058818D515DB796D2398A0ACB51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b6ca573a27b2e7842b1a394943c5aa72d97e3745913c273d34d338da33b0bf17
                                          • Instruction ID: 321d97fcaeebfd7048084948758f66853f81c18c7c3ede1a05e1429fe0816c26
                                          • Opcode Fuzzy Hash: b6ca573a27b2e7842b1a394943c5aa72d97e3745913c273d34d338da33b0bf17
                                          • Instruction Fuzzy Hash: 6A413272E022158FDF04DFBCC5A93EEBBF1AB06320F154519D556EB380D2364A0ADBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3df2db24c22e9143801017d521fab56a3f77a228f03817991ef173185993d3e7
                                          • Instruction ID: d64609baa33f582b2eefdcc3b38617fe8c0df8fdd4005a546a0f8cddbbbd5c83
                                          • Opcode Fuzzy Hash: 3df2db24c22e9143801017d521fab56a3f77a228f03817991ef173185993d3e7
                                          • Instruction Fuzzy Hash: 92417676E027089FCB04DE7CC5963EF7BF59B06314F008519D805AB389D63B8A09CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c541167f590ed63e7cab26af217431b6eee885313c7562f4584d326a6719d0b
                                          • Instruction ID: 90db4e1ef8313bba2609320053be9748bca93e514dfedcd2926ef903cfb79e8a
                                          • Opcode Fuzzy Hash: 4c541167f590ed63e7cab26af217431b6eee885313c7562f4584d326a6719d0b
                                          • Instruction Fuzzy Hash: 26413672E016058FCF04DE7CD5963EF7BFAAB46321F105418E956DF381C22A8A0ACB55
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 46d1ef263cd3e4919f2545831b42bbe12d684acd4fc989ce8a0e26356865aa0c
                                          • Instruction ID: aeddbf480ef97060bc0c1c64bc9dba4f4f505ac5e3c0b329bf0751057e585394
                                          • Opcode Fuzzy Hash: 46d1ef263cd3e4919f2545831b42bbe12d684acd4fc989ce8a0e26356865aa0c
                                          • Instruction Fuzzy Hash: BE4176B2E013468FCB04DE7CD4E53EFBBF29B46360F148159D95AEB384D126460ACB51
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f4be8f3a1e3f3e469bedf5dc93e5c4c2caf1a509c2932bf7919f77ff54221d37
                                          • Instruction ID: 434b986244d3af222f74a9fa1c6d4c3e676d5b401b99a5b35a0d7d9ee8602780
                                          • Opcode Fuzzy Hash: f4be8f3a1e3f3e469bedf5dc93e5c4c2caf1a509c2932bf7919f77ff54221d37
                                          • Instruction Fuzzy Hash: 36417772E167448FCB04DEBCC4A53EFBFF59B56320F068518D846DB345C23A4A0A8B61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e492a434aa4553a2c137f0f404e14668049c06afaaa95e4a29e797191b11b82
                                          • Instruction ID: fc9d0d54bc310299f317fcf96f9204bb2c1b752821d998353102f4c2722fb60c
                                          • Opcode Fuzzy Hash: 3e492a434aa4553a2c137f0f404e14668049c06afaaa95e4a29e797191b11b82
                                          • Instruction Fuzzy Hash: 3E416572E052058FCB04EE7CD8953EEBBF1DB16364F148618D565AB390D6364A09CB91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b838080edebbbb8bf086c61f3e5c2ad8e34a074d9d480345dff68c74538c45a
                                          • Instruction ID: 3dbcb9b6d270453d32f858710e7c19d4fd4e03e1d21f4e0cefad648789cfeb1a
                                          • Opcode Fuzzy Hash: 7b838080edebbbb8bf086c61f3e5c2ad8e34a074d9d480345dff68c74538c45a
                                          • Instruction Fuzzy Hash: E3412172A012459FCF08EF7CD9A63EE7BF69B06320F149518D915DB384D33A5A09CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f875cc09ff62d0a2b5714e6f9899286832abd69149331ecbab7087a53bb6e903
                                          • Instruction ID: a229cadecfe036c968bf5ba6b2411252f2450e6aedb543b355f3a4d0ef1927c2
                                          • Opcode Fuzzy Hash: f875cc09ff62d0a2b5714e6f9899286832abd69149331ecbab7087a53bb6e903
                                          • Instruction Fuzzy Hash: 2D418772E012059FCB04EF7CDDA53EE7FF19B16310F148429D945EB345D2364A0A8BA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad0d0ce55a75911dd451db64ba506a81cb2fbab48a05db9a8d339cd144ee1fdd
                                          • Instruction ID: 302e1b412c595513bda173dfe25815f3fe63ef22692f178f7735fb646c7b4e92
                                          • Opcode Fuzzy Hash: ad0d0ce55a75911dd451db64ba506a81cb2fbab48a05db9a8d339cd144ee1fdd
                                          • Instruction Fuzzy Hash: 81417772F052428FCB08DFBCD8953EEBBF29B82324F054928D9559B395C2268A098B55
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 030EB464
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC00
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC12
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC24
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC36
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC48
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC5A
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC6C
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC7E
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EAC90
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EACA2
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EACB4
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EACC6
                                            • Part of subcall function 030EABE3: _free.LIBCMT ref: 030EACD8
                                          • _free.LIBCMT ref: 030EB459
                                            • Part of subcall function 030EA182: HeapFree.KERNEL32(00000000,00000000,?,030EAE58,?,00000000,?,?,?,030EAD63,?,00000007,?,?,030EB5E0,?), ref: 030EA198
                                            • Part of subcall function 030EA182: GetLastError.KERNEL32(?,?,030EAE58,?,00000000,?,?,?,030EAD63,?,00000007,?,?,030EB5E0,?,?), ref: 030EA1AA
                                          • _free.LIBCMT ref: 030EB47B
                                          • _free.LIBCMT ref: 030EB490
                                          • _free.LIBCMT ref: 030EB49B
                                          • _free.LIBCMT ref: 030EB4BD
                                          • _free.LIBCMT ref: 030EB4D0
                                          • _free.LIBCMT ref: 030EB4DE
                                          • _free.LIBCMT ref: 030EB4E9
                                          • _free.LIBCMT ref: 030EB521
                                          • _free.LIBCMT ref: 030EB528
                                          • _free.LIBCMT ref: 030EB545
                                          • _free.LIBCMT ref: 030EB55D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: e970fe1d1c89e1c354125fd78dbdb12abf4ce2b58c2dbe8cf4e3879eef5aa408
                                          • Instruction ID: 75692ff75cc074d4841d5145108768e664ac1beb4904d75037857b789710fbeb
                                          • Opcode Fuzzy Hash: e970fe1d1c89e1c354125fd78dbdb12abf4ce2b58c2dbe8cf4e3879eef5aa408
                                          • Instruction Fuzzy Hash: 5D318D7670A300AFEB65EA3DD844B96B3E9FF44310F188469E069DB150DF34EE808B11
                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 00575DFB
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 0057598D
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 0057599F
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 005759B1
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 005759C3
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 005759D5
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 005759E7
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 005759F9
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 00575A0B
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 00575A1D
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 00575A2F
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 00575A41
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 00575A53
                                            • Part of subcall function 00575970: _free.LIBCMT ref: 00575A65
                                          • _free.LIBCMT ref: 00575DF0
                                            • Part of subcall function 00573CE9: RtlFreeHeap.NTDLL(00000000,00000000,?,00575B01,?,00000000,?,?,?,00575B28,?,00000007,?,?,00575F4E,?), ref: 00573CFF
                                            • Part of subcall function 00573CE9: GetLastError.KERNEL32(?,?,00575B01,?,00000000,?,?,?,00575B28,?,00000007,?,?,00575F4E,?,?), ref: 00573D11
                                          • _free.LIBCMT ref: 00575E12
                                          • _free.LIBCMT ref: 00575E27
                                          • _free.LIBCMT ref: 00575E32
                                          • _free.LIBCMT ref: 00575E54
                                          • _free.LIBCMT ref: 00575E67
                                          • _free.LIBCMT ref: 00575E75
                                          • _free.LIBCMT ref: 00575E80
                                          • _free.LIBCMT ref: 00575EB8
                                          • _free.LIBCMT ref: 00575EBF
                                          • _free.LIBCMT ref: 00575EDC
                                          • _free.LIBCMT ref: 00575EF4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: 4c039b0ca1839cdcdc91ccdd7ac0af083729957590b582104df3f2dea053b076
                                          • Instruction ID: 6f15fc22f1fcf890d69d54409b1a20442cf15f231683505d8f9a2561bff12211
                                          • Opcode Fuzzy Hash: 4c039b0ca1839cdcdc91ccdd7ac0af083729957590b582104df3f2dea053b076
                                          • Instruction Fuzzy Hash: D5314F31540B01DFEB219A79F845B5A7BECBF40320F148499E84DE6151EBB6AE44A710
                                          APIs
                                          • _free.LIBCMT ref: 030E94E6
                                            • Part of subcall function 030EA182: HeapFree.KERNEL32(00000000,00000000,?,030EAE58,?,00000000,?,?,?,030EAD63,?,00000007,?,?,030EB5E0,?), ref: 030EA198
                                            • Part of subcall function 030EA182: GetLastError.KERNEL32(?,?,030EAE58,?,00000000,?,?,?,030EAD63,?,00000007,?,?,030EB5E0,?,?), ref: 030EA1AA
                                          • _free.LIBCMT ref: 030E94F2
                                          • _free.LIBCMT ref: 030E94FD
                                          • _free.LIBCMT ref: 030E9508
                                          • _free.LIBCMT ref: 030E9513
                                          • _free.LIBCMT ref: 030E951E
                                          • _free.LIBCMT ref: 030E9529
                                          • _free.LIBCMT ref: 030E9534
                                          • _free.LIBCMT ref: 030E953F
                                          • _free.LIBCMT ref: 030E954D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: cd7e01ff93e08fde6acf5ecc8a809711a000f261488be83713e4de5240c65b10
                                          • Instruction ID: 4366c8df7d06e7175334164c8f7ee94799c9879f2a3911164b49e2cce7d308b4
                                          • Opcode Fuzzy Hash: cd7e01ff93e08fde6acf5ecc8a809711a000f261488be83713e4de5240c65b10
                                          • Instruction Fuzzy Hash: 2C217A7AA01208BFCB46EF99C880DDD7BB9BF48244F0141A6E5559F121DB35DB54CB81
                                          APIs
                                          • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,030EF26F), ref: 030EF91C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: DecodePointer
                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                          • API String ID: 3527080286-3064271455
                                          • Opcode ID: 478eeca34da5362ecb31bc402bafddf16224cea70f5f467ff59b3c9cd75d087b
                                          • Instruction ID: c461d54864c0f2d25e7a8038d21d8740a5792185cb6ad47e2c6f1a41585bda8e
                                          • Opcode Fuzzy Hash: 478eeca34da5362ecb31bc402bafddf16224cea70f5f467ff59b3c9cd75d087b
                                          • Instruction Fuzzy Hash: 0E516CB1B02A0BDFCB10DF99E8481AEBBF4FF45704F4F4085D991AA658CB7486658B50
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 030E73C7
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 030E73CF
                                          • _ValidateLocalCookies.LIBCMT ref: 030E7458
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 030E7483
                                          • _ValidateLocalCookies.LIBCMT ref: 030E74D8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 95fbffdf8e020d32844c8e17f0d6e2c961266b31e373510bc7a553531652ef88
                                          • Instruction ID: 202f155dd26793627c07bd9eb62503e17b90177ab7e37c30ec617491cf256509
                                          • Opcode Fuzzy Hash: 95fbffdf8e020d32844c8e17f0d6e2c961266b31e373510bc7a553531652ef88
                                          • Instruction Fuzzy Hash: 7A41B175B02218AFCF10DF68D880A9EBFF4EF85724F088095E858AB756D731A905CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 0-537541572
                                          • Opcode ID: 877a9ca7bf2c143079ccc43ed6513757f11b11ad59085835b3e4c17cfffd5790
                                          • Instruction ID: 441f83170fba9d2b191db5399bc7094f4d979b4e76fc0130640809e6add8c14b
                                          • Opcode Fuzzy Hash: 877a9ca7bf2c143079ccc43ed6513757f11b11ad59085835b3e4c17cfffd5790
                                          • Instruction Fuzzy Hash: 3121D271B07225EFCB71DA288C40B6E7799EF41FB0F194610ED16AB280D734E900C6E4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                          • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 0-537541572
                                          • Opcode ID: f3a49736c1a4ca4da23710c633b4815144ab38e452f6c6e41730b495bad1251f
                                          • Instruction ID: 4118afb4bd18d3cb1588f307865107e250430b57394804c6f90d1f515e1035b7
                                          • Opcode Fuzzy Hash: f3a49736c1a4ca4da23710c633b4815144ab38e452f6c6e41730b495bad1251f
                                          • Instruction Fuzzy Hash: 4921E771A01A21ABCB318B24BC4DA5E3F68BB157A0F648560ED0DB7292D670DD04F7E0
                                          APIs
                                            • Part of subcall function 030EAE2E: _free.LIBCMT ref: 030EAE53
                                          • _free.LIBCMT ref: 030EAD98
                                            • Part of subcall function 030EA182: HeapFree.KERNEL32(00000000,00000000,?,030EAE58,?,00000000,?,?,?,030EAD63,?,00000007,?,?,030EB5E0,?), ref: 030EA198
                                            • Part of subcall function 030EA182: GetLastError.KERNEL32(?,?,030EAE58,?,00000000,?,?,?,030EAD63,?,00000007,?,?,030EB5E0,?,?), ref: 030EA1AA
                                          • _free.LIBCMT ref: 030EADA3
                                          • _free.LIBCMT ref: 030EADAE
                                          • _free.LIBCMT ref: 030EAE02
                                          • _free.LIBCMT ref: 030EAE0D
                                          • _free.LIBCMT ref: 030EAE18
                                          • _free.LIBCMT ref: 030EAE23
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 105f548c2afa8a44679e1146f4cbb258c4c62ef68efa744c5b0780804a295bbf
                                          • Instruction ID: fb81ff75dca67cf5ba7117849bba351d32afc01186136e009106e2762ec4a546
                                          • Opcode Fuzzy Hash: 105f548c2afa8a44679e1146f4cbb258c4c62ef68efa744c5b0780804a295bbf
                                          • Instruction Fuzzy Hash: F911813DB82B14BED525FBB4CC05FCB7B9D9F8C700F404814A2A96E260DA38BA044761
                                          APIs
                                            • Part of subcall function 00575AD7: _free.LIBCMT ref: 00575AFC
                                          • _free.LIBCMT ref: 00575B5D
                                            • Part of subcall function 00573CE9: RtlFreeHeap.NTDLL(00000000,00000000,?,00575B01,?,00000000,?,?,?,00575B28,?,00000007,?,?,00575F4E,?), ref: 00573CFF
                                            • Part of subcall function 00573CE9: GetLastError.KERNEL32(?,?,00575B01,?,00000000,?,?,?,00575B28,?,00000007,?,?,00575F4E,?,?), ref: 00573D11
                                          • _free.LIBCMT ref: 00575B68
                                          • _free.LIBCMT ref: 00575B73
                                          • _free.LIBCMT ref: 00575BC7
                                          • _free.LIBCMT ref: 00575BD2
                                          • _free.LIBCMT ref: 00575BDD
                                          • _free.LIBCMT ref: 00575BE8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                           • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 43f91f4fdd977be9fb4a905f4cf1d1f333007fad726a386e49fa4933e662f8fb
                                          • Instruction ID: 2beda19c76ba56ea0e004e8eb20fbfa7c992c7c2801fa76f1a617b7e10b5c513
                                          • Opcode Fuzzy Hash: 43f91f4fdd977be9fb4a905f4cf1d1f333007fad726a386e49fa4933e662f8fb
                                          • Instruction Fuzzy Hash: 1A118471580F25E6D625B770DC4BFCB7F9CBF80701F408928B79D66052EAA6B9047A50
                                          APIs
                                          • GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 030ED47F
                                          • __fassign.LIBCMT ref: 030ED664
                                          • __fassign.LIBCMT ref: 030ED681
                                          • WriteFile.KERNEL32(?,030EAA44,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 030ED6C9
                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 030ED709
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 030ED7B1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ConsoleErrorLastOutput
                                          • String ID:
                                          • API String ID: 1735259414-0
                                          • Opcode ID: 1129dc4421e0e360a700b2e40c52f4685e66cec64fd99c24fb044e1fe30782ee
                                          • Instruction ID: 685fc25b28735e691cbad40d4cbc2028efb0a943d4049ad28c102fa613e2efb7
                                          • Opcode Fuzzy Hash: 1129dc4421e0e360a700b2e40c52f4685e66cec64fd99c24fb044e1fe30782ee
                                          • Instruction Fuzzy Hash: 1AC19EB5E012589FCF15DFA8C9809EDFBB5EF48304F28416AE855BB345E631A942CF60
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,030ED3FA,?,00000001,030EA930,?,030ED281,00000001,?,?,?,030EAA44,?,?), ref: 030E91C4
                                          • _free.LIBCMT ref: 030E9221
                                          • _free.LIBCMT ref: 030E9257
                                          • SetLastError.KERNEL32(00000000,00000008,000000FF,?,030ED281,00000001,?,?,?,030EAA44,?,?,?,030F73A0,0000002C,030EA930), ref: 030E9262
                                          • _free.LIBCMT ref: 030E92CC
                                          • _free.LIBCMT ref: 030E9300
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: _free$ErrorLast
                                          • String ID:
                                          • API String ID: 3291180501-0
                                          • Opcode ID: 519b361242b286f7afbc2158a9c1cc0420140c92817829e99ce337f7cc639428
                                          • Instruction ID: 6fa7ff912170356cbb1df450445c890a3e2a2594aa21c991455c3fc89bdf88a9
                                          • Opcode Fuzzy Hash: 519b361242b286f7afbc2158a9c1cc0420140c92817829e99ce337f7cc639428
                                          • Instruction Fuzzy Hash: 3B31293B7073217FDA95F6F85C44EAE229D9FE5A75F184724F820AE1D5EB198C004160
                                          APIs
                                          • GetLastError.KERNEL32(?,?,030E889C,030E72A8,030E6E2B), ref: 030E88B3
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 030E88C1
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 030E88DA
                                          • SetLastError.KERNEL32(00000000,030E889C,030E72A8,030E6E2B), ref: 030E892C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 023b8293ed524b16437b71cc4bf781cf31133e78a79a6b4ded7ee024750c835a
                                          • Instruction ID: 2c7a5c3e0cc409fba7a665f4988c686e751a504682d594feb1a9ada692fba53e
                                          • Opcode Fuzzy Hash: 023b8293ed524b16437b71cc4bf781cf31133e78a79a6b4ded7ee024750c835a
                                          • Instruction Fuzzy Hash: 3301473770F312AFF668F6747C85AAE27D8DB85D30728436AE5205D0E8FE134894A161
                                          APIs
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,030EC672,?,?,031B7994,00000000,?,030EC582,00000004,InitializeCriticalSectionEx,030F1F20,030F1F28,00000000), ref: 030EC640
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID: api-ms-
                                          • API String ID: 3664257935-2084034818
                                          • Opcode ID: e874ff6ed93df520fc11b9f8639efca98823aae422c1ca79cbc287c925d02ac5
                                          • Instruction ID: 0ab4c2b47c878a2669b66dc7cddf3f94c876f8dc0377f71f24267485948ace93
                                          • Opcode Fuzzy Hash: e874ff6ed93df520fc11b9f8639efca98823aae422c1ca79cbc287c925d02ac5
                                          • Instruction Fuzzy Hash: 7311E332F03225AFEB22DB689C4075F33E8EF41770F191260E911AB280D766ED0186D5
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,030E7966,?,?,030E79E7,?,?,?), ref: 030E78F1
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 030E7904
                                          • FreeLibrary.KERNEL32(00000000,?,?,030E7966,?,?,030E79E7,?,?,?), ref: 030E7927
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: 7e527d6308f6beace0bc3edb18660f2e82fadebce5e6cefad0db445889982c3e
                                          • Instruction ID: f0a32aad13249799392309c1606236f03111e84676e8d459363ff0854bc364f5
                                          • Opcode Fuzzy Hash: 7e527d6308f6beace0bc3edb18660f2e82fadebce5e6cefad0db445889982c3e
                                          • Instruction Fuzzy Hash: 48F08231603219FFCB11EB60DD09B9EBAB5EF00B56F184068A801A2461CB758F01DB90
                                          APIs
                                          • _free.LIBCMT ref: 030EACF9
                                            • Part of subcall function 030EA182: HeapFree.KERNEL32(00000000,00000000,?,030EAE58,?,00000000,?,?,?,030EAD63,?,00000007,?,?,030EB5E0,?), ref: 030EA198
                                            • Part of subcall function 030EA182: GetLastError.KERNEL32(?,?,030EAE58,?,00000000,?,?,?,030EAD63,?,00000007,?,?,030EB5E0,?,?), ref: 030EA1AA
                                          • _free.LIBCMT ref: 030EAD0B
                                          • _free.LIBCMT ref: 030EAD1D
                                          • _free.LIBCMT ref: 030EAD2F
                                          • _free.LIBCMT ref: 030EAD41
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 0bccd5dcfef192709d4511837f443344de802c54b6969418046a8716173413ee
                                          • Instruction ID: 92878d28b67e4e7e7809c5506a611cdbd7e7867cbd94e8ea094af84a8ab779c1
                                          • Opcode Fuzzy Hash: 0bccd5dcfef192709d4511837f443344de802c54b6969418046a8716173413ee
                                          • Instruction Fuzzy Hash: 67F06236706300BFCA69FBACF480C6AB3EAEA4C2167684805F419DB504DB38FCC08660
                                          APIs
                                          • _free.LIBCMT ref: 00575A86
                                            • Part of subcall function 00573CE9: RtlFreeHeap.NTDLL(00000000,00000000,?,00575B01,?,00000000,?,?,?,00575B28,?,00000007,?,?,00575F4E,?), ref: 00573CFF
                                            • Part of subcall function 00573CE9: GetLastError.KERNEL32(?,?,00575B01,?,00000000,?,?,?,00575B28,?,00000007,?,?,00575F4E,?,?), ref: 00573D11
                                          • _free.LIBCMT ref: 00575A98
                                          • _free.LIBCMT ref: 00575AAA
                                          • _free.LIBCMT ref: 00575ABC
                                          • _free.LIBCMT ref: 00575ACE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                           • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: b319cc7abe092b594cdcf9a6f6ab4ae45c0ba56d7da8e1e4361ca34dbd69417e
                                          • Instruction ID: d2902013a6bcd65bde77f0cfdd1e1e886c2c6490438896f2758c8cf3e88b62c6
                                          • Opcode Fuzzy Hash: b319cc7abe092b594cdcf9a6f6ab4ae45c0ba56d7da8e1e4361ca34dbd69417e
                                          • Instruction Fuzzy Hash: CBF0C232444A00AB8720EB25F5CAC2A7BDDFE503203A48954F40CE7600EB76FC84BB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: C:\Users\user\Desktop\LisectAVT_2403002A_138.exe
                                          • API String ID: 0-831462017
                                          • Opcode ID: 2fa8c114c1ba0ae040305259a721dde140303fbef76dac27ae92adabd70e9457
                                          • Instruction ID: 070d21842a13274bd569d6db947551ad15a2ce5528acc8d1e381f93e57736664
                                          • Opcode Fuzzy Hash: 2fa8c114c1ba0ae040305259a721dde140303fbef76dac27ae92adabd70e9457
                                          • Instruction Fuzzy Hash: 42418675B05219AFCB25EFD9DC84DEEBBFCEFC8750B14009AE41597240E6718A41C7A0
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,030EAE8F,030EE3EA,?,030EC067,?,00000004,00000000,?,?,?,030E80D7,?,00000000), ref: 030E931B
                                          • _free.LIBCMT ref: 030E9378
                                          • _free.LIBCMT ref: 030E93AE
                                          • SetLastError.KERNEL32(00000000,00000008,000000FF,?,030EC067,?,00000004,00000000,?,?,?,030E80D7,?,00000000,00000004), ref: 030E93B9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ErrorLast_free
                                          • String ID:
                                          • API String ID: 2283115069-0
                                          • Opcode ID: 63cfae74e93eed0f4ad63c419e7d5f309f4f41919963c3a3b3fbb4e5820cb063
                                          • Instruction ID: e43a942ab11ea25b3a540ad9fb178b138309fbfe1a70e168559cfe77f1e85224
                                          • Opcode Fuzzy Hash: 63cfae74e93eed0f4ad63c419e7d5f309f4f41919963c3a3b3fbb4e5820cb063
                                          • Instruction Fuzzy Hash: F811447B3073042FC755FAF85C84EAB22AEDBE45B6F280324F4209A1C5EF29CC004220
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,00573C7E,00573BF5,?,?,0056FFE5,?,?,?,?,?,0055109F,?,?), ref: 00573A1C
                                          • _free.LIBCMT ref: 00573A79
                                          • _free.LIBCMT ref: 00573AAF
                                          • SetLastError.KERNEL32(00000000,00000005,000000FF,?,?,0056FFE5,?,?,?,?,?,0055109F,?,?,E18E7672), ref: 00573ABA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                           • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ErrorLast_free
                                          • String ID:
                                          • API String ID: 2283115069-0
                                          • Opcode ID: d09c3099c843273862e97bd018eef001c31745ac7ccc0d59ee4e1b4780e8dbcb
                                          • Instruction ID: 20d660511a94234474dd07684866d2520c4b232f3dd81f5d05c7e6c6a9e408f7
                                          • Opcode Fuzzy Hash: d09c3099c843273862e97bd018eef001c31745ac7ccc0d59ee4e1b4780e8dbcb
                                          • Instruction Fuzzy Hash: 4311C672240602EBD71167B97C8BE6B2E59FBD1770B348628F91CA71D1DD728D0CB220
                                          APIs
                                          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,030EE7B8,?,00000001,?,00000001,?,030ED80E,?,?,00000001), ref: 030EEAFD
                                          • GetLastError.KERNEL32(?,030EE7B8,?,00000001,?,00000001,?,030ED80E,?,?,00000001,?,00000001,?,030ED2A2,030EAA44), ref: 030EEB09
                                            • Part of subcall function 030EEB5A: CloseHandle.KERNEL32(FFFFFFFE,030EEB19,?,030EE7B8,?,00000001,?,00000001,?,030ED80E,?,?,00000001,?,00000001), ref: 030EEB6A
                                          • ___initconout.LIBCMT ref: 030EEB19
                                            • Part of subcall function 030EEB3B: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,030EEAD7,030EE7A5,00000001,?,030ED80E,?,?,00000001,?), ref: 030EEB4E
                                          • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,030EE7B8,?,00000001,?,00000001,?,030ED80E,?,?,00000001,?), ref: 030EEB2E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910890476.0000000003040000.00000040.00001000.00020000.00000000.sdmp, Offset: 03040000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_3040000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                          • String ID:
                                          • API String ID: 2744216297-0
                                          • Opcode ID: 348f0779332771f47879ae589b568b60a316b48f4ef3e61958d1fca132cd24e1
                                          • Instruction ID: 83fdcca40647173c6453ce76e6871140ce066de57a3f5603df2d984c3f16b97b
                                          • Opcode Fuzzy Hash: 348f0779332771f47879ae589b568b60a316b48f4ef3e61958d1fca132cd24e1
                                          • Instruction Fuzzy Hash: 84F0123620211DFFCF226FD1DC089CA3FA6EB48260F044115FA0996514D732C860EB90
                                          APIs
                                          • std::_Iterator_base::_Iterator_base.LIBCPMTD ref: 0056DE9E
                                          • Concurrency::details::VirtualProcessor::ClaimTicket::InitializeTicket.LIBCMTD ref: 0056DF04
                                            • Part of subcall function 0056EA30: std::_Ref_count_base::_Ref_count_base.LIBCPMTD ref: 0056EA66
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                           • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: std::_$ClaimConcurrency::details::InitializeIterator_baseIterator_base::_Processor::Ref_count_baseRef_count_base::_TicketTicket::Virtual
                                          • String ID: u U
                                          • API String ID: 1893620424-603910768
                                          • Opcode ID: 91c4a247841751c5041aa1cdbf34bd402638f8fae05600456fbef730932de11e
                                          • Instruction ID: f39a554f1d73985c2c9fe6f63979997209ba48c9b26c0502777b4984f142ff48
                                          • Opcode Fuzzy Hash: 91c4a247841751c5041aa1cdbf34bd402638f8fae05600456fbef730932de11e
                                          • Instruction Fuzzy Hash: F721F571E0020A9BCB04DF98D956BEEBBB4BB48300F104629E516AB2C1DB756E04CBA5
                                          APIs
                                          • std::_Ref_count_base::_Ref_count_base.LIBCPMTD ref: 0056E8B6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1910312145.0000000000551000.00000040.00000001.01000000.00000003.sdmp, Offset: 00550000, based on PE: true
                                           • Associated: 00000000.00000002.1910296513.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910340992.000000000057E000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910359597.0000000000588000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910462857.0000000000707000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.1910506196.0000000000765000.00000040.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_550000_LisectAVT_2403002A_138.jbxd
                                          Similarity
                                          • API ID: Ref_count_baseRef_count_base::_std::_
                                          • String ID: @V$CV
                                          • API String ID: 1391782822-4045293446
                                          • Opcode ID: a345dadc1c2d5ecbe81b341f2982be02aa562e42baa80783a5a0984f17717f67
                                          • Instruction ID: 97fae84c6556437975fc988ab4e9a9f31048927c5e1df4f9b00d7940cb5b9046
                                          • Opcode Fuzzy Hash: a345dadc1c2d5ecbe81b341f2982be02aa562e42baa80783a5a0984f17717f67
                                          • Instruction Fuzzy Hash: 2901FBB5904659DFC704CF58D940B6EBBF4FB49720F10866EE82997780D7359900CF54

                                          Execution Graph

                                           Execution Coverage: 1.6%
                                           Dynamic/Decrypted Code Coverage: 0%
                                           Signature Coverage: 9.5%
                                           Total number of Nodes: 891
                                           Total number of Limit Nodes: 25
                                          execution_graph
                                          (the interactive graph is rendered here as a flat node/edge dump; condensed below to the call chains it records, keyed by function start address)
                                          • 46ad94: LoadLibraryA, then alternating check blocks and GetProcAddress runs: 46adae (x2) -> 46adde LoadLibraryA x8 -> 46ae58 (x6) -> 46aec4 -> 46aeca (x2) -> 46aef2 -> 46aefa (x9) -> 46af9c -> 46afa4 (x12) -> 46b07c -> 46b084 (x7) -> 46b102 -> 46b108 (x2) -> 46b130 -> 46b13b (x8) -> 46b1cb -> 46b1d3 (x3) -> 46b20f. 9 LoadLibraryA and 51 GetProcAddress in total; each run has a skip edge from the short check block before it. See the control-flow graph below.
                                          • 40115a: GetCurrentProcess, VirtualAllocExNuma; failure branch 40117b ExitProcess, success branch 401102 VirtualAlloc -> 401122 _memset -> 40113f VirtualFree -> 401156. (VirtualAllocExNuma followed by a freshly allocated buffer that is fully written is a common sandbox/memory check; the graph shows the process exits when the first call fails.)
                                          • 40104c: GetPEB, lstrcmpiW, ExitProcess.
                                          • 4011ca .. 402d3a: a linear chain of several hundred blocks, each calling 402d44 (Sleep, LocalAlloc, Sleep, Sleep), i.e. the sleep-interleaved allocation routine behind the "string decryption" and "evasive loops" signatures.
                                          • 412b8a -> 467c2a -> 482950 -> 467c3c GetComputerNameA -> 467c76 -> 402e63 -> 46f26f -> 412ba5 lstrcmpA -> 412bcd; from 412bcd either 412c07 or 467dae GetUserNameA -> 402e63 -> 467dfb -> 46f26f -> 412bd9 lstrcmpA -> 412bfb; from 412bfb either 412bff ExitProcess or 412c07 -> 46f26f -> 412c14. The computer name and user name are each compared against a stored string and a match terminates the process.
                                          • 46f26f (labelled __except_handler4, 5 API calls): 46f277 normal return, or 46f279 IsDebuggerPresent -> 480ed5 -> 475ba9 SetUnhandledExceptionFilter, UnhandledExceptionFilter -> 475bc6 __call_reportfault -> 475bce GetCurrentProcess, TerminateProcess. This matches the MSVC CRT __report_gsfailure sequence.
                                          • 41d64d: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess.
                                          • 46764a -> 46766e __EH_prolog3 -> 467e12 GetCurrentHwProfileA -> 467e4a -> 402e63 -> 467e5a -> 46f26f -> 467693 -> 412f41 -> 402fd0 -> 412f66 -> 467e69 -> 479780 -> 467ea9 RegOpenKeyExA -> 467eca RegQueryValueExA (skipped when RegOpenKeyExA fails) -> 467ee5 RegCloseKey, CharToOemA -> 402e63 -> 467f16 -> 46f26f -> 4676b1 -> 412f41 -> 4676c2 -> 413e6f -> 4676d2 -> 46f26f -> 467733.
                                          • 4110fe -> 41110a __EH_prolog3_GS -> 40356b -> 41113a -> 410235 -> 410259 __EH_prolog3 -> 4100f1 -> 410105 (402f5c) -> 41022e -> 4102d4, then a ladder of 412f41 / 402f5c / 40356b buffer operations (410352, 410388, 410379 -> 414317 -> 414323 __EH_prolog3_catch -> 413f5f -> 414333 -> 414364 std::locale::_Locimp::_Locimp_dtor, 41045e, 410495, 4104b3, 4104a9, 410525, 41053f, 410535, 4105d1, 4105f5, 410613, 410609, 4106a9, 4106c9, 4106bc, 41075a, 410777, 41076a) -> 4107e4 DeleteUrlCacheEntry -> 410800 DeleteUrlCacheEntry, InternetOpenA -> 410821 InternetConnectA -> 410855 HttpOpenRequestA -> 410882 HttpSendRequestA, HttpQueryInfoA -> 4108b7 -> 470873 -> 47085d -> 47aa04 -> 47aa1d -> 47a7d9 (allocation via 46fe69, 47595b, 476748, 480b0c) -> 4108c3 -> 4108d0 InternetReadFile -> 4108f1 InternetCloseHandle -> 4108f8 InternetCloseHandle -> 410901 InternetCloseHandle -> 4108b0 -> 402e63 -> 410927 -> 46f26f -> 410993 -> 411143. Failure edges: InternetConnectA -> 410901, HttpOpenRequestA -> 4108f8, HttpSendRequestA/HttpQueryInfoA -> 4108b0, 4108c3 -> 4108b0 or 4108f1. 411143 -> 4111c5 lstrlenA (or 403216 -> 470b0e -> 4111c0 -> 4111c5) -> 4111d8 -> 402f5c -> 4111e9, or 4111e1 -> 402e63 -> 4111e9; 4111e9 -> 473561 (__except_handler4). This is the WinINet download routine.
                                          • 46773b GetSystemInfo -> 468e62 -> 468e71 __EH_prolog3_GS -> 41aa95 (117 API calls) -> 468ec3 -> 41aea3 (83) -> 468eea -> 4696c4 (114) -> 468f16 -> 413237 (77) -> 468f25 -> 412b70 EnterCriticalSection, LeaveCriticalSection, std::ios_base::_Ios_base_dtor -> 468f49 -> 473561.
                                          • 402e63 / 402f5c / 402fd0 (buffer-copy helpers, labelled numpunct, 77 API calls): 402e63 -> 402e6d (self-loop) -> 402f5c -> 402f6a -> 402f8b (403069) or 402f6e -> 402fd0 -> 402fe5 (46e7c1) / 402fef -> 402fff (403216) -> 40300b (403216) -> 403017 _memmove, or 403019 (403069) -> 403017; both paths end at 402f89 _memmove -> 402e82.
                                          • 41600c: CryptUnprotectData, LocalAlloc, LocalFree, _memmove.
                                          • 415fb3: CryptStringToBinaryA, LocalAlloc, CryptStringToBinaryA, LocalFree.
                                          • 468b5b: GdipCloneImage, GdipAlloc.
                                          • 46969f: SHGetFolderPathA.
                                          • 468e45: GetFileAttributesA. 481a40: RtlUnwind. 47ac53: InitializeCriticalSectionAndSpinCount. 46f18f: DeleteCriticalSection. 4070a6: EnterCriticalSection, LeaveCriticalSection, std::ios_base::_Ios_base_dtor, moneypunct. 40335a: RaiseException, __CxxThrowException@8. 472c1a: ___security_init_cookie (5 API calls). 415f1f: 6 API calls. 43620b: 6 API calls, _memset.
                                          • Summarised library nodes (API-call count only, no chain recorded): 47d466 (95), 46ee37 (144), 4112cd (90, __except_handler4), 406ed0 (83), 47eedd (89), 43c8d8 (89), 47e4e3 (84), 4032ea (77), 46eeea (85), 4176f4 (154), 4156f8 (19), 41a886 (99, _setvbuf), 475c8e (77), 4846a9 (76, __fassign_l), 47f0ae (87), 47d141 (68, IsInExceptionSpec), 403553 (66, std::exception::exception), 417363 (156), 467d63 (79), 46ed63 (68), 471d07 (81, __fread_nolock), 407d0d (118), 478309 (73, __calloc_crt), 469112 (80), 47311e (72, ___InternalCxxFrameHandler), 41a71c (111, __fseeki64), 419923 (116, __wgetenv), 47d521 (71), 469b21 (135), 467f2e (78), 475f30 (6), 47e5c9 (85), 40f3d6 (160), 47eddb (86), 4715ea (102), 46f9f4 (136, __wfsopen), 4693f4 (82), 4753f5 (95), 417bf8 (77, _free), 41c9fe (102), 47d191 (94), 40719c (138).
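The execution graph is most useful when read backwards from the nodes that end the process: every ExitProcess reached before the network code is a check the sandbox failed. The following parser is an added example and is not code from the Joe Sandbox report or from the sample; the token format ('<5-digit id> <hex address> [labels ...]' declares a node, '<id>-><id>' an edge) is inferred from the dump above, and SAMPLE_GRAPH is a constructed, simplified subset of it (the 40115a and 412b8a clusters with the CRT helper nodes dropped).

```python
"""Parse the flattened 'execution_graph' dump of a Joe Sandbox report and, for
every node that terminates the process (ExitProcess / TerminateProcess), list
the API-calling nodes on the path leading to it.

Added example, not code from the report or from the sample. Token format is
inferred from the page. SAMPLE_GRAPH is a constructed, simplified subset of
the dump (40115a and 412b8a clusters, CRT helper nodes dropped).
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

NODE_ID = re.compile(r"^\d{5}$")
HEX_ADDR = re.compile(r"^[0-9a-f]{6,8}$")   # addresses in this dump are 6 hex digits
EDGE = re.compile(r"^(\d{5})->(\d{5})$")
# Win32-style names: CamelCase (GetPEB, VirtualAlloc) plus the lstr* family.
# Excludes CRT labels (_memset, numpunct, std::...) and the words "API calls".
API_NAME = re.compile(r"^(?:[A-Z]|lstr)(?=.*[a-z])[A-Za-z0-9]{3,}$")

SAMPLE_GRAPH = (
    "48504 40115a GetCurrentProcess VirtualAllocExNuma 48505 401102 VirtualAlloc "
    "48504->48505 48506 40117b ExitProcess 48504->48506 48509 401122 _memset "
    "48505->48509 48508 401156 48509->48508 48510 40113f VirtualFree "
    "48509->48510 48510->48508 "
    "49134 412b8a 49147 467c2a 49134->49147 49169 467c3c GetComputerNameA "
    "49147->49169 49154 412ba5 lstrcmpA 49169->49154 49138 412bcd numpunct "
    "49154->49138 49139 412c07 49138->49139 49155 467dae GetUserNameA "
    "49138->49155 49159 412bd9 lstrcmpA 49155->49159 49145 412bfb numpunct "
    "49159->49145 49145->49139 49146 412bff ExitProcess 49145->49146"
)

Node = Tuple[str, List[str]]   # (address, labels)


def parse_graph(text: str):
    """Return (nodes, preds, succs): nodes maps id -> (addr, labels),
    preds/succs map id -> set of neighbouring ids."""
    nodes: Dict[str, Node] = {}
    preds: Dict[str, Set[str]] = defaultdict(set)
    succs: Dict[str, Set[str]] = defaultdict(set)
    tokens = text.split()
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            src, dst = edge.groups()
            succs[src].add(dst)
            preds[dst].add(src)
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 2
        else:
            if current is not None:          # label text belongs to the open node
                nodes[current][1].append(tok)
            i += 1
    return nodes, preds, succs


def exit_nodes(nodes, apis=("ExitProcess", "TerminateProcess")) -> List[str]:
    return sorted(n for n, (_, labels) in nodes.items() if any(a in labels for a in apis))


def api_chain_to(node: str, nodes, preds, max_depth: int = 8) -> List[Node]:
    """Walk predecessors breadth-first from `node` and report, nearest first,
    the nodes that call Win32 APIs; plain blocks and CRT helpers are traversed
    but not reported."""
    seen, queue, chain = {node}, deque([(node, 0)]), []
    while queue:
        n, depth = queue.popleft()
        addr, labels = nodes.get(n, ("?", []))
        apis = [label for label in labels if API_NAME.match(label)]
        if n != node and apis:
            chain.append((addr, apis))
        if depth < max_depth:
            for p in sorted(preds.get(n, ())):   # sorted for deterministic output
                if p not in seen:
                    seen.add(p)
                    queue.append((p, depth + 1))
    return chain


def early_exit_report(text: str) -> Dict[str, List[Node]]:
    """Map each process-terminating node's address to the API chain behind it."""
    nodes, preds, _ = parse_graph(text)
    return {nodes[n][0]: api_chain_to(n, nodes, preds) for n in exit_nodes(nodes)}


if __name__ == "__main__":
    for exit_addr, chain in early_exit_report(SAMPLE_GRAPH).items():
        print(exit_addr, "<-", " <- ".join(f"{a} {' '.join(c)}" for a, c in chain))
```

On the constructed sample the report shows 40117b guarded only by GetCurrentProcess/VirtualAllocExNuma at 40115a, and 412bff preceded by lstrcmpA, GetUserNameA, lstrcmpA and GetComputerNameA, which is the order in which a sandbox would have to satisfy the checks. Feeding the full dump through the same parser works because the label heuristic ignores the "N API calls" summary nodes.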

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph (function 0046AD94; basic blocks in address order with their API calls and successors)
                                          621  46ad94-46adac  LoadLibraryA          -> 622, 623
                                          623  46adae-46add9  GetProcAddress * 2    -> 622
                                          622  46adde-46ae56  LoadLibraryA * 8      -> 624, 625
                                          625  46ae58-46aebf  GetProcAddress * 6    -> 624
                                          624  46aec4-46aec8                        -> 626, 627
                                          627  46aeca-46aeed  GetProcAddress * 2    -> 626
                                          626  46aef2-46aef4                        -> 629, 630
                                          630  46aefa-46af97  GetProcAddress * 9    -> 629
                                          629  46af9c-46af9e                        -> 631, 632
                                          631  46afa4-46b077  GetProcAddress * 12   -> 632
                                          632  46b07c-46b082                        -> 633, 634
                                          633  46b084-46b0fd  GetProcAddress * 7    -> 634
                                          634  46b102-46b106                        -> 635, 636
                                          636  46b108-46b12b  GetProcAddress * 2    -> 635
                                          635  46b130-46b135                        -> 637, 638
                                          638  46b13b-46b1c6  GetProcAddress * 8    -> 637
                                          637  46b1cb-46b1d1                        -> 639, 640
                                          639  46b1d3-46b20a  GetProcAddress * 3    -> 640
                                          640  46b20f-46b210  (end)
                                          Every GetProcAddress run hangs off a short two-successor block (621, 622, 624, 626, 629, 632, 634, 635, 637), so each run is conditional and can be skipped. The function resolves 51 imports across 9 LoadLibraryA calls; none of the GetProcAddress arguments could be resolved statically (see the 00000000 / ? placeholders in the API list below).
                                          APIs
                                          • LoadLibraryA.KERNEL32(00000283,0000007B,00000CEC,00412E39), ref: 0046ADA2
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046ADBB
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046ADC9
                                          • LoadLibraryA.KERNEL32(000000EA), ref: 0046ADE5
                                          • LoadLibraryA.KERNEL32 ref: 0046ADF3
                                          • LoadLibraryA.KERNEL32 ref: 0046AE02
                                          • LoadLibraryA.KERNEL32 ref: 0046AE10
                                          • LoadLibraryA.KERNEL32 ref: 0046AE1E
                                          • LoadLibraryA.KERNEL32 ref: 0046AE2D
                                          • LoadLibraryA.KERNEL32 ref: 0046AE3C
                                          • LoadLibraryA.KERNEL32 ref: 0046AE4B
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AE5F
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AE71
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AE83
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AE95
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AEA7
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AEB9
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AED3
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AEE7
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF01
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF13
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF25
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF37
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF49
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF5B
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF6D
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF7F
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AF91
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AFAB
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AFBD
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AFCF
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AFE1
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046AFF3
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B005
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B017
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B029
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B03B
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B04D
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B05F
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B071
                                          • GetProcAddress.KERNEL32(?), ref: 0046B08B
                                          • GetProcAddress.KERNEL32(?), ref: 0046B09D
                                          • GetProcAddress.KERNEL32(?), ref: 0046B0AF
                                          • GetProcAddress.KERNEL32(?), ref: 0046B0C1
                                          • GetProcAddress.KERNEL32(?), ref: 0046B0D3
                                          • GetProcAddress.KERNEL32(?), ref: 0046B0E5
                                          • GetProcAddress.KERNEL32(?), ref: 0046B0F7
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B111
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B125
                                          • GetProcAddress.KERNEL32(?), ref: 0046B142
                                          • GetProcAddress.KERNEL32(?), ref: 0046B154
                                          • GetProcAddress.KERNEL32(?), ref: 0046B166
                                          • GetProcAddress.KERNEL32(?), ref: 0046B178
                                          • GetProcAddress.KERNEL32(?), ref: 0046B18A
                                          • GetProcAddress.KERNEL32(?), ref: 0046B19C
                                          • GetProcAddress.KERNEL32(?), ref: 0046B1AE
                                          • GetProcAddress.KERNEL32(?), ref: 0046B1C0
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B1DC
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B1F0
                                          • GetProcAddress.KERNEL32(00000000), ref: 0046B204
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID:
                                          • API String ID: 2238633743-0
                                          • Opcode ID: c0f47093976bda64183157144aceae28c7dbb64b6ff39991bf1ba2ab2be4320c
                                          • Instruction ID: 39f909714af4ffec9a8b09c58311e2016a85532501525c70cda2c0203c710557
                                          • Opcode Fuzzy Hash: c0f47093976bda64183157144aceae28c7dbb64b6ff39991bf1ba2ab2be4320c
                                          • Instruction Fuzzy Hash: 68C127B5801611EFDF029FA0AC4886A7FB6FB4F601784443AFD02926B0DB764D61EF59

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 00410235, final block 00410911-0041099A; API nodes: DeleteUrlCacheEntry, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00410254
                                            • Part of subcall function 0041386D: _memmove.LIBCMT ref: 00413889
                                            • Part of subcall function 00402DC8: _memmove.LIBCMT ref: 00402DE7
                                            • Part of subcall function 00402F5C: _memmove.LIBCMT ref: 00402FAD
                                          • DeleteUrlCacheEntry.WININET(?), ref: 004107E5
                                          • DeleteUrlCacheEntry.WININET(?), ref: 00410801
                                          • InternetOpenA.WININET(0049109F,00000000,00000000,00000000,00000000), ref: 00410810
                                          • InternetConnectA.WININET(000000FF,?,000001BB,00000000,00000000,00000003,04800000,00000000), ref: 00410844
                                          • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,04800000,00000000), ref: 00410876
                                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00410887
                                          • HttpQueryInfoA.WININET(00000000,00000013,?,0000000F,00000000), ref: 004108A6
                                          • InternetReadFile.WININET(00000000,?,00000BB7,00000400), ref: 004108E1
                                          • InternetCloseHandle.WININET(00000000), ref: 004108F2
                                          • InternetCloseHandle.WININET(?), ref: 004108FB
                                          • InternetCloseHandle.WININET(000000FF), ref: 00410904
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$CloseHandleHttp_memmove$CacheDeleteEntryOpenRequest$ConnectFileH_prolog3InfoQueryReadSend
                                          • String ID: ERROR$GET$http://$https://
                                          • API String ID: 1920747694-367639009
                                          • Opcode ID: 7c4f22447a567f2ba812a32dfb5dd25a9793212ad7504d9276ddb6f0c97c3a1c
                                          • Instruction ID: cb7f285807aac4a97ee61bee9cfa3be1a1c858b1dd14fe6dd6102ed1c3b967d6
                                          • Opcode Fuzzy Hash: 7c4f22447a567f2ba812a32dfb5dd25a9793212ad7504d9276ddb6f0c97c3a1c
                                          • Instruction Fuzzy Hash: 7F227D7140028DAEEB20DF64CD45BEE7BB8BF05314F10462AE915AB1D1CBB85F88CB65

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 00467DAE; API node: GetUserNameA; subcalls 00402E63, 0046F26F
                                          APIs
                                          • GetUserNameA.ADVAPI32(?,?), ref: 00467DDC
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          • Opcode ID: fb03df6bf386c41e70aba9431a8b14f8d16d556e1477b28e19e7dcf65daf5980
                                          • Instruction ID: cb1b678348aa213c2cb054e342b7130d2e168a2fa5325308fd1be92c6ed69872
                                          • Opcode Fuzzy Hash: fb03df6bf386c41e70aba9431a8b14f8d16d556e1477b28e19e7dcf65daf5980
                                          • Instruction Fuzzy Hash: 8FF0BD7151060C8BDB30DFA8D8457DDB7F8BB08709F50456DD495D6181EFB8524C8BA5

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 0046773B; API node: GetSystemInfo; subcall 00468E62
                                          APIs
                                          • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,00000CEC,00412E39), ref: 00467749
                                            • Part of subcall function 00468E62: __EH_prolog3_GS.LIBCMT ref: 00468E6C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: H_prolog3_InfoSystem
                                          • String ID:
                                          • API String ID: 2966166590-0
                                          • Opcode ID: fdfc5e9d9d85483b514004ed1b39e7dd6981abbb3d57e7f1ceeb8023393d722e
                                          • Instruction ID: 36207b6c57c00b96f3688c4631bc1c3d4477035532a853af19524bd3280345fb
                                          • Opcode Fuzzy Hash: fdfc5e9d9d85483b514004ed1b39e7dd6981abbb3d57e7f1ceeb8023393d722e
                                          • Instruction Fuzzy Hash: 88D05E7190010CEBCB00EBA0C4499DD7BB8BB18348F004018E500A6150DB34DA44CBA5

                                          Control-flow Graph

                                          APIs
                                          • _memset.LIBCMT ref: 00467EA4
                                          • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00467EC0
                                          • RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?,?,?,?), ref: 00467EDF
                                          • RegCloseKey.ADVAPI32(?,?,?,?), ref: 00467EE8
                                          • CharToOemA.USER32(?,?), ref: 00467EF9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CharCloseOpenQueryValue_memset
                                          • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                          • API String ID: 2235053359-1211650757
                                          • Opcode ID: e91fe3e7671b750d2d8cd00f8bac268afac1d3a4f5d105a93517e65b7173b4da
                                          • Instruction ID: 2277e0bda2dea6c5fc95363319adec13cafdd049fc912a90bdbe0bcd28bc11b9
                                          • Opcode Fuzzy Hash: e91fe3e7671b750d2d8cd00f8bac268afac1d3a4f5d105a93517e65b7173b4da
                                          • Instruction Fuzzy Hash: DA114CB154024DAFEB30DFA4DC85BEE7BBCEB08708F50443AE915D6151EA749A488B54

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 0040115A: GetCurrentProcess, VirtualAllocExNuma; two successors: ExitProcess (0040117B-0040117C) or VirtualAlloc (00401182) followed by call 00479780 (_memset) and VirtualFree (0040112F-00401150)
                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,00000283,0000007B), ref: 00401114
                                          • _memset.LIBCMT ref: 0040113A
                                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000), ref: 00401150
                                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,00412D05), ref: 0040116A
                                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00401171
                                          • ExitProcess.KERNEL32 ref: 0040117C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
                                          • String ID:
                                          • API String ID: 1859398019-0
                                          • Opcode ID: fbdb35e7c3f9be52e4ce8bfd9377820d49f89580534d6290076fbf023fa90f17
                                          • Instruction ID: eddb22d5bf8e92cdc387b99111ae482792865610e40a7654d189085fb4d43229
                                          • Opcode Fuzzy Hash: fbdb35e7c3f9be52e4ce8bfd9377820d49f89580534d6290076fbf023fa90f17
                                          • Instruction Fuzzy Hash: D0F028713813107BE12426252C5EFAF2A5CC745F52F204429F708FE2E0C774980082AC

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 00412B8A: call 00467C2A, lstrcmpA, call 00402DC8, call 00467DAE, lstrcmpA, call 00402DC8; one branch reaches ExitProcess (00412BFF-00412C01), the other call 0046F26F (00412C07-00412C15)
                                          APIs
                                            • Part of subcall function 00467C2A: GetComputerNameA.KERNEL32(?,?), ref: 00467C5E
                                          • lstrcmpA.KERNEL32(00000000,HAL9TH), ref: 00412BB9
                                          • lstrcmpA.KERNEL32(00000000,JohnDoe,00000001,00000000), ref: 00412BE7
                                          • ExitProcess.KERNEL32 ref: 00412C01
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcmp$ComputerExitNameProcess
                                          • String ID: HAL9TH$JohnDoe
                                          • API String ID: 253259721-3469431008
                                          • Opcode ID: 3ae9c34045e1ed42ac767508270d84a0a36dacb4131c703cf99dd0095ef4261f
                                          • Instruction ID: 92345d39dd48cd704c32039c6c79dcbb1ce0b06217e13be6b0edd375627ba1ea
                                          • Opcode Fuzzy Hash: 3ae9c34045e1ed42ac767508270d84a0a36dacb4131c703cf99dd0095ef4261f
                                          • Instruction Fuzzy Hash: 1B01D635740208AFDB04EF69DE46BEE7764EF45704F10046AE501E71E1EAF89C08C699

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 00402D44: Sleep, LocalAlloc, Sleep * 2, then a loop over 00402D7E-00402DAD
                                          APIs
                                          • Sleep.KERNEL32(0000000A), ref: 00402D52
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00402D5A
                                          • Sleep.KERNEL32(0000000A), ref: 00402D64
                                          • Sleep.KERNEL32(0000000A), ref: 00402D6C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$AllocLocal
                                          • String ID:
                                          • API String ID: 814519487-0
                                          • Opcode ID: 4ac73b6444d2335920b24b5755dadf42a4e834461da5f26e5f981b91b1943507
                                          • Instruction ID: 19cabc51f2500a9ff4b103dddc2a5242629ce8f8a79de38a2b821571877bf37a
                                          • Opcode Fuzzy Hash: 4ac73b6444d2335920b24b5755dadf42a4e834461da5f26e5f981b91b1943507
                                          • Instruction Fuzzy Hash: 42019631600259AFDB11CF68C958B997BE9EF4A350F1880A6E944EB291D6B4DE05CB90

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 00467C2A: call 00482950, GetComputerNameA; both branches join at 00467C81 (call 00402E63, call 0046F26F)
                                          APIs
                                          • GetComputerNameA.KERNEL32(?,?), ref: 00467C5E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ComputerName
                                          • String ID: Unknown
                                          • API String ID: 3545744682-1654365787
                                          • Opcode ID: c997373558ae42c9ede51afd1c7447ca2c3d5ec4788242b378f13b0e70a3ff87
                                          • Instruction ID: 64e05eefe2a4c8b4e951da97119da4325606af5ba6b6fd313f0e0d6019b2ab3d
                                          • Opcode Fuzzy Hash: c997373558ae42c9ede51afd1c7447ca2c3d5ec4788242b378f13b0e70a3ff87
                                          • Instruction Fuzzy Hash: 3CF0A470A0424A8BDB20DFA9DD945AEBBE8BF08348F40087ED459D7240EF78A5088B56

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 00467E12: GetCurrentHwProfileA; both branches join at 00467E55 (call 00402E63, call 0046F26F)
                                          APIs
                                          • GetCurrentHwProfileA.ADVAPI32(?), ref: 00467E32
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CurrentProfile
                                          • String ID: Unknown
                                          • API String ID: 2104809126-1654365787
                                          • Opcode ID: 67d343e6dd05ca42c7567a636a38be683b56e72ca92012e5bc313e9e6f4e6171
                                          • Instruction ID: 6b55a04879ebd68c8d7d7c9edfc77c1d10852acf283c1d6349430f0c97650706
                                          • Opcode Fuzzy Hash: 67d343e6dd05ca42c7567a636a38be683b56e72ca92012e5bc313e9e6f4e6171
                                          • Instruction Fuzzy Hash: 1BF08270A043099FDB20DFB9D98575ABBF8AB08B48F50047EA142D7281EA759D088B55

                                          Control-flow Graph

                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00467669
                                            • Part of subcall function 00467E12: GetCurrentHwProfileA.ADVAPI32(?), ref: 00467E32
                                            • Part of subcall function 00467E69: _memset.LIBCMT ref: 00467EA4
                                            • Part of subcall function 00467E69: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00467EC0
                                            • Part of subcall function 00467E69: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?,?,?,?), ref: 00467EDF
                                            • Part of subcall function 00467E69: RegCloseKey.ADVAPI32(?,?,?,?), ref: 00467EE8
                                            • Part of subcall function 00467E69: CharToOemA.USER32(?,?), ref: 00467EF9
                                            • Part of subcall function 0041386D: _memmove.LIBCMT ref: 00413889
                                            • Part of subcall function 00402DC8: _memmove.LIBCMT ref: 00402DE7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove$CharCloseCurrentH_prolog3OpenProfileQueryValue_memset
                                          • String ID:
                                          • API String ID: 577691565-0
                                          • Opcode ID: b135b3f852b03b6197d08d4536549927a5947160d51859af1c2266fb265211ab
                                          • Instruction ID: 56574f88141e954e77c1dcb01ee87c9c5cfaf44dbcd80f149c64dbf8a554db03
                                          • Opcode Fuzzy Hash: b135b3f852b03b6197d08d4536549927a5947160d51859af1c2266fb265211ab
                                          • Instruction Fuzzy Hash: F821D172900248AADB10EF26CD01BDF7BB8EF95304F10406EFC05E7282DA785B09D7A1
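                                           The WinINet fetch (00410235), the VirtualAlloc / VirtualAllocExNuma gate (0040115A), the HAL9TH / JohnDoe comparison (00412B8A) and the MachineGuid lookup (00467E69, also listed as a subcall above) only become readable once their raw hex arguments are decoded: port 000001BB is 443, flags 04800000 are INTERNET_FLAG_SECURE | INTERNET_FLAG_NO_CACHE_WRITE, SAM 00020119 is KEY_READ | KEY_WOW64_64KEY, and 17C841C0 is a 399,000,000-byte commit. The script below is an added example for this report; it is not Joe Sandbox tooling and not code recovered from the sample. It parses the report's 'APIs' line format, decodes the argument constants against standard Windows SDK values, and runs a few triage heuristics over the calls. The input list is constructed from lines copied from the records above, and the heuristic names and the 256 MiB large-allocation threshold are this example's own choices.

```python
"""Decode and triage Joe Sandbox 'APIs' lines from the function records above.

Added example for this report; not Joe Sandbox tooling and not code recovered
from the sample. Constant tables are standard Windows SDK values; the heuristic
names and the 256 MiB threshold are this example's own choices.
"""
import re

# Constructed input: 'APIs' bullet lines copied from the records above, bullet
# stripped. Not a live trace.
SAMPLE_LINES = [
    "InternetConnectA.WININET(000000FF,?,000001BB,00000000,00000000,00000003,04800000,00000000), ref: 00410844",
    "HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,04800000,00000000), ref: 00410876",
    "HttpQueryInfoA.WININET(00000000,00000013,?,0000000F,00000000), ref: 004108A6",
    "RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\\Microsoft\\Cryptography,00000000,00020119,?,?,?,?), ref: 00467EC0",
    "RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,?,?,?,?), ref: 00467EDF",
    "VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,00000283,0000007B), ref: 00401114",
    "VirtualAllocExNuma.KERNEL32(00000000), ref: 00401171",
    "lstrcmpA.KERNEL32(00000000,HAL9TH), ref: 00412BB9",
    "lstrcmpA.KERNEL32(00000000,JohnDoe,00000001,00000000), ref: 00412BE7",
    "ExitProcess.KERNEL32 ref: 00412C01",
]

# "Api.MODULE(arg,arg,...), ref: ADDR"  or  "Api.MODULE ref: ADDR" (no recovered args)
LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# wininet.h / winnt.h / winreg.h values
INTERNET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                  0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                  0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES"}
KEY_RIGHTS = {0x20000: "READ_CONTROL", 0x200: "KEY_WOW64_32KEY", 0x100: "KEY_WOW64_64KEY", 0x10: "KEY_NOTIFY",
              0x8: "KEY_ENUMERATE_SUB_KEYS", 0x4: "KEY_CREATE_SUB_KEY", 0x2: "KEY_SET_VALUE", 0x1: "KEY_QUERY_VALUE"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
SERVICES = {3: "INTERNET_SERVICE_HTTP"}
HTTP_QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE"}
LARGE_ALLOC = 256 << 20  # heuristic: one commit this big is unusual for a working buffer


def decode_flags(value, table):
    """Return (names of the set bits found in table, leftover bits not in table)."""
    if value is None:
        return [], None
    names = [name for bit, name in table.items() if value & bit]
    known = sum(bit for bit in table if value & bit)
    return names, value & ~known


def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None                 # value the IDA plugin could not recover
    if HEX8_RE.match(tok):
        return int(tok, 16)         # 8-digit hex: register / stack value
    return tok                      # inline string constant (GET, HAL9TH, key path, ...)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["mod"], "args": args, "ref": int(m["ref"], 16)}


def annotate(call):
    """Human-readable view of the arguments this example knows how to decode."""
    api, a = call["api"], call["args"]
    if api == "InternetConnectA" and len(a) >= 7:
        return {"port": a[2], "service": SERVICES.get(a[5], a[5]), "flags": decode_flags(a[6], INTERNET_FLAGS)[0]}
    if api == "HttpOpenRequestA" and len(a) >= 7:
        return {"verb": a[1], "flags": decode_flags(a[6], INTERNET_FLAGS)[0]}
    if api == "HttpQueryInfoA" and len(a) >= 2:
        return {"info_level": HTTP_QUERY.get(a[1], a[1])}
    if api == "RegOpenKeyExA" and len(a) >= 4:
        return {"hkey": HKEYS.get(a[0], a[0]), "subkey": a[1], "sam": decode_flags(a[3], KEY_RIGHTS)[0]}
    if api == "VirtualAlloc" and len(a) >= 4:
        return {"size_bytes": a[1], "type": decode_flags(a[2], MEM_FLAGS)[0], "protect": PAGE_PROTECT.get(a[3], a[3])}
    return {}


def triage(lines):
    """Run the heuristics this example defines over one or more records' API lines."""
    calls = [parse_line(l) for l in lines]
    apis = {c["api"] for c in calls}
    strings = {x for c in calls for x in c["args"] if isinstance(x, str)}
    found = {}
    hit = {"HAL9TH", "JohnDoe"} & strings          # names used by the Windows Defender emulator
    if hit and "ExitProcess" in apis:
        found["defender_emulator_check"] = sorted(hit)
    if "VirtualAllocExNuma" in apis and "ExitProcess" in apis:
        found["numa_alloc_gate"] = True              # exit path next to an API some emulators lack
    big = [c["args"][1] for c in calls if c["api"] == "VirtualAlloc" and len(c["args"]) > 1
           and isinstance(c["args"][1], int) and c["args"][1] >= LARGE_ALLOC]
    if big:
        found["large_alloc_bytes"] = max(big)        # consistent with a memory-size sandbox check
    if "MachineGuid" in strings and any(s.endswith("Cryptography") for s in strings):
        found["machineguid_fingerprint"] = True      # stable per-host ID for the victim record
    for c in calls:
        n = annotate(c)
        if c["api"] == "InternetConnectA" and n.get("port") == 443 and "INTERNET_FLAG_SECURE" in n["flags"]:
            found["tls_c2_fetch"] = {"port": 443, "flags": n["flags"]}
    return found


if __name__ == "__main__":
    for c in (parse_line(l) for l in SAMPLE_LINES):
        print(f"{c['ref']:08X} {c['api']:<20} {annotate(c)}")
    print(triage(SAMPLE_LINES))
```

                                           Run as a script it prints each decoded call and then the findings; the same functions accept the 'APIs' lines of any other record on this page. The thresholds are triage aids, not proof: a 399,000,000-byte commit only fails on hosts with little free memory, and a branch to ExitProcess next to VirtualAllocExNuma only matters in an emulator that does not implement the call, which is why both read as environment checks rather than working buffers.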

                                           Control-flow Graph (rendered graph not exported; the executed / not-executed block colouring is lost)
                                           • Entry 0040F3D6; API nodes: GetLogicalDriveStringsA (0040FB28), GetDriveTypeA (0040FBF2); large block structure built from repeated subcalls 00402E63, 00412EBE, 0040356B, 0040744A, 0041386D, 00402DC8, 00470873, 00468FC3, 004074D6, 00402F1F, 00412F1C, 00467DAE, 00470B0E, 00413D75, 0046E453, 0046E591, 00406FD9
                                          APIs
                                          • _strtok.LIBCMT ref: 0040F436
                                          • _strtok.LIBCMT ref: 0040F52B
                                            • Part of subcall function 0040744A: __EH_prolog3.LIBCMT ref: 00407451
                                            • Part of subcall function 0041386D: _memmove.LIBCMT ref: 00413889
                                            • Part of subcall function 00402DC8: _memmove.LIBCMT ref: 00402DE7
                                          • __wgetenv.LIBCMT ref: 0040F6BC
                                          • __wgetenv.LIBCMT ref: 0040F763
                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 0040FB2E
                                            • Part of subcall function 00467DAE: GetUserNameA.ADVAPI32(?,?), ref: 00467DDC
                                          • _strtok.LIBCMT ref: 0040FB74
                                          • GetDriveTypeA.KERNEL32(?,00000001,00000000,?,?,0000003A,?), ref: 0040FBF3
                                            • Part of subcall function 004074D6: __EH_prolog3_GS.LIBCMT ref: 004074E0
                                            • Part of subcall function 004074D6: _memset.LIBCMT ref: 00407512
                                            • Part of subcall function 004074D6: _memset.LIBCMT ref: 00407528
                                            • Part of subcall function 004074D6: _memset.LIBCMT ref: 00407539
                                            • Part of subcall function 004074D6: _memset.LIBCMT ref: 0040754A
                                            • Part of subcall function 004074D6: lstrcpyW.KERNEL32(?,?), ref: 0040755A
                                            • Part of subcall function 004074D6: lstrcatW.KERNEL32(?,\*.*), ref: 00407572
                                            • Part of subcall function 004074D6: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004969E4,?,?), ref: 00407582
                                            • Part of subcall function 004074D6: lstrcpyW.KERNEL32(?,?), ref: 0040759B
                                            • Part of subcall function 004074D6: lstrcatW.KERNEL32(?,00496A58), ref: 004075AD
                                            • Part of subcall function 004074D6: lstrcatW.KERNEL32(?,?), ref: 004075BD
                                            • Part of subcall function 004074D6: lstrcpyW.KERNEL32(?,?), ref: 004075CC
                                            • Part of subcall function 004074D6: lstrcatW.KERNEL32(?,00496A58), ref: 004075DE
                                            • Part of subcall function 004074D6: lstrcatW.KERNEL32(?,?), ref: 004075EE
                                            • Part of subcall function 004074D6: lstrcmpW.KERNEL32(?,00496A5C), ref: 00407605
                                            • Part of subcall function 004074D6: lstrcmpW.KERNEL32(?,00496A60), ref: 0040761F
                                            • Part of subcall function 00402F1F: _memmove.LIBCMT ref: 00402F39
                                          • _strtok.LIBCMT ref: 00410055
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcat$_memset_strtok$_memmovelstrcpy$Drive__wgetenvlstrcmp$FileFindFirstH_prolog3H_prolog3_LogicalNameStringsTypeUser
                                          • String ID: %APPDATA%$%C%$%DESKTOP%$%DOCUMENTS%$%DRIVE_FIXED%$%DRIVE_REMOVABLE%$%LOCALAPPDATA%$%PROGRAMFILES%$%PROGRAMFILES_86%$($.zip$APPDATA$C:\$C:\Program Files$C:\Program Files (x86)$C:\Users\$LOCALAPPDATA$\Desktop$\Documents
                                          • API String ID: 134026673-4147038198
                                          • Opcode ID: b6d357e4ad9f8bdc5ff1750871187effd680f6b190f17d6a191aaa33d191dadd
                                          • Instruction ID: 242d278282c42caac547bf29b6668d2e9b95705c619a3b60152e13de5aa236aa
                                          • Opcode Fuzzy Hash: b6d357e4ad9f8bdc5ff1750871187effd680f6b190f17d6a191aaa33d191dadd
                                          • Instruction Fuzzy Hash: EC82A571801258EADB25EBA98D4DADD7BB4AF15304F1041FFE404A72C2D7785F88CBA6
                                          APIs
                                          • _sprintf.LIBCMT ref: 004178A6
                                          • FindFirstFileA.KERNEL32(?,?), ref: 004178BC
                                          • _sprintf.LIBCMT ref: 0041791A
                                            • Part of subcall function 00470377: __output_l.LIBCMT ref: 004703D2
                                          • _memset.LIBCMT ref: 0041792D
                                          • _sprintf.LIBCMT ref: 00417958
                                            • Part of subcall function 00470377: __flsbuf.LIBCMT ref: 004703ED
                                            • Part of subcall function 00416400: __EH_prolog3_GS.LIBCMT ref: 0041640A
                                            • Part of subcall function 00416400: GetCurrentDirectoryA.KERNEL32(00000104,?,00000180,0041798E,?,?,?), ref: 00416438
                                            • Part of subcall function 00416400: lstrcatA.KERNEL32(?,\temp), ref: 0041644A
                                            • Part of subcall function 00416400: CopyFileA.KERNEL32(?,?,00000001), ref: 0041645A
                                            • Part of subcall function 00416400: DeleteFileA.KERNEL32(?,?,?,00000001), ref: 00416747
                                          • FindNextFileA.KERNEL32(?,?), ref: 00417ACE
                                          • FindClose.KERNEL32(?), ref: 00417AE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Find_sprintf$CloseCopyCurrentDeleteDirectoryFirstH_prolog3_Next__flsbuf__output_l_memsetlstrcat
                                          • String ID: %s\%s$%s\%s\%s\%s$%s\*$Cookies$History$Network
                                          • API String ID: 1380358021-2179649295
                                          • Opcode ID: 6e9791d67373f77d84863312410aad51335f718cae7a234b7e2aa169a77ec857
                                          • Instruction ID: 62176025aec5f8ae1757ae46062dfb8c44e38e45520d1202130d7481884d011d
                                          • Opcode Fuzzy Hash: 6e9791d67373f77d84863312410aad51335f718cae7a234b7e2aa169a77ec857
                                          • Instruction Fuzzy Hash: 65613DB190422DABCF24DB60DC85EDEB778AF05304F5040EAB609A2191EB359FC5CF69
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00407D17
                                          • _sprintf.LIBCMT ref: 00407D53
                                          • FindFirstFileA.KERNEL32(?,?), ref: 00407D69
                                          • _sprintf.LIBCMT ref: 00407DDB
                                            • Part of subcall function 00402DC8: _memmove.LIBCMT ref: 00402DE7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _sprintf$FileFindFirstH_prolog3__memmove
                                          • String ID: %s\%s$%s\*
                                          • API String ID: 3424056942-2848263008
                                          • Opcode ID: 900e7bc2bfeba56dd156f72899bcac52920cf59c1a51af7a70625ea529ac01ac
                                          • Instruction ID: b8d7f204a1997863d3ca231cba062339bbbba67efa6e3da75bb4826230bd50b3
                                          • Opcode Fuzzy Hash: 900e7bc2bfeba56dd156f72899bcac52920cf59c1a51af7a70625ea529ac01ac
                                          • Instruction Fuzzy Hash: E3712CB1800268AADB21DB61CD49FDE7B7CEF55305F1040EAF609B2181DB745F84DB69
                                          APIs
                                            • Part of subcall function 004055F0: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,004057A6), ref: 0040561C
                                          • __fassign.LIBCMT ref: 00406664
                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 004067D8
                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00406804
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileTime$LocalPointerSystem__fassign
                                          • String ID: $/../$/..\$\../$\..\
                                          • API String ID: 3768451866-3209527955
                                          • Opcode ID: 27a6bff1563651338762a0a3813bbe73c2c0069b6d409105a5a620b5c64dc1ce
                                          • Instruction ID: 1438e1500d0fe3e4df0883985549f61488f60175263e39dc414dd205fd3c0c0a
                                          • Opcode Fuzzy Hash: 27a6bff1563651338762a0a3813bbe73c2c0069b6d409105a5a620b5c64dc1ce
                                          • Instruction Fuzzy Hash: 48F1C1719042548BDB24CF28C8897D97BF0EF59304F1945FAE889EB282D7399E91CF58
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __fprintf_l
                                          • String ID: %s-mjXXXXXX9XXz$-mj%06X9%02X$1&E$MJ collide: %s$MJ delete: %s$d
                                          • API String ID: 3906573944-3610483488
                                          • Opcode ID: d5dc53018ca6d4b9bb60d3910d369fd1f9cfdc3cb95378c9c95b3a294d3eb80b
                                          • Instruction ID: 1d9b4cc4d515554b4121240f9d9c2b9fd053f050942fdc1017acbba671b5132e
                                          • Opcode Fuzzy Hash: d5dc53018ca6d4b9bb60d3910d369fd1f9cfdc3cb95378c9c95b3a294d3eb80b
                                          • Instruction Fuzzy Hash: C102BF70A08301AFDB24DF25D48172BBBE0AF98315F14985FF89987352C778DA85CB5A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: UT
                                          • API String ID: 0-894488996
                                          • Opcode ID: c892c159aee7d5f0fdbd02571aaacad2cd97a01b1958aaaa13da5aa405451916
                                          • Instruction ID: 9597f45a59ba20157c2a817b7c897a81029579d4f0838ddf2f28defb534b2e08
                                          • Opcode Fuzzy Hash: c892c159aee7d5f0fdbd02571aaacad2cd97a01b1958aaaa13da5aa405451916
                                          • Instruction Fuzzy Hash: 68F19374E042548BCF25CF29C8903AE7BB1AF55304F1444EED949AB346E7389E85CF9A
                                          APIs
                                          • _malloc.LIBCMT ref: 00417B17
                                            • Part of subcall function 00470057: __FF_MSGBANNER.LIBCMT ref: 00470070
                                            • Part of subcall function 00470057: __NMSG_WRITE.LIBCMT ref: 00470077
                                            • Part of subcall function 00470057: HeapAlloc.KERNEL32(00000000,00000001,?,00000001,?,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 0047009C
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00417B30
                                          • CloseHandle.KERNEL32(00000000), ref: 00417B41
                                          • Process32First.KERNEL32(?,00000128), ref: 00417B5B
                                          • Process32Next.KERNEL32(?,00000128), ref: 00417BCC
                                          • CloseHandle.KERNEL32(?), ref: 00417BDC
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleProcess32$AllocCreateFirstHeapNextSnapshotToolhelp32_malloc
                                          • String ID:
                                          • API String ID: 2312346443-0
                                          • Opcode ID: 0c1fdefb831a4b6b8e9e5e10b92643a8e39f94e0d48b30430fd6ce4b83a8295b
                                          • Instruction ID: 4f8b7e7fd4c555e3e6b23cce8feb31e7dbd7681f31879cd5b6efa03ca4494cfa
                                          • Opcode Fuzzy Hash: 0c1fdefb831a4b6b8e9e5e10b92643a8e39f94e0d48b30430fd6ce4b83a8295b
                                          • Instruction Fuzzy Hash: ED31A7709081189FCB209F30DC85BEBBBB5EF16318F1044EAE559E6251D7356E84CF88
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,0047F323,?,00473B72,?,000000BC,?,00000001,00000000,00000000), ref: 0047ED25
                                          • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,0047F323,?,00473B72,?,000000BC,?,00000001,00000000,00000000), ref: 0047ED4E
                                          • GetACP.KERNEL32(?,?,0047F323,?,00473B72,?,000000BC,?,00000001,00000000), ref: 0047ED62
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: 7264b729f23bfed791a095df6bb8f87bec5872f09beac497c8774998b38938a8
                                          • Instruction ID: 6adb5aae6e07e85339e07dbdd1a0207fba0319cc821da1d25e654035cc51df2f
                                          • Opcode Fuzzy Hash: 7264b729f23bfed791a095df6bb8f87bec5872f09beac497c8774998b38938a8
                                          • Instruction Fuzzy Hash: B501B93050120BBAE73157629C05BDE72A89B0535CF14899BE405E5181DB68DA41879D
                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 00475B97
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00475BAC
                                          • UnhandledExceptionFilter.KERNEL32(0048BEF0), ref: 00475BB7
                                          • GetCurrentProcess.KERNEL32(C0000409), ref: 00475BD3
                                          • TerminateProcess.KERNEL32(00000000), ref: 00475BDA
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                          • String ID:
                                          • API String ID: 2579439406-0
                                          • Opcode ID: bb1f69c795252cc365a70b3699e9f85244b2801c44ba21212d92ce807e1cbb8d
                                          • Instruction ID: 7ef8a5c218725990bed2237a4771330c1081eefc566ea1ae6a3892cfa2c7b7bf
                                          • Opcode Fuzzy Hash: bb1f69c795252cc365a70b3699e9f85244b2801c44ba21212d92ce807e1cbb8d
                                          • Instruction Fuzzy Hash: 5C21EDB9519204DFD760DF29ED4965A3FA0FB1A311F5089BAE80887371E3B55D808F8D
                                          APIs
                                          • _malloc.LIBCMT ref: 00416259
                                            • Part of subcall function 00470057: __FF_MSGBANNER.LIBCMT ref: 00470070
                                            • Part of subcall function 00470057: __NMSG_WRITE.LIBCMT ref: 00470077
                                            • Part of subcall function 00470057: HeapAlloc.KERNEL32(00000000,00000001,?,00000001,?,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 0047009C
                                          • _memmove.LIBCMT ref: 00416261
                                          • _malloc.LIBCMT ref: 0041626D
                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00416286
                                          • _memmove.LIBCMT ref: 0041629C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _malloc_memmove$AllocCryptDataHeapUnprotect
                                          • String ID:
                                          • API String ID: 1919570851-0
                                          • Opcode ID: 5ea23b5d3cbec1dd28063996fe7e563ed1a6a51f37320d29bc350cb99e68b440
                                          • Instruction ID: 3c49e61a30393e7039012c24013aaf95a503e31b98671f18cd89ef6c5739e021
                                          • Opcode Fuzzy Hash: 5ea23b5d3cbec1dd28063996fe7e563ed1a6a51f37320d29bc350cb99e68b440
                                          • Instruction Fuzzy Hash: DBF06873D01114BB8B11BAFA9C45CEFBB7CDD81254B05487BF509E3241E5B9D90187B9
                                          APIs
                                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0041602C
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00416040
                                          • _memmove.LIBCMT ref: 00416055
                                          • LocalFree.KERNEL32(?), ref: 00416060
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Local$AllocCryptDataFreeUnprotect_memmove
                                          • String ID:
                                          • API String ID: 3008826695-0
                                          • Opcode ID: 3e8b5ab1a88c2e6b0e926b7a8093fddf14456c43b07c27b8abc04fa04072d55c
                                          • Instruction ID: 17c56a47bb7e7f2ffd805f265ce5806d964b2ae3098bf64e7cd0f515e879f0ba
                                          • Opcode Fuzzy Hash: 3e8b5ab1a88c2e6b0e926b7a8093fddf14456c43b07c27b8abc04fa04072d55c
                                          • Instruction Fuzzy Hash: 84F031B6900218EFCB01DFE4DC898DEBBB9EB09700F104866E915D7251E3759A549B94
                                          APIs
                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00415FCB
                                          • LocalAlloc.KERNEL32(00000040,?,?,00000000,00000000), ref: 00415FD9
                                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 00415FEF
                                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000), ref: 00415FFE
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: BinaryCryptLocalString$AllocFree
                                          • String ID:
                                          • API String ID: 4291131564-0
                                          • Opcode ID: 7d5f49acdf54735736ebc8d86f591bcb403753bfae5c06ae36f6ad2e04c07143
                                          • Instruction ID: baec4b68066b81be2af5f381eda8b6a13ad41fe80d30ded99f7bdf82632557c0
                                          • Opcode Fuzzy Hash: 7d5f49acdf54735736ebc8d86f591bcb403753bfae5c06ae36f6ad2e04c07143
                                          • Instruction Fuzzy Hash: F6F0C4B0511234BFCB329F66CC49E9B7EB9EF0ABA0B100055F80A96250D3718940DBE5
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memset
                                          • String ID: P$P
                                          • API String ID: 2102423945-159270896
                                          • Opcode ID: bfd8c31deddb398b48a9967069bd856fc6208688df727058eb818b8b43a04596
                                          • Instruction ID: 9dd4c9a12cb89ddf228e7564a69c0099ad06dbac8803ebdca41ff4bcda8eb706
                                          • Opcode Fuzzy Hash: bfd8c31deddb398b48a9967069bd856fc6208688df727058eb818b8b43a04596
                                          • Instruction Fuzzy Hash: 17123771900605EFCF14CF58C9816AABBB1FF08305F6681AAEC04AB313D7399995CF98
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: lstrcmpi
                                          • String ID:
                                          • API String ID: 1586166983-0
                                          • Opcode ID: 497a9cc1a305303e8336f67bb200411f51754dda66b3d1f868b0c0c3b2169892
                                          • Instruction ID: 92f4c89ad19f2db30cbd1b9c44405fff6ebe2128e604f6bae2beac15fdf0abbc
                                          • Opcode Fuzzy Hash: 497a9cc1a305303e8336f67bb200411f51754dda66b3d1f868b0c0c3b2169892
                                          • Instruction Fuzzy Hash: 94F08236A00144EBCF21CF55D904AAEF7B9EB43360F253065D445B3651C338ED41EA9C

                                          Control-flow Graph

                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 0041640A
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?,00000180,0041798E,?,?,?), ref: 00416438
                                          • lstrcatA.KERNEL32(?,\temp), ref: 0041644A
                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 0041645A
                                          • DeleteFileA.KERNEL32(?,?,?,00000001), ref: 00416747
                                            • Part of subcall function 004719B0: __fsopen.LIBCMT ref: 004719BD
                                          • _fprintf.LIBCMT ref: 0041656D
                                          • _fprintf.LIBCMT ref: 0041657E
                                          • _fprintf.LIBCMT ref: 00416588
                                          • _fprintf.LIBCMT ref: 00416599
                                          • _fprintf.LIBCMT ref: 004165A3
                                          • _fprintf.LIBCMT ref: 004165B4
                                          • _fprintf.LIBCMT ref: 004165BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _fprintf$File$CopyCurrentDeleteDirectoryH_prolog3___fsopenlstrcat
                                          • String ID: Host: %s$Login: %s$Password: %s$Soft: %s$\temp
                                          • API String ID: 97202321-2676079308
                                          • Opcode ID: e028f6bb8aa9845874044d6166f2ac8d754ae874a701ac1e0137ff8268aec1f6
                                          • Instruction ID: f5b38341e0ee959e2150b3432493bede525637e30f753d57a574c0ed7002c3b8
                                          • Opcode Fuzzy Hash: e028f6bb8aa9845874044d6166f2ac8d754ae874a701ac1e0137ff8268aec1f6
                                          • Instruction Fuzzy Hash: 8881F472804214BBDF256B21EC46FEE7B34EF05714F5040EFF508A2192EE396E858A9D
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __fprintf_l
                                          • String ID: AS %s$ SUBQUERY %d$ TABLE %s$ USING $ USING INTEGER PRIMARY KEY $ VIRTUAL TABLE INDEX %d:%s$(rowid<?)$(rowid=?)$(rowid>? AND rowid<?)$(rowid>?)$0$@$@$AUTOMATIC COVERING INDEX$COVERING INDEX %s$INDEX %s$PRIMARY KEY$SCAN$SEARCH$d
                                          • API String ID: 3906573944-4185468390
                                          • Opcode ID: 97ee420aac0bf94b82f7647cc802613608b760b9dafda6dc9e551a453f70088f
                                          • Instruction ID: 4ffbcd779f73119eef9b338e9619e9bc216fc90449599b778100cf74fec52fd6
                                          • Opcode Fuzzy Hash: 97ee420aac0bf94b82f7647cc802613608b760b9dafda6dc9e551a453f70088f
                                          • Instruction Fuzzy Hash: 47616071D003189ADF28DBA2C945B9A7BB8AB04315F1041EBED0967283D77C9E89CF59
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _fprintf$File$CopyCurrentDeleteDirectory__fsopen_memset_sprintflstrcat
                                          • String ID: CC\%s_%s.txt$Card: %s$Month: %s$Name: %s$Year: %s$\temp
                                          • API String ID: 1529569132-3508537252
                                          • Opcode ID: c53c4fc084b001ac36a1f83a18d24c7cfa0f91bf68fdcf79cf2a220ed2838cef
                                          • Instruction ID: 9d9567f7be530903f68ddbf5f79de396c846d351ee31e6f14767a365d8367087
                                          • Opcode Fuzzy Hash: c53c4fc084b001ac36a1f83a18d24c7cfa0f91bf68fdcf79cf2a220ed2838cef
                                          • Instruction Fuzzy Hash: A051A4729002186ACF21AB25DC4AFDE7B78EF08714F1001AEF508B6161EA799E848F59
                                          APIs
                                          • _memset.LIBCMT ref: 0041C43A
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041C474
                                          • _strncmp.LIBCMT ref: 0041C6FB
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041C79A
                                          • __allrem.LIBCMT ref: 0041C7A5
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041C81E
                                            • Part of subcall function 0041C201: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041C2A3
                                            • Part of subcall function 0041C201: __localtime64_s.LIBCMT ref: 0041C2C6
                                          Strings
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem__localtime64_s_memset_strncmp
                                          • String ID: -$day$hour$localtime$minute$month$second$start of $unixepoch$utc$weekday $year
                                          • API String ID: 3149664924-3507268942
                                          • Opcode ID: 6cb7d256b48f677e8efacd63b231420e909b5686991c8a14476e4c44bc041c2e
                                          • Instruction ID: 639a7cb70fc3d4c4c7cda9d2da34f57234f39f726347d5c4178a1932c330f5e8
                                          • Opcode Fuzzy Hash: 6cb7d256b48f677e8efacd63b231420e909b5686991c8a14476e4c44bc041c2e
                                          • Instruction Fuzzy Hash: 480226B2D842189BDF149F75DC817ED7BB4EF04324F25816BE404BB292DB3898858B9D
                                          APIs
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0041679C
                                          • lstrcatA.KERNEL32(?,\temp), ref: 004167B4
                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 004167C0
                                          • _memset.LIBCMT ref: 004167D1
                                          • lstrcatA.KERNEL32(?), ref: 004167E6
                                          • lstrcatA.KERNEL32(?,00496A68), ref: 004167F4
                                          • lstrcatA.KERNEL32(?,?), ref: 00416803
                                          • lstrcatA.KERNEL32(?,0049961C), ref: 00416811
                                          • lstrcatA.KERNEL32(?,?), ref: 00416820
                                          • lstrcatA.KERNEL32(?,.txt), ref: 0041682E
                                          • DeleteFileA.KERNEL32(?), ref: 00416A61
                                            • Part of subcall function 004719B0: __fsopen.LIBCMT ref: 004719BD
                                          • lstrcatA.KERNEL32(?), ref: 0041693E
                                          • lstrcatA.KERNEL32(?), ref: 0041696A
                                          • lstrcatA.KERNEL32(?,0049962C,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00416982
                                          • _fprintf.LIBCMT ref: 004169F8
                                          • _fprintf.LIBCMT ref: 00416A1A
                                          Strings
                                          Similarity
                                          • API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset
                                          • String ID: %s%s%s%s%s%s%s$.txt$\temp
                                          • API String ID: 1987428508-1558371589
                                          • Opcode ID: 7a4c6f52169789d06baf291a97312dbbc91675c633334afd77cafa7d0e63eecf
                                          • Instruction ID: 7c14338098b7e7db1ca7ba23e33387902211346134f1223a526911191d2195f0
                                          • Opcode Fuzzy Hash: 7a4c6f52169789d06baf291a97312dbbc91675c633334afd77cafa7d0e63eecf
                                          • Instruction Fuzzy Hash: 18817271D00218ABDF24AB65DC89FDEB779EF49304F1005EAF508A6160EB799EC18F18
                                          APIs
                                          • _memset.LIBCMT ref: 00415731
                                          • InternetOpenA.WININET(0049109F,00000000,00000000,00000000,00000000), ref: 00415742
                                          • StrCmpCA.SHLWAPI(http://,https://,?,004116B8,00000000,?,00000001,00000000), ref: 0041575E
                                          • InternetSetOptionA.WININET(?,00000006,?,00000004), ref: 00415784
                                          • InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,00000000), ref: 004157A1
                                          • HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,00000000,04400100,00000000), ref: 004157D1
                                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004157E8
                                          • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 004157FD
                                          • StrCmpCA.SHLWAPI(?,200,?,00000050,00000000,00000000,00000003,00000000,00000000,?,004116B8,00000000,?,00000001,00000000), ref: 00415813
                                          • Sleep.KERNEL32(00007530,?,00000050,00000000,00000000,00000003,00000000,00000000,?,004116B8,00000000,?,00000001,00000000), ref: 00415822
                                          • lstrcatA.KERNEL32(?,?,?,00000050,00000000,00000000,00000003,00000000,00000000,?,004116B8,00000000,?,00000001,00000000), ref: 00415850
                                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00415863
                                          • InternetCloseHandle.WININET(00000000), ref: 0041586E
                                          • InternetCloseHandle.WININET(?), ref: 00415877
                                          • InternetCloseHandle.WININET(?), ref: 00415880
                                          Strings
                                          Similarity
                                          • API ID: Internet$CloseHandleHttp$OpenRequest$ConnectFileInfoOptionQueryReadSendSleep_memsetlstrcat
                                          • String ID: 200$GET$http://$https://
                                          • API String ID: 692990806-2803709044
                                          • Opcode ID: 432128ca09addc5861bb4e93d75ed0533bb3e00cd3d39669b3a20e36f2b3087e
                                          • Instruction ID: 414aba829c8352d4bf88419e54bfbec12f25811a8ab32e29fabf8d5da088297b
                                          • Opcode Fuzzy Hash: 432128ca09addc5861bb4e93d75ed0533bb3e00cd3d39669b3a20e36f2b3087e
                                          • Instruction Fuzzy Hash: FA41A272A00208EFEF20AFA19C89EEE7BBCEB49744F10443AF915A6191D7354D508F29
                                          APIs
                                            • Part of subcall function 0041C945: _memset.LIBCMT ref: 0041C955
                                          • __fprintf_l.LIBCMT ref: 0041CDB9
                                          • __fprintf_l.LIBCMT ref: 0041CDE1
                                          • __fprintf_l.LIBCMT ref: 0041CE24
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041CE75
                                          • __allrem.LIBCMT ref: 0041CE7F
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041CEA1
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041CF10
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041CF35
                                          • __allrem.LIBCMT ref: 0041CF3F
                                          • __fprintf_l.LIBCMT ref: 0041CF64
                                          • __fprintf_l.LIBCMT ref: 0041CF81
                                          • __fprintf_l.LIBCMT ref: 0041CFBD
                                          Strings
                                          Similarity
                                          • API ID: __fprintf_l$Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$_memset
                                          • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld
                                          • API String ID: 2116274655-866662573
                                          • Opcode ID: fb5638c7ed1271ae65138dcda30e8bb038b269448a7fec5c11668d525bb7a531
                                          • Instruction ID: 836c92775124e24b61907e493c8b8b69f00f6fe5decce97297a8ac07e7ef8314
                                          • Opcode Fuzzy Hash: fb5638c7ed1271ae65138dcda30e8bb038b269448a7fec5c11668d525bb7a531
                                          • Instruction Fuzzy Hash: 24B169B25883419BD7209F68DCC5BAF7B95EB85708F14092FF48497281E328DD82879F
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __fprintf_l$_memmove
                                          • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$BINARY$NULL$c)C$intarray$k(%d$nil$program$vtab:%p:%p
                                          • API String ID: 3461008893-2278253969
                                          • Opcode ID: a448064c649f97faae7fd6785b52616178a3f2d0222657c96b4337d8c66bef1f
                                          • Instruction ID: 18f2d00733bee78c9bafebd6f5414a25abf2a19029b85e8924bbc26d8d92c15c
                                          • Opcode Fuzzy Hash: a448064c649f97faae7fd6785b52616178a3f2d0222657c96b4337d8c66bef1f
                                          • Instruction Fuzzy Hash: 9B61D970900215EFCB14CF58CA95A7A7BB0FF08714F24559BF5115B2A2E3BCDA41CBA9
                                          APIs
                                          • InternetOpenA.WININET(0049109F,00000001,00000000,00000000,00000000), ref: 004150FA
                                            • Part of subcall function 00415046: _memset.LIBCMT ref: 00415061
                                            • Part of subcall function 00415046: _memset.LIBCMT ref: 0041506E
                                            • Part of subcall function 00415046: lstrlenA.KERNEL32(00000000,10000000,?), ref: 00415094
                                            • Part of subcall function 00415046: InternetCrackUrlA.WININET(00000000,00000000), ref: 0041509C
                                          • StrCmpCA.SHLWAPI(00000000,https), ref: 00415116
                                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000100,00000000), ref: 0041513E
                                          • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00415158
                                          • StrCmpCA.SHLWAPI(?,200), ref: 0041516E
                                          • Sleep.KERNEL32(00007530), ref: 0041517D
                                          • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0041519F
                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 004151C0
                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 004151E3
                                          • _memset.LIBCMT ref: 004151F3
                                          • CloseHandle.KERNEL32(00000000), ref: 004151FC
                                          • InternetCloseHandle.WININET(?), ref: 00415205
                                          • InternetCloseHandle.WININET(?), ref: 0041520E
                                          Strings
                                          Similarity
                                          • API ID: Internet$CloseFileHandle_memset$Open$CrackCreateHttpInfoQueryReadSleepWritelstrlen
                                          • String ID: 200$ERROR$\update.zip$https
                                          • API String ID: 1246493084-2376130104
                                          • Opcode ID: c419faa05e0146ca9418a0ebe1d6364786048201664cdbd98eb7838bf257019d
                                          • Instruction ID: b9b7a9e89276d6c01d343d6fa1f7af144817747d10d19916eebe6eaad0efc315
                                          • Opcode Fuzzy Hash: c419faa05e0146ca9418a0ebe1d6364786048201664cdbd98eb7838bf257019d
                                          • Instruction Fuzzy Hash: 02411771A01218AFDF229FA5DC48BEE7EB8FB49755F10002AF909AA151E7744944CB68
                                          Strings
                                          • Corruption detected in cell %d on page %d, xrefs: 0042FEC4
                                          • Child page depth differs, xrefs: 0042FC7E
                                          • Rowid %lld out of order (previous was %lld), xrefs: 0042FB9C
                                          • Rowid %lld out of order (max larger than parent min of %lld), xrefs: 0042FD4F
                                          • unable to get the page. error code=%d, xrefs: 0042FACE
                                          • Rowid %lld out of order (max larger than parent max of %lld), xrefs: 0042FD9A
                                          • Page %d: , xrefs: 0042FAB8, 0042FCFE
                                          • Rowid %lld out of order (min less than parent max of %lld), xrefs: 0042FDD5
                                          • On tree page %d cell %d: , xrefs: 0042FB38
                                          • Fragmentation of %d bytes reported as %d on page %d, xrefs: 0042FF76
                                          • On page %d at right child: , xrefs: 0042FCC0
                                          • Rowid %lld out of order (min less than parent min of %lld), xrefs: 0042FD70
                                          • Multiple uses for byte %d of page %d, xrefs: 0042FF5B
                                          • btreeInitPage() returns error code %d, xrefs: 0042FAF7
                                          Similarity
                                          • API ID:
                                          • String ID: Child page depth differs$Corruption detected in cell %d on page %d$Fragmentation of %d bytes reported as %d on page %d$Multiple uses for byte %d of page %d$On page %d at right child: $On tree page %d cell %d: $Page %d: $Rowid %lld out of order (max larger than parent max of %lld)$Rowid %lld out of order (max larger than parent min of %lld)$Rowid %lld out of order (min less than parent max of %lld)$Rowid %lld out of order (min less than parent min of %lld)$Rowid %lld out of order (previous was %lld)$btreeInitPage() returns error code %d$unable to get the page. error code=%d
                                          • API String ID: 0-2326541033
                                          • Opcode ID: 448db321e91c2ccef7395b74a32e930d33ed20296aa25c4f1b18476cd5179cda
                                          • Instruction ID: f85b82b4060a57e0ff8fb6a2bf43201a5dc7e793933f730d20a68e6b844a1852
                                          • Opcode Fuzzy Hash: 448db321e91c2ccef7395b74a32e930d33ed20296aa25c4f1b18476cd5179cda
                                          • Instruction Fuzzy Hash: CC028171E00129AFCF15DFA5E981AAEBBB1FF04304F94817BF815A7242D7389954CB98
                                          APIs
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00417393
                                          • lstrcatA.KERNEL32(?,\temp), ref: 004173A5
                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 004173B5
                                          • _memset.LIBCMT ref: 004173C6
                                          • _sprintf.LIBCMT ref: 004173E1
                                          • DeleteFileA.KERNEL32(?), ref: 004175A7
                                            • Part of subcall function 004719B0: __fsopen.LIBCMT ref: 004719BD
                                          • lstrcatA.KERNEL32(?,FALSE), ref: 004174EE
                                          • lstrcatA.KERNEL32(?,FALSE), ref: 0041751C
                                          • _fprintf.LIBCMT ref: 00417557
                                          • _fprintf.LIBCMT ref: 0041756A
                                          Strings
                                          Similarity
                                          • API ID: lstrcat$File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset_sprintf
                                          • String ID: %s%s%s%s%s%s%s$Cookies\%s_%s.txt$FALSE$SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies$TRUE$\temp
                                          • API String ID: 3460225999-2261803944
                                          • Opcode ID: d2c7d617309d55b52eff96d3ff9fe57b77ad52917699a480e8a55d4126c38b16
                                          • Instruction ID: 1488e544df49d096f02867bb4a705a12e58e787b2e0ad9f3fa6e1869c7c65d81
                                          • Opcode Fuzzy Hash: d2c7d617309d55b52eff96d3ff9fe57b77ad52917699a480e8a55d4126c38b16
                                          • Instruction Fuzzy Hash: FE518D71D40218BBDF20ABB5AC8AFDE7779AB0C714F1005EBF509A2151EB795E808F58
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __fprintf_l$_memmove
                                          • String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%s]$zTC
                                          • API String ID: 3461008893-3362877074
                                          • Opcode ID: 64dfa963d34e00a822b42be724267fe2222ee6fd3f184d13606ac56c7f7d69d6
                                          • Instruction ID: 2ece3f874d2e242e84e2cfe96c4295213c33eaf8b7c7b93cb5f2f2745ab8a568
                                          • Opcode Fuzzy Hash: 64dfa963d34e00a822b42be724267fe2222ee6fd3f184d13606ac56c7f7d69d6
                                          • Instruction Fuzzy Hash: C591D4B1908341AFDB10DF25D841A6B7BE4EF98314F14483FF8999B241E738D949CB9A
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __fprintf_l$_memset
                                          • String ID: F$2F$FF$etilqs_$winGetTempname1$winGetTempname2$winGetTempname3$winGetTempname4$winGetTempname5
                                          • API String ID: 639243752-880078377
                                          • Opcode ID: 216e0beb9c497ced8917cbef2160721d78f58f10b86ea0e6cf9185d60497f669
                                          • Instruction ID: 703037f987de32d31ffa36dba255fc1b185ea0c7e31d886d61cd7d79347f57cb
                                          • Opcode Fuzzy Hash: 216e0beb9c497ced8917cbef2160721d78f58f10b86ea0e6cf9185d60497f669
                                          • Instruction Fuzzy Hash: F8614771708111BEDB15BB69B942ABE3B99DF84354B54013FF4018B283EF7CD88286AD
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 004071BB
                                          • _memset.LIBCMT ref: 004071CF
                                          • _strtok_s.LIBCMT ref: 004071FC
                                          • lstrlenA.KERNEL32(?,?,?,?,?,?,00000048), ref: 00407218
                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,00000048), ref: 00407231
                                          • lstrcatA.KERNEL32(?,00000000,00000014,?,?,?,?,?,00000048), ref: 0040724A
                                          • lstrcatA.KERNEL32(?,00000001,00000000,?,?,?,?,?,00000048), ref: 00407261
                                          • _memset.LIBCMT ref: 00407276
                                          • ShellExecuteExA.SHELL32(?,?,?,?,?,?,?,?,?,?,00000048), ref: 004072B0
                                          • _memset.LIBCMT ref: 004072BD
                                          • _memset.LIBCMT ref: 004072CC
                                          • _strtok_s.LIBCMT ref: 004072DA
                                          Strings
                                          Similarity
                                          • API ID: _memset$lstrcat$_strtok_s$ExecuteH_prolog3Shelllstrlen
                                          • String ID: open
                                          • API String ID: 403364113-2758837156
                                          • Opcode ID: 1579606e2508a460704f550a14be693ccefd6fb430a0664eb122a99bd1944a1d
                                          • Instruction ID: 65886099bf9420d69eea922b84e637271f04a02a1162e84bb99c4615add86de1
                                          • Opcode Fuzzy Hash: 1579606e2508a460704f550a14be693ccefd6fb430a0664eb122a99bd1944a1d
                                          • Instruction Fuzzy Hash: 5C416CB1800209AFDB15EFA1DC45EEE7BB8EF44304F50442AE515AA190E778AA19CB59
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: %s mode not allowed: %s$@$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                          • API String ID: 4104443479-3038509144
                                          • Opcode ID: ce730b6001f0b01edeb1d3365f68a86adca06910f221659e2b10667d6467a73e
                                          • Instruction ID: ee29e363ec3d7fe93fec5ebea08a3586577f662e3d02ac3948cf6c1cce9aa3c7
                                          • Opcode Fuzzy Hash: ce730b6001f0b01edeb1d3365f68a86adca06910f221659e2b10667d6467a73e
                                          • Instruction Fuzzy Hash: DEC11B71D042199BCF24CF99C4807EEBBB1AF56314F26806FD845BB341E7389D86875A
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __fprintf_l
                                          • String ID: %!.15g$%02x$%lld$'%.*q'$-- $NULL$d$zeroblob(%d)
                                          • API String ID: 3906573944-567025912
                                          • Opcode ID: 899481913a87f12b594c8c4d0ae31eedb71b64afa80ef272ad3fb1c3d05703db
                                          • Instruction ID: 287645ac5c942f7a377bd5c6393b7f6c0e8d54fbcf7ab4675126e58199232e1e
                                          • Opcode Fuzzy Hash: 899481913a87f12b594c8c4d0ae31eedb71b64afa80ef272ad3fb1c3d05703db
                                          • Instruction Fuzzy Hash: 77918E71904359AFDF20DF64CC41BD9BBB5AF09304F1180AFE549A7282DB38AA85CF59
                                          APIs
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00417724
                                          • lstrcatA.KERNEL32(?,\temp), ref: 00417736
                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 00417746
                                          • _memset.LIBCMT ref: 00417757
                                          • _sprintf.LIBCMT ref: 00417772
                                          • DeleteFileA.KERNEL32(?), ref: 00417841
                                            • Part of subcall function 004719B0: __fsopen.LIBCMT ref: 004719BD
                                          • _fprintf.LIBCMT ref: 00417802
                                          • _fprintf.LIBCMT ref: 0041780D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset_sprintflstrcat
                                          • String ID: %s%s$Autofill\%s_%s.txt$SELECT fieldname, value FROM moz_formhistory$\temp
                                          • API String ID: 2288810340-1758122038
                                          • Opcode ID: 953a9519ea8b2e42264d9e987ad3bb7fc1e1529b645f5cc8387c7bc6fff4cc59
                                          • Instruction ID: aab2bed86a7b505dd0a97804253aec4dc9e9a1e859fc92dbd931ab3644bcd388
                                          • Opcode Fuzzy Hash: 953a9519ea8b2e42264d9e987ad3bb7fc1e1529b645f5cc8387c7bc6fff4cc59
                                          • Instruction Fuzzy Hash: 3031C97294021C7ACB10A7A5AC8AEDF777CAF09704F1004AFF504E2151EB789E858B99
                                          APIs
                                          • ExitProcess.KERNEL32 ref: 004010FB
                                            • Part of subcall function 00401000: lstrcmpiW.KERNEL32(?,?), ref: 00401032
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcesslstrcmpi
                                          • String ID: api_log.dll$avghooka.dll$avghookx.dll$cmdvrt32.dll$cmdvrt64.dll$dir_watch.dll$pstorec.dll$sbiedll.dll$snxhk.dll$vmcheck.dll$wpespy.dll
                                          • API String ID: 1394296034-3272603366
                                          • Opcode ID: a4994808c6eee96c8166c261970ad5bf5a73958c33fb154591237c9fa408be38
                                          • Instruction ID: 27d73b48cb7fa6a120ba8535b162b5f147d7994e6c4a8c9c044614cda590af0c
                                          • Opcode Fuzzy Hash: a4994808c6eee96c8166c261970ad5bf5a73958c33fb154591237c9fa408be38
                                          • Instruction Fuzzy Hash: 9601C62968079320EC3A369A6817B5D13080B57BEEB3049AFF4C03ADF78E7D04C5526E
                                          APIs
                                          • __fassign.LIBCMT ref: 00406CF2
                                          • wsprintfA.USER32 ref: 00406D20
                                          • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,?,00000000), ref: 00406D51
                                          • wsprintfA.USER32 ref: 00406DB8
                                          • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E43
                                          • SetFileTime.KERNEL32(?,?,?,?), ref: 00406E8F
                                          • CloseHandle.KERNEL32(?), ref: 00406E9B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$wsprintf$CloseCreateHandleTimeWrite__fassign
                                          • String ID: %s%s$%s%s%s$:$\
                                          • API String ID: 3651047468-1100577047
                                          • Opcode ID: 4ae819e93c8a374387ecb72db7b8a96ed8b81845e2619ed4f27929ea60b96565
                                          • Instruction ID: d8363900ac054a3bd745f18083ab7e04190d9d8ee84a7fda3d72f2c2d953f243
                                          • Opcode Fuzzy Hash: 4ae819e93c8a374387ecb72db7b8a96ed8b81845e2619ed4f27929ea60b96565
                                          • Instruction Fuzzy Hash: DE8104719042189BEF259B24CC44BEAB7B8EF09314F0500FBE54AB62D0D7786E95CF99
                                          APIs
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00416D05
                                          • lstrcatA.KERNEL32(?,\temp), ref: 00416D17
                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 00416D27
                                          • _memset.LIBCMT ref: 00416D38
                                          • _sprintf.LIBCMT ref: 00416D53
                                          • DeleteFileA.KERNEL32(?), ref: 00416E24
                                            • Part of subcall function 004719B0: __fsopen.LIBCMT ref: 004719BD
                                          • _fprintf.LIBCMT ref: 00416DE5
                                          • _fprintf.LIBCMT ref: 00416DF0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File_fprintf$CopyCurrentDeleteDirectory__fsopen_memset_sprintflstrcat
                                          • String ID: %s%s$Autofill\%s_%s.txt$\temp
                                          • API String ID: 2288810340-2986410175
                                          • Opcode ID: 8b427d9cbdb538c1a8dc64dc1ad47ab58ef79c49ba505b70d647db18f3ed25d3
                                          • Instruction ID: 0a80041feb00e455a35efcc86cc83999eda5f4d94bfee1dc73df70f2a9f510de
                                          • Opcode Fuzzy Hash: 8b427d9cbdb538c1a8dc64dc1ad47ab58ef79c49ba505b70d647db18f3ed25d3
                                          • Instruction Fuzzy Hash: 5D31B57294021C7BCB10ABA5EC86EDF777CEB19308F1005AFF504E2152EA789E854B99
                                          APIs
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00416E69
                                          • lstrcatA.KERNEL32(?,\temp), ref: 00416E7B
                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 00416E8B
                                          • _memset.LIBCMT ref: 00416E9C
                                          • _sprintf.LIBCMT ref: 00416EB7
                                          • DeleteFileA.KERNEL32(?), ref: 00416F68
                                            • Part of subcall function 004719B0: __fsopen.LIBCMT ref: 004719BD
                                          • _fprintf.LIBCMT ref: 00416F33
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CopyCurrentDeleteDirectory__fsopen_fprintf_memset_sprintflstrcat
                                          • String ID: %s$History\%s_%s.txt$SELECT url FROM urls$\temp
                                          • API String ID: 440339207-2199967400
                                          • Opcode ID: 5f2473492f4b3efb99e5985638ae1ecda01570846d07142150ff5a071163d37b
                                          • Instruction ID: 97fccef67a44b366e3e42864fbaf8d430b2e077efaa0c3e8320b5855aaf714c2
                                          • Opcode Fuzzy Hash: 5f2473492f4b3efb99e5985638ae1ecda01570846d07142150ff5a071163d37b
                                          • Instruction Fuzzy Hash: 3731BB7294011C6BCB10EB65EC86EDF777CEF19714F1004AFF504E2151EA789E858B99
                                          APIs
                                          • CreateCompatibleDC.GDI32(00000000), ref: 0046933B
                                          • GetDC.USER32(00000000), ref: 00469347
                                          • CreateCompatibleBitmap.GDI32(00000000), ref: 0046934E
                                          • SelectObject.GDI32(?,00000000), ref: 0046935B
                                          • GetDC.USER32(00000000), ref: 00469369
                                          • BitBlt.GDI32(?,00000000,00000000,?,?,00000000), ref: 00469377
                                          • GdipAlloc.GDIPLUS(00000010,?,?,00000000), ref: 0046937F
                                          • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?,?,?,00000000), ref: 0046939C
                                          • GdipSaveImageToFile.GDIPLUS(?,screenshot.jpg,?,00000000,?,?,00000000), ref: 004693C6
                                          • DeleteObject.GDI32(?), ref: 004693DE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateGdip$BitmapCompatibleObject$AllocDeleteFileFromImageSaveSelect
                                          • String ID: screenshot.jpg
                                          • API String ID: 1869477856-673422685
                                          • Opcode ID: b91d926e9f77e9e885d28987a04c963d82c18fc132e684579bae82d702d23041
                                          • Instruction ID: 3ada2519e5d3528cd7aecf744976a862f6fed03cfff2f89ddee8790b3bea0b0d
                                          • Opcode Fuzzy Hash: b91d926e9f77e9e885d28987a04c963d82c18fc132e684579bae82d702d23041
                                          • Instruction Fuzzy Hash: 3E2128B190121AAFCB109FA6DC4D9AFBFBCEF49710B10442AF905D2290DB745D41CBA9
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __fprintf_l
                                          • String ID: %s%c%s$2F$\F$bF$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                          • API String ID: 3906573944-3408376605
                                          • Opcode ID: f96086a4d04be8a15a1531758245934d682aea957b5ed9270e9cd62fe9e6b858
                                          • Instruction ID: eb20ade8cb82df6a3f5c168320609a12eadf8295a8f4d63e4b4ec74772b9f16f
                                          • Opcode Fuzzy Hash: f96086a4d04be8a15a1531758245934d682aea957b5ed9270e9cd62fe9e6b858
                                          • Instruction Fuzzy Hash: 29518E716082607BD711EB61BD09E6B3BE9DF85364F5A001FF84486242EB7CCC41D66D
                                          APIs
                                          • GetFileInformationByHandle.KERNEL32(?,?,00000000,?,0000000B), ref: 0046D760
                                          • GetFileSize.KERNEL32(?,00000000), ref: 0046D7D9
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0046D7F5
                                          • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0046D809
                                          • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0046D812
                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0046D822
                                          • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0046D840
                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0046D850
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$PointerRead$HandleInformationSize
                                          • String ID: $W{s
                                          • API String ID: 2979504256-1149720830
                                          • Opcode ID: 247b5dcb25fb6dc936b302178cf502ac4dd840b47c7e89ed045a3c5337dff808
                                          • Instruction ID: c77dee643f47d611a4b5bb784e698a7edf7f37581ea951eb40f330551c3a6604
                                          • Opcode Fuzzy Hash: 247b5dcb25fb6dc936b302178cf502ac4dd840b47c7e89ed045a3c5337dff808
                                          • Instruction Fuzzy Hash: 165104B1E00218AFDB28DF99DC85AAEBBB8EF04305F10442AE515E7260E7389D45CF56
                                          APIs
                                          • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00416FAD
                                          • lstrcatA.KERNEL32(?,\temp), ref: 00416FBF
                                          • CopyFileA.KERNEL32(?,?,00000001), ref: 00416FCF
                                          • _memset.LIBCMT ref: 00416FE0
                                          • _sprintf.LIBCMT ref: 00416FFB
                                          • DeleteFileA.KERNEL32(?), ref: 004170C6
                                            • Part of subcall function 004719B0: __fsopen.LIBCMT ref: 004719BD
                                          • _fprintf.LIBCMT ref: 0041708D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CopyCurrentDeleteDirectory__fsopen_fprintf_memset_sprintflstrcat
                                          • String ID: %s%s$Downloads\%s_%s.txt$\temp
                                          • API String ID: 440339207-2902098628
                                          • Opcode ID: f19ed5366d6092c80c188e77a5f1ebbde3ed57894ff1e84bf47b1946ce9aef68
                                          • Instruction ID: 62b05dcd01068bd3718fe582b933a23af59e94c6184c0360b824b57b15f7f555
                                          • Opcode Fuzzy Hash: f19ed5366d6092c80c188e77a5f1ebbde3ed57894ff1e84bf47b1946ce9aef68
                                          • Instruction Fuzzy Hash: 3F31797294021CABCB10ABA5EC85EDF777CEB19314F1004AFF509E2151E6789E854B59
                                          APIs
                                          • __wgetenv.LIBCMT ref: 0041993A
                                          • LoadLibraryA.KERNEL32(013C17F8,75568A60,00419AC5,?,?,?,?,?,?), ref: 00419974
                                          • GetProcAddress.KERNEL32(00000000), ref: 00419990
                                          • GetProcAddress.KERNEL32 ref: 004199A3
                                          • GetProcAddress.KERNEL32 ref: 004199B6
                                          • GetProcAddress.KERNEL32 ref: 004199C9
                                          • GetProcAddress.KERNEL32 ref: 004199DC
                                          • GetProcAddress.KERNEL32 ref: 004199EF
                                            • Part of subcall function 00472513: __lock.LIBCMT ref: 00472521
                                            • Part of subcall function 00472513: __putenv_helper.LIBCMT ref: 00472530
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad__lock__putenv_helper__wgetenv
                                          • String ID: PATH$PATH=
                                          • API String ID: 1998870925-3104081819
                                          • Opcode ID: 460df2660369aa06879142de807aed1554b8ec429b574c7f282d22779d426b1e
                                          • Instruction ID: ba147d358acc782ad4957c5eadb3a54c8c3d663bec26a69a9750b6c2edf3110f
                                          • Opcode Fuzzy Hash: 460df2660369aa06879142de807aed1554b8ec429b574c7f282d22779d426b1e
                                          • Instruction Fuzzy Hash: AB212870925510EFCB226F25AC148A73FB5FB877D4324453BE90492235EA3A0C94DB9C
                                          APIs
                                            • Part of subcall function 0041DD19: _memset.LIBCMT ref: 0041DD38
                                          • _memset.LIBCMT ref: 0043B445
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memset
                                          • String ID: 2$cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
                                          • API String ID: 2102423945-2177023506
                                          • Opcode ID: 0f63d455f1e6be7a47bb9eccf6778375fdcc6337e5ece0660cca58abbccdbb72
                                          • Instruction ID: a7b1da17eadb06f3d49f2faf0ad9e1da5ad186fd40cf3b940315e5aa10262812
                                          • Opcode Fuzzy Hash: 0f63d455f1e6be7a47bb9eccf6778375fdcc6337e5ece0660cca58abbccdbb72
                                          • Instruction Fuzzy Hash: 77E16771A043019FCB10DF25C981A6ABBE1FF88718F145A2EF99997352D738DC45CB8A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove$Xinvalid_argumentstd::_
                                          • String ID: invalid string position$string too long
                                          • API String ID: 1771113911-4289949731
                                          • Opcode ID: c0623549330897a79cb21477fa513fc1adf091afa5618c9e607052f2c13a3071
                                          • Instruction ID: 0c1a98e4bd01564518a87c26fbbffd9bc2ccc73b963f323bfe3afc68843e58da
                                          • Opcode Fuzzy Hash: c0623549330897a79cb21477fa513fc1adf091afa5618c9e607052f2c13a3071
                                          • Instruction Fuzzy Hash: 5F518170710244EBCF24DF58D9919ADBBB6EF41705B24451EE1C29B281C7B8AEC5CB8D
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0046AA71
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0046AA7B
                                            • Part of subcall function 004159AB: std::_Lockit::_Lockit.LIBCPMT ref: 004159B9
                                          • std::bad_exception::bad_exception.LIBCMT ref: 0046AAC8
                                          • __CxxThrowException@8.LIBCMT ref: 0046AAD6
                                          • std::locale::facet::_Incref.LIBCPMT ref: 0046AAE6
                                          • std::locale::facet::_Facet_Register.LIBCPMT ref: 0046AAEC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
                                          • String ID: 9.A$bad cast
                                          • API String ID: 158301680-1452094767
                                          • Opcode ID: 8b2ded8df522f92195594727f25c8bc21d0687b01c3e45b143d2ca7eaa6ab6e9
                                          • Instruction ID: f9403ee8ce91676a3182dfa33fcd5828c093e245243fc24193929b01f581da5b
                                          • Opcode Fuzzy Hash: 8b2ded8df522f92195594727f25c8bc21d0687b01c3e45b143d2ca7eaa6ab6e9
                                          • Instruction Fuzzy Hash: 2E01A171810929DBCB15FF62C9426EE7360AF40764F10425BE5107B292EB7C5E05CB9A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __fprintf_l$_memmove
                                          • String ID: $, $CREATE TABLE
                                          • API String ID: 3461008893-3459038510
                                          • Opcode ID: 2246409c6891276655c9dd2150b603920a329345b3e75750b0f4c8bffc2e79e9
                                          • Instruction ID: d5d51236a40b9d80f1b128f635d7e348fdc9d694b95f1d1d1fcadfafcd974161
                                          • Opcode Fuzzy Hash: 2246409c6891276655c9dd2150b603920a329345b3e75750b0f4c8bffc2e79e9
                                          • Instruction Fuzzy Hash: E05150B1D00119EFDF10DF98C8819AFBBF4EF45309F2141ABE845A7206E7389A45CB99
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove$Xinvalid_argumentstd::_
                                          • String ID: invalid string position$string too long
                                          • API String ID: 1771113911-4289949731
                                          • Opcode ID: c402f788af3e9adf79e724835916fb1bff48fef1f9cd2f87c2bb5e76ceb76c79
                                          • Instruction ID: 17bbcaf676acf3874342fd074754c94887b6ddcdbce79a03c42ca3b66bb9dd07
                                          • Opcode Fuzzy Hash: c402f788af3e9adf79e724835916fb1bff48fef1f9cd2f87c2bb5e76ceb76c79
                                          • Instruction Fuzzy Hash: 87310A703001009BDB28DE1FC9819AABBEADBC9704724091FE693CB681D779DDC1879D
                                          APIs
                                          • __EH_prolog3_catch_GS.LIBCMT ref: 00468D4A
                                          • Sleep.KERNEL32(00000064,ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,00000024,00000038,004115AE,00000013), ref: 00468D90
                                          • __time64.LIBCMT ref: 00468D97
                                            • Part of subcall function 00470D64: GetSystemTimeAsFileTime.KERNEL32(00468D9C,?,?,?,00468D9C,00000000), ref: 00470D6F
                                            • Part of subcall function 00470D64: __aulldiv.LIBCMT ref: 00470D8F
                                            • Part of subcall function 00468CE0: __EH_prolog3_catch.LIBCMT ref: 00468CE7
                                            • Part of subcall function 00468CE0: _malloc.LIBCMT ref: 00468CF4
                                            • Part of subcall function 00468CE0: GetTickCount.KERNEL32 ref: 00468CFE
                                            • Part of subcall function 00468CE0: _rand.LIBCMT ref: 00468D12
                                            • Part of subcall function 00468CE0: _sprintf.LIBCMT ref: 00468D25
                                            • Part of subcall function 00470C30: __getptd.LIBCMT ref: 00470C35
                                          • _rand.LIBCMT ref: 00468DC5
                                            • Part of subcall function 00470C42: __getptd.LIBCMT ref: 00470C42
                                          • std::_Xinvalid_argument.LIBCPMT ref: 00468DDA
                                          Strings
                                          • ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789, xrefs: 00468D62
                                          • invalid string position, xrefs: 00468DD5
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Time__getptd_rand$CountFileH_prolog3_catchH_prolog3_catch_SleepSystemTickXinvalid_argument__aulldiv__time64_malloc_sprintfstd::_
                                          • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$invalid string position
                                          • API String ID: 751668783-3173898365
                                          • Opcode ID: aaf3d40fe02032f8973a66470ca7e68f85174e0bd6a8b6678b91e0ceec9fc121
                                          • Instruction ID: 31d77f795c3fa666ae8ac8bfe7d79618fc1b36c1e8bbf2c6ca20ccdc458986e0
                                          • Opcode Fuzzy Hash: aaf3d40fe02032f8973a66470ca7e68f85174e0bd6a8b6678b91e0ceec9fc121
                                          • Instruction Fuzzy Hash: B931C470A00204EFDB14EFA9D885A9CBBB1BF04704F60451FF001A72C2EBB959408B5A
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0041B392
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0041B39C
                                            • Part of subcall function 004159AB: std::_Lockit::_Lockit.LIBCPMT ref: 004159B9
                                          • std::bad_exception::bad_exception.LIBCMT ref: 0041B3EB
                                          • __CxxThrowException@8.LIBCMT ref: 0041B3F9
                                          • std::locale::facet::_Incref.LIBCPMT ref: 0041B409
                                          • std::locale::facet::_Facet_Register.LIBCPMT ref: 0041B40F
                                          • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
                                          • String ID: bad cast
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0046AB0D
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0046AB17
                                            • Part of subcall function 004159AB: std::_Lockit::_Lockit.LIBCPMT ref: 004159B9
                                          • std::bad_exception::bad_exception.LIBCMT ref: 0046AB64
                                          • __CxxThrowException@8.LIBCMT ref: 0046AB72
                                          • std::locale::facet::_Incref.LIBCPMT ref: 0046AB82
                                          • std::locale::facet::_Facet_Register.LIBCPMT ref: 0046AB88
                                          • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
                                          • String ID: bad cast
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 004158A8
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 004158B5
                                          • std::exception::exception.LIBCMT ref: 004158EC
                                            • Part of subcall function 0046F44B: std::exception::_Copy_str.LIBCMT ref: 0046F466
                                          • __CxxThrowException@8.LIBCMT ref: 00415901
                                            • Part of subcall function 00472C24: RaiseException.KERNEL32(0040350A,?,5@,?,?,?,?,?,0040350A,?,004A0880,00000000), ref: 00472C66
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041590A
                                          • API ID: std::_$Copy_strExceptionException@8H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
                                          • String ID: ]A$bad locale name
                                          APIs
                                          • GetFileAttributesA.KERNEL32(?,?,?,?), ref: 00406B16
                                          • CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 00406B27
                                          • __fassign.LIBCMT ref: 00406AE3
                                            • Part of subcall function 0046FFC3: __mbsnbcpy_l.LIBCMT ref: 0046FFD3
                                          • _memmove.LIBCMT ref: 00406B59
                                          • __fassign.LIBCMT ref: 00406B89
                                          • __fassign.LIBCMT ref: 00406BBB
                                          • GetFileAttributesA.KERNEL32(?,?,?,?), ref: 00406BD1
                                          • CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 00406BE5
                                          • API ID: __fassign$AttributesCreateDirectoryFile$__mbsnbcpy_l_memmove
                                          APIs
                                          • ___set_flsgetvalue.LIBCMT ref: 00472735
                                          • __calloc_crt.LIBCMT ref: 00472741
                                          • __getptd.LIBCMT ref: 0047274E
                                          • __initptd.LIBCMT ref: 00472757
                                          • CreateThread.KERNEL32(?,?,004726AB,00000000,?,?), ref: 00472785
                                          • GetLastError.KERNEL32(?,00000000,?,0041F331,00000000,00000000,0041F2CC,00000000,00000000,00000004), ref: 0047278F
                                          • _free.LIBCMT ref: 00472798
                                          • __dosmaperr.LIBCMT ref: 004727A3
                                            • Part of subcall function 0047595B: __getptd_noexit.LIBCMT ref: 0047595B
                                          • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
                                          APIs
                                          • API ID: _memmove$_memset
                                          • String ID: F$2F$winRead
                                          APIs
                                            • Part of subcall function 0047ADCD: __mtinitlocknum.LIBCMT ref: 0047ADE3
                                            • Part of subcall function 0047ADCD: __amsg_exit.LIBCMT ref: 0047ADEF
                                            • Part of subcall function 0047ADCD: EnterCriticalSection.KERNEL32(00000000,00000000,?,00479367,0000000D), ref: 0047ADF7
                                          • __mtinitlocknum.LIBCMT ref: 004764E2
                                          • __malloc_crt.LIBCMT ref: 00476523
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(004A51C0,00000FA0,004A04C8,00000010,00471945,004A01E8,0000000C,004719C2,?,75584B00,00000040,?,00419B36,00499628,75584B00,?), ref: 00476547
                                          • _free.LIBCMT ref: 00476559
                                          • EnterCriticalSection.KERNEL32(004A51C0,?,00419B36,00499628,75584B00,?,00000000), ref: 00476570
                                          • API ID: CriticalSection$Enter__mtinitlocknum$CountInitializeSpin__amsg_exit__malloc_crt_free
                                          • String ID: (I
                                          APIs
                                          Strings
                                          • cannot detach database %s, xrefs: 004445FE
                                          • cannot DETACH database within transaction, xrefs: 0044460B
                                          • no such database: %s, xrefs: 004445EC
                                          • database %s is locked, xrefs: 00444653
                                          • API ID: __fprintf_l
                                          • String ID: cannot DETACH database within transaction$cannot detach database %s$database %s is locked$no such database: %s
                                          APIs
                                          • __getptd_noexit.LIBCMT ref: 004735AE
                                            • Part of subcall function 004793D1: GetLastError.KERNEL32(?,00000001,00475960,004700E0,?,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 004793D5
                                            • Part of subcall function 004793D1: ___set_flsgetvalue.LIBCMT ref: 004793E3
                                            • Part of subcall function 004793D1: __calloc_crt.LIBCMT ref: 004793F7
                                            • Part of subcall function 004793D1: DecodePointer.KERNEL32(00000000,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 00479411
                                            • Part of subcall function 004793D1: __initptd.LIBCMT ref: 00479420
                                            • Part of subcall function 004793D1: GetCurrentThreadId.KERNEL32 ref: 00479427
                                            • Part of subcall function 004793D1: SetLastError.KERNEL32(00000000,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 0047943F
                                          • __calloc_crt.LIBCMT ref: 004735D0
                                          • __get_sys_err_msg.LIBCMT ref: 004735EE
                                          • _strcpy_s.LIBCMT ref: 004735F6
                                          • __invoke_watson.LIBCMT ref: 0047360B
                                          Strings
                                          • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004735BB, 004735DE
                                          • API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__initptd__invoke_watson_strcpy_s
                                          • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                          APIs
                                          • _malloc.LIBCMT ref: 0046FE03
                                            • Part of subcall function 00470057: __FF_MSGBANNER.LIBCMT ref: 00470070
                                            • Part of subcall function 00470057: __NMSG_WRITE.LIBCMT ref: 00470077
                                            • Part of subcall function 00470057: HeapAlloc.KERNEL32(00000000,00000001,?,00000001,?,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 0047009C
                                          • std::exception::exception.LIBCMT ref: 0046FE38
                                          • std::exception::exception.LIBCMT ref: 0046FE52
                                          • __CxxThrowException@8.LIBCMT ref: 0046FE63
                                          • API ID: std::exception::exception$AllocException@8HeapThrow_malloc
                                          • String ID: bad allocation$4@
                                          APIs
                                          • __CxxThrowException@8.LIBCMT ref: 00415C12
                                          • std::exception::exception.LIBCMT ref: 00415C39
                                          • API ID: Exception@8Throwstd::exception::exception
                                          • String ID: ]A$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          APIs
                                          • __EH_prolog3_catch.LIBCMT ref: 00468CE7
                                          • _malloc.LIBCMT ref: 00468CF4
                                            • Part of subcall function 00470057: __FF_MSGBANNER.LIBCMT ref: 00470070
                                            • Part of subcall function 00470057: __NMSG_WRITE.LIBCMT ref: 00470077
                                            • Part of subcall function 00470057: HeapAlloc.KERNEL32(00000000,00000001,?,00000001,?,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 0047009C
                                          • GetTickCount.KERNEL32 ref: 00468CFE
                                            • Part of subcall function 00470C30: __getptd.LIBCMT ref: 00470C35
                                          • _rand.LIBCMT ref: 00468D12
                                            • Part of subcall function 00470C42: __getptd.LIBCMT ref: 00470C42
                                          • _sprintf.LIBCMT ref: 00468D25
                                          • API ID: __getptd$AllocCountH_prolog3_catchHeapTick_malloc_rand_sprintf
                                          • String ID: %s%d
                                          APIs
                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00415F3A
                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 00415F51
                                          • LocalAlloc.KERNEL32(00000040,?), ref: 00415F68
                                          • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00415F7F
                                          • LocalFree.KERNEL32(?,?,?,00000000), ref: 00415F9E
                                          • CloseHandle.KERNEL32(?), ref: 00415FA7
                                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                          APIs
                                          • __CreateFrameInfo.LIBCMT ref: 00474690
                                            • Part of subcall function 00473370: __getptd.LIBCMT ref: 0047337E
                                            • Part of subcall function 00473370: __getptd.LIBCMT ref: 0047338C
                                          • __getptd.LIBCMT ref: 0047469A
                                            • Part of subcall function 0047944A: __getptd_noexit.LIBCMT ref: 0047944D
                                            • Part of subcall function 0047944A: __amsg_exit.LIBCMT ref: 0047945A
                                          • __getptd.LIBCMT ref: 004746A8
                                          • __getptd.LIBCMT ref: 004746B6
                                          • __getptd.LIBCMT ref: 004746C1
                                          • _CallCatchBlock2.LIBCMT ref: 004746E7
                                            • Part of subcall function 00473415: __CallSettingFrame@12.LIBCMT ref: 00473461
                                            • Part of subcall function 0047478E: __getptd.LIBCMT ref: 0047479D
                                            • Part of subcall function 0047478E: __getptd.LIBCMT ref: 004747AB
                                          • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                          APIs
                                          • __getptd.LIBCMT ref: 00478A6F
                                            • Part of subcall function 0047944A: __getptd_noexit.LIBCMT ref: 0047944D
                                            • Part of subcall function 0047944A: __amsg_exit.LIBCMT ref: 0047945A
                                          • __amsg_exit.LIBCMT ref: 00478A8F
                                          • __lock.LIBCMT ref: 00478A9F
                                          • InterlockedDecrement.KERNEL32(?), ref: 00478ABC
                                          • _free.LIBCMT ref: 00478ACF
                                          • InterlockedIncrement.KERNEL32(02FD1670), ref: 00478AE7
                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00415922
                                          • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00415932
                                            • Part of subcall function 0046EC21: _setlocale.LIBCMT ref: 0046EC33
                                          • _free.LIBCMT ref: 00415940
                                            • Part of subcall function 0046FFDD: HeapFree.KERNEL32(00000000,00000000,?,0047943B,00000000,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 0046FFF3
                                            • Part of subcall function 0046FFDD: GetLastError.KERNEL32(00000000,?,0047943B,00000000,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 00470005
                                          • _free.LIBCMT ref: 00415952
                                          • _free.LIBCMT ref: 00415964
                                          • _free.LIBCMT ref: 00415976
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _free$ErrorFreeH_prolog3HeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                          • String ID:
                                          • API String ID: 2259855018-0
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _memset
                                          • String ID: H$RF
                                          • API String ID: 2102423945-2696182222
                                          Strings
                                          • unknown column "%s" in foreign key definition, xrefs: 004473C5
                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00447259
                                          • foreign key on %s should reference only one column of table %T, xrefs: 00447230
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _memmove
                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                          • API String ID: 4104443479-272990098
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: __fprintf_l
                                          • String ID: %!.15g$%!.20e$NULL
                                          • API String ID: 3906573944-1578054726
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _memmove
                                          • String ID: 2F$winWrite1$winWrite2
                                          • API String ID: 4104443479-1202468874
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 004162B9
                                          • _memset.LIBCMT ref: 0041630D
                                          • LocalAlloc.KERNEL32(00000040,?,00000074,004169BE,00000000,?,?,?), ref: 00416348
                                            • Part of subcall function 0041386D: _memmove.LIBCMT ref: 00413889
                                            • Part of subcall function 00402DC8: _memmove.LIBCMT ref: 00402DE7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _memmove$AllocH_prolog3_Local_memset
                                          • String ID: NULL$v10
                                          • API String ID: 1135815740-1391045996
                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00421651
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: 2F$winSeekFile$winTruncate1$winTruncate2
                                          • API String ID: 885266447-303022128
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00411105
                                            • Part of subcall function 00410235: __EH_prolog3.LIBCMT ref: 00410254
                                            • Part of subcall function 0041386D: _memmove.LIBCMT ref: 00413889
                                            • Part of subcall function 00402DC8: _memmove.LIBCMT ref: 00402DE7
                                          • _strtok.LIBCMT ref: 004111BB
                                          • lstrlenA.KERNEL32(?,?,?,00000010,00000001,00000000), ref: 004111C8
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _memmove$H_prolog3H_prolog3__strtoklstrlen
                                          • String ID: ERROR$ERROR
                                          • API String ID: 3318954604-2579291623
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _memmove$Xinvalid_argumentstd::_
                                          • String ID: string too long
                                          • API String ID: 1771113911-2556327735
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: __fprintf_l$__aulldiv_memset
                                          • String ID: %llu$%llu
                                          • API String ID: 2327972778-4283164361
                                          APIs
                                          • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00469280
                                          • _malloc.LIBCMT ref: 00469294
                                          • _free.LIBCMT ref: 00469319
                                            • Part of subcall function 0046FFDD: HeapFree.KERNEL32(00000000,00000000,?,0047943B,00000000,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 0046FFF3
                                            • Part of subcall function 0046FFDD: GetLastError.KERNEL32(00000000,?,0047943B,00000000,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 00470005
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: EncodersErrorFreeGdipHeapImageLastSize_free_malloc
                                          • String ID: image/jpeg
                                          • API String ID: 34177290-3785015651
                                          APIs
                                          • std::_Xinvalid_argument.LIBCPMT ref: 004141B6
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7D6
                                            • Part of subcall function 0046E7C1: __CxxThrowException@8.LIBCMT ref: 0046E7EB
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7FC
                                          • std::_Xinvalid_argument.LIBCPMT ref: 004141D5
                                          • _memmove.LIBCMT ref: 00414216
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                          • String ID: invalid string position$string too long
                                          • API String ID: 3404309857-4289949731
                                          APIs
                                          • std::_Xinvalid_argument.LIBCPMT ref: 00413CC4
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7D6
                                            • Part of subcall function 0046E7C1: __CxxThrowException@8.LIBCMT ref: 0046E7EB
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7FC
                                          • std::_Xinvalid_argument.LIBCPMT ref: 00413CE3
                                          • _memmove.LIBCMT ref: 00413D20
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                          • String ID: invalid string position$string too long
                                          • API String ID: 3404309857-4289949731
                                          APIs
                                          • std::_Xinvalid_argument.LIBCPMT ref: 0046A0C0
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7D6
                                            • Part of subcall function 0046E7C1: __CxxThrowException@8.LIBCMT ref: 0046E7EB
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7FC
                                          • std::_Xinvalid_argument.LIBCPMT ref: 0046A0D7
                                          • _memmove.LIBCMT ref: 0046A119
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                          • String ID: invalid string position$string too long
                                          • API String ID: 3404309857-4289949731
                                          APIs
                                          • _memset.LIBCMT ref: 00415061
                                          • _memset.LIBCMT ref: 0041506E
                                          • lstrlenA.KERNEL32(00000000,10000000,?), ref: 00415094
                                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 0041509C
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _memset$CrackInternetlstrlen
                                          • String ID: http
                                          • API String ID: 3332450456-2541227442
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0041AEAA
                                          • std::_Mutex::_Mutex.LIBCPMT ref: 0041AEBB
                                            • Part of subcall function 0046FDE9: _malloc.LIBCMT ref: 0046FE03
                                          • std::locale::_Init.LIBCPMT ref: 0041AED2
                                            • Part of subcall function 0046ED84: __EH_prolog3.LIBCMT ref: 0046ED8B
                                            • Part of subcall function 0046ED84: std::_Lockit::_Lockit.LIBCPMT ref: 0046EDA1
                                            • Part of subcall function 0046ED84: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0046EDC3
                                            • Part of subcall function 0046ED84: std::locale::_Setgloballocale.LIBCPMT ref: 0046EDCD
                                            • Part of subcall function 0046ED84: _Yarn.LIBCPMT ref: 0046EDE3
                                            • Part of subcall function 0046ED84: std::locale::facet::_Incref.LIBCPMT ref: 0046EDF0
                                          • std::locale::facet::_Incref.LIBCPMT ref: 0041AEE0
                                            • Part of subcall function 004159DC: std::_Lockit::_Lockit.LIBCPMT ref: 004159E8
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: std::_std::locale::_$H_prolog3IncrefLockitLockit::_std::locale::facet::_$InitLocimpLocimp::_MutexMutex::_SetgloballocaleYarn_malloc
                                          • String ID: 7A
                                          • API String ID: 3596770912-1978484142
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
                                          • String ID:
                                          • API String ID: 4048096073-0
                                          APIs
                                          • _malloc.LIBCMT ref: 00472171
                                            • Part of subcall function 00470057: __FF_MSGBANNER.LIBCMT ref: 00470070
                                            • Part of subcall function 00470057: __NMSG_WRITE.LIBCMT ref: 00470077
                                            • Part of subcall function 00470057: HeapAlloc.KERNEL32(00000000,00000001,?,00000001,?,?,0046F40D,00000001,00000000,?,00000003,?,0046F46B,004034F5,?), ref: 0047009C
                                          • _free.LIBCMT ref: 00472184
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          • API ID: AllocHeap_free_malloc
                                          • String ID:
                                          • API String ID: 2734353464-0
                                          APIs
                                          • __getptd.LIBCMT ref: 004791F0
                                            • Part of subcall function 0047944A: __getptd_noexit.LIBCMT ref: 0047944D
                                            • Part of subcall function 0047944A: __amsg_exit.LIBCMT ref: 0047945A
                                          • __getptd.LIBCMT ref: 00479207
                                          • __amsg_exit.LIBCMT ref: 00479215
                                          • __lock.LIBCMT ref: 00479225
                                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00479239
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                          • String ID:
                                          • API String ID: 938513278-0
                                          APIs
                                          • __EH_prolog3_catch.LIBCMT ref: 0046944B
                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,0000000C,00407A8C,?,00000001), ref: 00469468
                                          • GetFileSizeEx.KERNEL32(00000000,?), ref: 0046947A
                                          • CloseHandle.KERNEL32(00000000), ref: 00469485
                                          • CloseHandle.KERNEL32(00000000), ref: 00469497
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFileHandle$CreateH_prolog3_catchSize
                                          • String ID:
                                          • API String ID: 1922246528-0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove_memset
                                          • String ID: $no query solution
                                          • API String ID: 3555123492-326442043
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 0046A1B1
                                            • Part of subcall function 00415C79: std::locale::facet::_Incref.LIBCPMT ref: 00415C80
                                            • Part of subcall function 0046AB06: __EH_prolog3.LIBCMT ref: 0046AB0D
                                            • Part of subcall function 0046AB06: std::_Lockit::_Lockit.LIBCPMT ref: 0046AB17
                                          • _localeconv.LIBCMT ref: 0046A254
                                          • _strcspn.LIBCMT ref: 0046A361
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: H_prolog3H_prolog3_IncrefLockitLockit::__localeconv_strcspnstd::_std::locale::facet::_
                                          • String ID: e
                                          • API String ID: 441263477-4024072794
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: %.2x$:QC$unknown error
                                          • API String ID: 0-3793392224
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memset
                                          • String ID: %s-shm$2F$winOpenShm
                                          • API String ID: 2102423945-4137637214
                                          APIs
                                            • Part of subcall function 0041DD19: _memset.LIBCMT ref: 0041DD38
                                          • _memmove.LIBCMT ref: 00443473
                                          Strings
                                          • virtual tables may not be altered, xrefs: 004433B1
                                          • Cannot add a column to a view, xrefs: 004433C8
                                          • sqlite_altertab_%s, xrefs: 00443444
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove_memset
                                          • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                          • API String ID: 3555123492-2063813899
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004700F9
                                            • Part of subcall function 0046FE69: __getptd.LIBCMT ref: 0046FE7C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Locale$UpdateUpdate::___getptd
                                          • String ID: f@
                                          • API String ID: 3914705266-2188841539
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __fprintf_l
                                          • String ID: AND $ANY(%s)$rowid
                                          • API String ID: 3906573944-2531995277
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove$Xinvalid_argumentstd::_
                                          • String ID: string too long
                                          • API String ID: 1771113911-2556327735
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __fprintf_l
                                          • String ID: %!.15g$%lld$_D
                                          • API String ID: 3906573944-2418140789
                                          APIs
                                          • __EH_prolog3_catch.LIBCMT ref: 0046ACB5
                                          • _localeconv.LIBCMT ref: 0046ACBD
                                            • Part of subcall function 00472803: __getptd.LIBCMT ref: 00472803
                                            • Part of subcall function 0046F169: ____lc_handle_func.LIBCMT ref: 0046F16C
                                            • Part of subcall function 0046F169: ____lc_codepage_func.LIBCMT ref: 0046F174
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: H_prolog3_catch____lc_codepage_func____lc_handle_func__getptd_localeconv
                                          • String ID: false$true
                                          • API String ID: 2930029256-2658103896
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?), ref: 00467D74
                                          • IsWow64Process.KERNEL32(00000000), ref: 00467D7B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentWow64
                                          • String ID: x64$x86
                                          • API String ID: 1905925150-1778291495
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove$_memset
                                          • String ID:
                                          • API String ID: 1357608183-0
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00472884
                                            • Part of subcall function 0046FE69: __getptd.LIBCMT ref: 0046FE7C
                                            • Part of subcall function 0047595B: __getptd_noexit.LIBCMT ref: 0047595B
                                          • __stricmp_l.LIBCMT ref: 004728F1
                                            • Part of subcall function 00470270: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0047027F
                                          • ___crtLCMapStringA.LIBCMT ref: 00472947
                                          • ___crtLCMapStringA.LIBCMT ref: 004729C8
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Locale$StringUpdateUpdate::____crt$__getptd__getptd_noexit__stricmp_l
                                          • String ID:
                                          • API String ID: 2544346105-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                          • String ID:
                                          • API String ID: 2782032738-0
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004829F1
                                          • __isleadbyte_l.LIBCMT ref: 00482A24
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00482A55
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000), ref: 00482AC3
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          APIs
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,0046DAFD,00000000,?,0046DF1C,00000000,00000000), ref: 0046DB71
                                          • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,0046DAFD,00000000,?,0046DF1C,00000000), ref: 0046DBA1
                                          • GetLocalTime.KERNEL32(00000000,?,?,?,?,0046DAFD,00000000,?,0046DF1C,00000000,00000000,00000000), ref: 0046DBC4
                                          • SystemTimeToFileTime.KERNEL32(00000000,?,?,?,?,?,0046DAFD,00000000,?,0046DF1C,00000000,00000000,00000000), ref: 0046DBD2
                                            • Part of subcall function 0046D72C: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,0000000B), ref: 0046D760
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                          • String ID:
                                          • API String ID: 3986731826-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00407C91
                                          • _strtok.LIBCMT ref: 00407CA5
                                            • Part of subcall function 00470B0E: __getptd.LIBCMT ref: 00470B2C
                                          • CreateDirectoryA.KERNEL32(?,00000000,?,00496A68,?,00000000,?,?,?,?,?,?,00000024), ref: 00407CE6
                                          • _strtok.LIBCMT ref: 00407CF1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _strtok$CreateDirectoryH_prolog3___getptd
                                          • String ID:
                                          • API String ID: 2807274917-0
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32(00000000,0047CA27,00000000,00000000,7556DF80,?,004724F3,00419AC5,00000000,?,?,?,?,?,?,00000000), ref: 00483A1E
                                          • __malloc_crt.LIBCMT ref: 00483A4D
                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,00000000,?,004724F3,00419AC5,00000000,?,?,?,?,?,?,00000000,013C17F8), ref: 00483A5A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EnvironmentStrings$Free__malloc_crt
                                          • String ID:
                                          • API String ID: 237123855-0
                                          • Opcode ID: 5873c0b5e740d17dba60fbdb8e92d89fcf0a9e20bd1ac6e48db2453090af9cc0
                                          • Instruction ID: 6ed68ff2a05ea66e70b07ed708303af874cbb5f75a579cf577aef89026210657
                                          • Opcode Fuzzy Hash: 5873c0b5e740d17dba60fbdb8e92d89fcf0a9e20bd1ac6e48db2453090af9cc0
                                          • Instruction Fuzzy Hash: EBF02E375001115B8B397F79BC4989F1328DAD1B963064C1BF442C7340F6288F41C3E9
                                          APIs
                                            • Part of subcall function 00417AF9: _malloc.LIBCMT ref: 00417B17
                                            • Part of subcall function 00417AF9: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00417B30
                                            • Part of subcall function 00417AF9: CloseHandle.KERNEL32(00000000), ref: 00417B41
                                          • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,75584B00,?,00000000,?,00419B4A,?,?,00000000), ref: 00417C1C
                                          • TerminateProcess.KERNEL32(00000000,00000000,?,00419B4A,?,?,00000000), ref: 00417C2C
                                          • CloseHandle.KERNEL32(00000000,?,00419B4A,?,?,00000000), ref: 00417C33
                                          • _free.LIBCMT ref: 00417C40
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleProcess$CreateOpenSnapshotTerminateToolhelp32_free_malloc
                                          • String ID:
                                          • API String ID: 486718275-0
                                          • Opcode ID: 94c9ed2ec75a032e0597b31d1296a7ab3460dcec607872b3d20fe657d3c1aee3
                                          • Instruction ID: 5ae6edb7b1b26dc77aa6250ce5f1715643dd323de6ce0ff1f1937b1b9ea83197
                                          • Opcode Fuzzy Hash: 94c9ed2ec75a032e0597b31d1296a7ab3460dcec607872b3d20fe657d3c1aee3
                                          • Instruction Fuzzy Hash: A1F0E9321081187FC6112B65DD45E9F3B39EB467A4F10453AF6216B0D1D774588287D8
                                          APIs
                                          • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00469417
                                          • GetSystemMetrics.USER32(00000000), ref: 0046941E
                                          • GetSystemMetrics.USER32(00000001), ref: 00469428
                                            • Part of subcall function 00469324: CreateCompatibleDC.GDI32(00000000), ref: 0046933B
                                            • Part of subcall function 00469324: GetDC.USER32(00000000), ref: 00469347
                                            • Part of subcall function 00469324: CreateCompatibleBitmap.GDI32(00000000), ref: 0046934E
                                            • Part of subcall function 00469324: SelectObject.GDI32(?,00000000), ref: 0046935B
                                            • Part of subcall function 00469324: GetDC.USER32(00000000), ref: 00469369
                                            • Part of subcall function 00469324: BitBlt.GDI32(?,00000000,00000000,?,?,00000000), ref: 00469377
                                            • Part of subcall function 00469324: GdipAlloc.GDIPLUS(00000010,?,?,00000000), ref: 0046937F
                                            • Part of subcall function 00469324: GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?,?,?,00000000), ref: 0046939C
                                            • Part of subcall function 00469324: GdipSaveImageToFile.GDIPLUS(?,screenshot.jpg,?,00000000,?,?,00000000), ref: 004693C6
                                            • Part of subcall function 00469324: DeleteObject.GDI32(?), ref: 004693DE
                                          • GdiplusShutdown.GDIPLUS(?), ref: 0046943A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateGdip$BitmapCompatibleGdiplusMetricsObjectSystem$AllocDeleteFileFromImageSaveSelectShutdownStartup
                                          • String ID:
                                          • API String ID: 2538933268-0
                                          • Opcode ID: 3c886ad49d7c510d61c26a72e54639903662d02c3c9abe7a37a3a561e2ff8ab6
                                          • Instruction ID: 4afc63cc8e16e2808b0c18807e0eb73711e95732c4d80f9a573fc50d23df8963
                                          • Opcode Fuzzy Hash: 3c886ad49d7c510d61c26a72e54639903662d02c3c9abe7a37a3a561e2ff8ab6
                                          • Instruction Fuzzy Hash: FDF01C72D00129AFCB01AFE99D4D9CEBBBCEB08745F10016AF901E6291D7B55F008BE9
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memset
                                          • String ID: %s.xBestIndex() malfunction$RF
                                          • API String ID: 2102423945-1559809547
                                          • Opcode ID: 71bf06843675f3f44e23e48862525640ff4234a175581e0ca14f202767148d88
                                          • Instruction ID: 1fa7e57ca3c5981ff311c5f4e856bc36da7785b48b27d371aeccc9d047c90afe
                                          • Opcode Fuzzy Hash: 71bf06843675f3f44e23e48862525640ff4234a175581e0ca14f202767148d88
                                          • Instruction Fuzzy Hash: D2D19070900206DFCF18CF98D595AAABBF1FF48305F10419AD845A7392E738E991CF99
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memset
                                          • String ID: psow$winOpen
                                          • API String ID: 2102423945-4101858489
                                          • Opcode ID: 6ac75b2ffea438fbe47fec3823146c9d9a311e3c43b9cc27e3b7b75959f1d9d4
                                          • Instruction ID: 5afc2ba9a763e4bd8b4b4163189bd389247227f2c0e38ad8bb0d7567aa6ecda0
                                          • Opcode Fuzzy Hash: 6ac75b2ffea438fbe47fec3823146c9d9a311e3c43b9cc27e3b7b75959f1d9d4
                                          • Instruction Fuzzy Hash: 3571B371A08311AFC710DF25E94164ABBE0FF48728F544A2EF45897291D3B8ED50CB8A
                                          APIs
                                          Strings
                                          • variable number must be between ?1 and ?%d, xrefs: 0043F4DC
                                          • too many SQL variables, xrefs: 0043F643
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memset
                                          • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                          • API String ID: 2102423945-515162456
                                          • Opcode ID: 8a6a476172b7cad97b2833bc5e3a27e1c242eb7fe2f5bfee722ed76510c13250
                                          • Instruction ID: 780dd81f505c33ca2d8c5ab72794ea41605e821f6ed21c1460bf4db05b481091
                                          • Opcode Fuzzy Hash: 8a6a476172b7cad97b2833bc5e3a27e1c242eb7fe2f5bfee722ed76510c13250
                                          • Instruction Fuzzy Hash: A7519F70E04705AFCB24DF68C481BABB7F5AF2C304F10556FD46A97292DB39A949CB48
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: BINARY$_D
                                          • API String ID: 0-283136081
                                          • Opcode ID: b27206e806f903d785f43afa4a64497d4fbea1f3f5645f790a41dd6f59b239b6
                                          • Instruction ID: 51f87de8bac97d7d2350b511b9fec7206204ebc083fa157dfdb79822689b30db
                                          • Opcode Fuzzy Hash: b27206e806f903d785f43afa4a64497d4fbea1f3f5645f790a41dd6f59b239b6
                                          • Instruction Fuzzy Hash: F541C675E04345ABCB20DFA5C4816AE7BF0AF08354F28946BE456CB361E73CDA85CB18
                                          APIs
                                            • Part of subcall function 0041C17E: __allrem.LIBCMT ref: 0041C1A7
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041C2A3
                                          • __localtime64_s.LIBCMT ref: 0041C2C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__localtime64_s
                                          • String ID: local time unavailable
                                          • API String ID: 1840914312-3313036412
                                          • Opcode ID: f854dd340b584d59ef9b5807d38d574e5bb5e957e4ff29a1726b75fccc390fb6
                                          • Instruction ID: d05da75b2070da177e8f3f384e153baf819bd41d5375c2c70ff8e7f6c368b340
                                          • Opcode Fuzzy Hash: f854dd340b584d59ef9b5807d38d574e5bb5e957e4ff29a1726b75fccc390fb6
                                          • Instruction Fuzzy Hash: 3C410071E0022C9FCF10DFA9D881ACDBBB5BF48314F20816AE518BB251DA74A995CF58
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __fprintf_l
                                          • String ID: OsError 0x%lx (%lu)
                                          • API String ID: 3906573944-3720535092
                                          • Opcode ID: 5faae7d0877dc42815e10ee45b6c672a0708afd41a2188357b0319f1e3cdf8a5
                                          • Instruction ID: 135141fce87c4dca150214754db578516e275706a8128c0172b09a67349fe8f7
                                          • Opcode Fuzzy Hash: 5faae7d0877dc42815e10ee45b6c672a0708afd41a2188357b0319f1e3cdf8a5
                                          • Instruction Fuzzy Hash: 07219F71D01128BACF217FA1EC06CDF7F79EF09794B504066F905A2121DB384E909A98
                                          APIs
                                          • std::_Xinvalid_argument.LIBCPMT ref: 00402FEA
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7D6
                                            • Part of subcall function 0046E7C1: __CxxThrowException@8.LIBCMT ref: 0046E7EB
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7FC
                                            • Part of subcall function 00403069: std::_Xinvalid_argument.LIBCPMT ref: 00403078
                                          • _memmove.LIBCMT ref: 00403045
                                          Strings
                                          • invalid string position, xrefs: 00402FE5
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                          • String ID: invalid string position
                                          • API String ID: 3404309857-1799206989
                                          • Opcode ID: 2189c013a16082627d0c21879b82daa552e9d8277ecd9908ab579c09e6aca264
                                          • Instruction ID: c092f17f9e08c65e32106b9b5ad1bc598c4a7e82c26def6abc5c7d1a0423c081
                                          • Opcode Fuzzy Hash: 2189c013a16082627d0c21879b82daa552e9d8277ecd9908ab579c09e6aca264
                                          • Instruction Fuzzy Hash: 3511C4313052509BCB249E1DC940A2ABBADEB85756F10053FF816A73C6CBB9DE41879D
                                          APIs
                                          • std::_Xinvalid_argument.LIBCPMT ref: 0040311A
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7D6
                                            • Part of subcall function 0046E7C1: __CxxThrowException@8.LIBCMT ref: 0046E7EB
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7FC
                                            • Part of subcall function 0040319A: std::_Xinvalid_argument.LIBCPMT ref: 004031A7
                                          • _memmove.LIBCMT ref: 00403175
                                          Strings
                                          • invalid string position, xrefs: 00403115
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                          • String ID: invalid string position
                                          • API String ID: 3404309857-1799206989
                                          • Opcode ID: 8a5d2d71ad42bbeb89056f1edc241a0f38c595aef05121edd77b796af91a53b7
                                          • Instruction ID: 820eead20b4458ad219c23f8544a1ff6bff5b33d1cac2f473272bf85eec8c123
                                          • Opcode Fuzzy Hash: 8a5d2d71ad42bbeb89056f1edc241a0f38c595aef05121edd77b796af91a53b7
                                          • Instruction Fuzzy Hash: 4311B231204214DBCB14EF2DD8C08697BADBF4931A700453BF816AF281D738EE55CB99
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Xinvalid_argument_memmovestd::_
                                          • String ID: string too long
                                          • API String ID: 256744135-2556327735
                                          • Opcode ID: 8975f657d9a7cfb133e53d7065bef3770500d825dd1e41e8462f4c839f89806f
                                          • Instruction ID: dec5a78bac541e7cc96ed1c9926c605749eb25628199ec0efa7e0c2a690b53d3
                                          • Opcode Fuzzy Hash: 8975f657d9a7cfb133e53d7065bef3770500d825dd1e41e8462f4c839f89806f
                                          • Instruction Fuzzy Hash: 9611CA723107108BD7349E3D89415A7B3E5DF81702B10092FF483A7281F7789E8586DD
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 00415A64
                                            • Part of subcall function 0046FDE9: _malloc.LIBCMT ref: 0046FE03
                                          • __Getctype.LIBCPMT ref: 00415ABA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: GetctypeH_prolog3_malloc
                                          • String ID: [A
                                          • API String ID: 2305669768-3164954885
                                          • Opcode ID: 653bee470e3880e49cd3b1acab034f8a093366ff9c59995831d00000ed81ea4c
                                          • Instruction ID: 163edd8d4773ffff7cc1e66bb886d02164814d0e396392becf00b18e32c95b77
                                          • Opcode Fuzzy Hash: 653bee470e3880e49cd3b1acab034f8a093366ff9c59995831d00000ed81ea4c
                                          • Instruction Fuzzy Hash: E811C171900A04DFCF11DF95C4806DEB7F4EF88350F14455BE854AF281E3B89A808744
                                          APIs
                                          • __EH_prolog3_GS.LIBCMT ref: 00468E6C
                                            • Part of subcall function 0041AA95: __EH_prolog3.LIBCMT ref: 0041AA9C
                                            • Part of subcall function 0041AEA3: __EH_prolog3.LIBCMT ref: 0041AEAA
                                            • Part of subcall function 0041AEA3: std::_Mutex::_Mutex.LIBCPMT ref: 0041AEBB
                                            • Part of subcall function 0041AEA3: std::locale::_Init.LIBCPMT ref: 0041AED2
                                            • Part of subcall function 0041AEA3: std::locale::facet::_Incref.LIBCPMT ref: 0041AEE0
                                            • Part of subcall function 004696C4: __EH_prolog3_catch.LIBCMT ref: 004696CB
                                            • Part of subcall function 0041386D: _memmove.LIBCMT ref: 00413889
                                            • Part of subcall function 00402DC8: _memmove.LIBCMT ref: 00402DE7
                                            • Part of subcall function 00412B70: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00412B82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: H_prolog3_memmove$H_prolog3_H_prolog3_catchIncrefInitIos_base_dtorMutexMutex::_std::_std::ios_base::_std::locale::_std::locale::facet::_
                                          • String ID: PI$Q8A
                                          • API String ID: 3326898877-3209418460
                                          • Opcode ID: 6b002bf545458a85ac84c8e84c514c88b14ac2923dd59a29698a259208f73397
                                          • Instruction ID: d8c3c6f2414f6ee8b1375675848af608c8b7589b3eec2d4c16630e6f12b12ed1
                                          • Opcode Fuzzy Hash: 6b002bf545458a85ac84c8e84c514c88b14ac2923dd59a29698a259208f73397
                                          • Instruction Fuzzy Hash: B721EDB18012599EDB10DF99C885BCDBBB4BF08348F5085AFE408A7241CBB85F88DF55
                                          APIs
                                          • std::_Xinvalid_argument.LIBCPMT ref: 00403229
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7D6
                                            • Part of subcall function 0046E7C1: __CxxThrowException@8.LIBCMT ref: 0046E7EB
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7FC
                                          • _memmove.LIBCMT ref: 00403264
                                          Strings
                                          • invalid string position, xrefs: 00403224
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                          • String ID: invalid string position
                                          • API String ID: 1785806476-1799206989
                                          • Opcode ID: 913fe7c3a78abb7d13fb4d31d0efe0944df7613cf3b413e51a11c8fbc756c172
                                          • Instruction ID: 9e786481701b129658338054be47c4e6b52ae1ac80014c80246de9a8a94ffe85
                                          • Opcode Fuzzy Hash: 913fe7c3a78abb7d13fb4d31d0efe0944df7613cf3b413e51a11c8fbc756c172
                                          • Instruction Fuzzy Hash: 3401F5313002118BD7248EAC99C0817BBEAEB857027300D7ED48297285DB78ED468399
                                          APIs
                                          • __fprintf_l.LIBCMT ref: 00446E3A
                                            • Part of subcall function 00444FDF: _memset.LIBCMT ref: 00445025
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __fprintf_l_memset
                                          • String ID: DELETE FROM %Q.%s WHERE %s=%Q$sqlite_stat%d
                                          • API String ID: 4274417252-3667113883
                                          • Opcode ID: 942f8fb08ff4eae55ab3d13b89d6c5308b0d0d66e4ee93c02a7561b1870ca5d9
                                          • Instruction ID: f8589e8d9a26ae43d124d58f499ae8f0ed0af93f440458fc021c4f035606a9cb
                                          • Opcode Fuzzy Hash: 942f8fb08ff4eae55ab3d13b89d6c5308b0d0d66e4ee93c02a7561b1870ca5d9
                                          • Instruction Fuzzy Hash: 50111E75A0010DABDF00DF99CC819EEBBB9EF4C318F20046AE905B7241D73AA915CB69
                                          APIs
                                          • std::_Xinvalid_argument.LIBCPMT ref: 0040337E
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7D6
                                            • Part of subcall function 0046E7C1: __CxxThrowException@8.LIBCMT ref: 0046E7EB
                                            • Part of subcall function 0046E7C1: std::exception::exception.LIBCMT ref: 0046E7FC
                                          • _memmove.LIBCMT ref: 004033B9
                                          Strings
                                          • invalid string position, xrefs: 00403379
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                          • String ID: invalid string position
                                          • API String ID: 1785806476-1799206989
                                          • Opcode ID: 9eb7faf2e6faeb41fa55d8dcc56a8afe5ff73efbb7683bf621f3ac37bc0f839b
                                          • Instruction ID: 0bda39f820f30059c7e57027e894e507119243c9990409212f2f444c69b5ec92
                                          • Opcode Fuzzy Hash: 9eb7faf2e6faeb41fa55d8dcc56a8afe5ff73efbb7683bf621f3ac37bc0f839b
                                          • Instruction Fuzzy Hash: AF0175313046158BC720CE69D9C481EB7EEAFC07063300A3FD492D7A45EF78EA468759
                                          APIs
                                            • Part of subcall function 004733C3: __getptd.LIBCMT ref: 004733C9
                                            • Part of subcall function 004733C3: __getptd.LIBCMT ref: 004733D9
                                          • __getptd.LIBCMT ref: 0047479D
                                            • Part of subcall function 0047944A: __getptd_noexit.LIBCMT ref: 0047944D
                                            • Part of subcall function 0047944A: __amsg_exit.LIBCMT ref: 0047945A
                                          • __getptd.LIBCMT ref: 004747AB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __getptd$__amsg_exit__getptd_noexit
                                          • String ID: csm
                                          • API String ID: 803148776-1018135373
                                          • Opcode ID: 404f56d50f3b26f7e211339cfdf0b266a93c548570b92cdd4404ac09152d15cf
                                          • Instruction ID: b8131f9b7ebfff7731b9603a12a8baccfe68af38b0e134df07205102745ca2ab
                                          • Opcode Fuzzy Hash: 404f56d50f3b26f7e211339cfdf0b266a93c548570b92cdd4404ac09152d15cf
                                          • Instruction Fuzzy Hash: BF018F398102088BCF34AF61D5406FEB3B4AF80315F25C82FE44956661CB3C8E92CF5A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: BINARY$_D
                                          • API String ID: 4104443479-283136081
                                          • Opcode ID: 5b22f8b50b5f2133c931cfbea7fffa0d2320d9deaa1fd83a2e7fc2918a5741c7
                                          • Instruction ID: 01fe36ac2e30555e739da06b3692a6852457e35666898bfbb06df9ac68006b8a
                                          • Opcode Fuzzy Hash: 5b22f8b50b5f2133c931cfbea7fffa0d2320d9deaa1fd83a2e7fc2918a5741c7
                                          • Instruction Fuzzy Hash: 4EE02BB3A08B216BC611EA11DC00DDB6355CBD0762F10482FF0016B201DB289C4587ED
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 0041AA9C
                                            • Part of subcall function 0041A9AA: __EH_prolog3.LIBCMT ref: 0041A9B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2640894838.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_400000_LisectAVT_2403002A_138.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: H_prolog3
                                          • String ID: 8A$y7A
                                          • API String ID: 431132790-986163295
                                          • Opcode ID: 675b6c8e314a701651642a6a65e2df11dbf11e1fc083ea397396e9c8fc74456e
                                          • Instruction ID: 203f62c7af7097697ea8d2d9f78f1757dd958db0e0812375e33c072b0d345903
                                          • Opcode Fuzzy Hash: 675b6c8e314a701651642a6a65e2df11dbf11e1fc083ea397396e9c8fc74456e
                                          • Instruction Fuzzy Hash: 9BE012B5210610ABCB22EF18C805A9DBBE0BF49304F05C84AF9994B352C379EE108B99