Edit tour

Windows Analysis Report
LisectAVT_2403002A_262.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_262.exe
Analysis ID:	1481019
MD5:	6efb242ee7f7a8fac1e25dec0ac7f516
SHA1:	65f5091253ff71b5fe2c5539413034dfdded3bdf
SHA256:	7cb0ebf40882b541a0afbe9e0c1fa73f78df98778d745e821d4abb209df37966
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected RisePro Stealer

AI detected suspicious sample

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found potential dummy code loops (likely to delay analysis)

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

PE file contains section with special chars

Potential thread-based time evasion detected

Switches to a custom stack to bypass stack traces

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_262.exe (PID: 3300 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_262.exe" MD5: 6EFB242EE7F7A8FAC1E25DEC0AC7F516)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: LisectAVT_2403002A_262.exe PID: 3300	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.190

Timestamp:	2024-07-25T03:00:23.355182+0200
SID:	2046269
Source Port:	49730
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T03:00:38.371393+0200
SID:	2022930
Source Port:	443
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.190

Timestamp:	2024-07-25T03:00:20.371409+0200
SID:	2049060
Source Port:	49730
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T03:01:16.344989+0200
SID:	2022930
Source Port:	443
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_262.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: LisectAVT_2403002A_262.exe	ReversingLabs: Detection: 55%
Source: LisectAVT_2403002A_262.exe	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_262.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_262.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 193.233.132.190:50500

Source: Joe Sandbox View

IP Address: 193.233.132.190 193.233.132.190

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.190
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.190
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.190
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.190
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.190

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: 0_2_002CE0A0 recv,setsockopt,setsockopt,connect,setsockopt,

0_2_002CE0A0

Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT

System Summary

PE file contains section with special chars

Source: LisectAVT_2403002A_262.exe	Static PE information: section name: .vmp$PH
Source: LisectAVT_2403002A_262.exe	Static PE information: section name: .vmp$PH
Source: LisectAVT_2403002A_262.exe	Static PE information: section name: .vmp$PH

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_003340A0	0_2_003340A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0033E0F0	0_2_0033E0F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002BE150	0_2_002BE150
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00306270	0_2_00306270
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_003AE264	0_2_003AE264
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_003A8314	0_2_003A8314
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0033E300	0_2_0033E300
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0037E300	0_2_0037E300
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00338370	0_2_00338370
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_003B0413	0_2_003B0413
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002DC470	0_2_002DC470
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00324450	0_2_00324450
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002B24F0	0_2_002B24F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_003104D0	0_2_003104D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0037C580	0_2_0037C580
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00366630	0_2_00366630
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00334610	0_2_00334610
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0039A65D	0_2_0039A65D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0036C770	0_2_0036C770
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0049885E	0_2_0049885E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0033A840	0_2_0033A840
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002D88A0	0_2_002D88A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002FA900	0_2_002FA900
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0039A99F	0_2_0039A99F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00332A70	0_2_00332A70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002DEA60	0_2_002DEA60
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00370A90	0_2_00370A90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002D4AD0	0_2_002D4AD0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0033CC30	0_2_0033CC30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002DAE30	0_2_002DAE30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00344EE0	0_2_00344EE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00394F58	0_2_00394F58
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00396F90	0_2_00396F90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0033CF80	0_2_0033CF80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0034B000	0_2_0034B000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00335040	0_2_00335040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0033F110	0_2_0033F110
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00341110	0_2_00341110
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00337100	0_2_00337100
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002F3160	0_2_002F3160
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002E11D0	0_2_002E11D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002FF280	0_2_002FF280
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002D3330	0_2_002D3330
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_003453D0	0_2_003453D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0046B450	0_2_0046B450
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0033D400	0_2_0033D400
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00385470	0_2_00385470
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00381450	0_2_00381450
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002EB480	0_2_002EB480
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_003356F0	0_2_003356F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_003417F0	0_2_003417F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002E77E0	0_2_002E77E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002E58A0	0_2_002E58A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0038B900	0_2_0038B900

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: String function: 0038E9C0 appears 34 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: String function: 00340F50 appears 87 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: String function: 002B2AE0 appears 58 times

Source: LisectAVT_2403002A_262.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

File created: C:\Users\user\AppData\Local\Temp\adobe1UCxyIil7R_y

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_262.exe, LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: LisectAVT_2403002A_262.exe	ReversingLabs: Detection: 55%
Source: LisectAVT_2403002A_262.exe	Virustotal: Detection: 60%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Section loaded: devobj.dll	Jump to behavior

Source: LisectAVT_2403002A_262.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_262.exe

Static file information: File size 2956293 > 1048576

Source: LisectAVT_2403002A_262.exe

Static PE information: Raw size of .vmp$PH is bigger than: 0x100000 < 0x2ce800

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: 0_2_002EB480 SHGetFolderPathA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002EB480

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp$PH

Source: LisectAVT_2403002A_262.exe

Static PE information: real checksum: 0x2deb24 should be: 0x2deb29

Source: LisectAVT_2403002A_262.exe	Static PE information: section name: .vmp$PH
Source: LisectAVT_2403002A_262.exe	Static PE information: section name: .vmp$PH
Source: LisectAVT_2403002A_262.exe	Static PE information: section name: .vmp$PH

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0042A0AB push ss; iretd	0_2_0042A0EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_004C2120 pushad ; iretd	0_2_004C2191
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0038E588 push ecx; ret	0_2_0038E59B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_0041E97D push 7396A22Dh; iretd	0_2_0041E999
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_004DA980 push ebx; retf	0_2_004F2F2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_004DCA60 push ebx; retf	0_2_004DCA6A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_004ECB3C push esp; retf 237Dh	0_2_004ECB5F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_004BF1AD push ecx; ret	0_2_004BF1C9

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: 0_2_003340A0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_003340A0

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_0-86472

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_0-86473

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-86563

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	API/Special instruction interceptor: Address: 52EEF2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	API/Special instruction interceptor: Address: 51EB62
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	API/Special instruction interceptor: Address: 521493
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	API/Special instruction interceptor: Address: 5AC5DF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	API/Special instruction interceptor: Address: 563ADB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	API/Special instruction interceptor: Address: 55A082
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	API/Special instruction interceptor: Address: 617C84

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: 0_2_004EA790 rdtsc

0_2_004EA790

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

0_2_00312530

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Window / User API: threadDelayed 3118			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Window / User API: threadDelayed 5366			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

API coverage: 4.7 %

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220	Thread sleep count: 3118 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220	Thread sleep time: -314918s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 3060	Thread sleep count: 303 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220	Thread sleep count: 5366 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe TID: 1220	Thread sleep time: -541966s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Last function: Thread delayed

Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105722473.00000000010FC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}544
Source: LisectAVT_2403002A_262.exe, 00000000.00000003.1670745035.00000000014D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_C88909DA
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Anti Debugging

Found potential dummy code loops (likely to delay analysis)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Process Stats: CPU usage > 42% for more than 60s

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: 0_2_004EA790 rdtsc

0_2_004EA790

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: 0_2_002EB480 SHGetFolderPathA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002EB480

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00312530 mov eax, dword ptr fs:[00000030h]	0_2_00312530
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_00312530 mov eax, dword ptr fs:[00000030h]	0_2_00312530
Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe	Code function: 0_2_002C4100 mov eax, dword ptr fs:[00000030h]	0_2_002C4100

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: 0_2_0038E3B4 cpuid

0_2_0038E3B4

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Code function: 0_2_002BA480 GetProcAddress,GetVersionExA,

0_2_002BA480

Source: C:\Users\user\Desktop\LisectAVT_2403002A_262.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match

File source: Process Memory Space: LisectAVT_2403002A_262.exe PID: 3300, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match

File source: Process Memory Space: LisectAVT_2403002A_262.exe PID: 3300, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	211 Virtualization/Sandbox Evasion	OS Credential Dumping	421 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	211 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	224 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_262.exe	55%	ReversingLabs	Win32.Trojan.Leonem
LisectAVT_2403002A_262.exe	61%	Virustotal		Browse
LisectAVT_2403002A_262.exe	100%	Avira	TR/AVI.ClipBankercoin.sphdl
LisectAVT_2403002A_262.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Virustotal		Browse
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	LisectAVT_2403002A_262.exe, 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	LisectAVT_2403002A_262.exe, 00000000.00000002.4105801737.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.190	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481019
Start date and time:	2024-07-25 02:59:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_262.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
21:00:52	API Interceptor	1284779x Sleep call for process: LisectAVT_2403002A_262.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.233.132.190	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, PrivateLoader, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	hunta[1].exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	External Own 4.20.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	Aquantia_Setup 2.11.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	AdobeUpdaterV131.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	installer.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	147.45.47.81
	92.249.48.47-skid.arm7-2024-07-20T09_04_19.elf	Get hash	malicious	Mirai, Moobot	Browse	147.45.93.156
	conhost.exe	Get hash	malicious	Xmrig	Browse	147.45.47.81
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	147.45.78.74
	Software1.30.1.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9567746793562995
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_262.exe
File size:	2'956'293 bytes
MD5:	6efb242ee7f7a8fac1e25dec0ac7f516
SHA1:	65f5091253ff71b5fe2c5539413034dfdded3bdf
SHA256:	7cb0ebf40882b541a0afbe9e0c1fa73f78df98778d745e821d4abb209df37966
SHA512:	c4c45accca846279eb8bd0bd6cca89bdaea9a2eb144a62d1a40ee81123c7b4ba5f6a368f512d6f1246c559e3d4ff77d32eefbe3cad85fb6f850b2be239386bab
SSDEEP:	49152:daMLcLQK2pQxjS8p8/wXkT34LDMHcVKLu4Ncn/TC12oaho0U3sFOM+Hi9OiQHZZ8:3G2afwOaoLDMH8KK4NcCaysh+HiYi4Zn
TLSH:	5AD52344AAD71159D58957340B03FFBC31B23EA54BA48D59B7B8BACAE8F725421F3203
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...fS.e..............."..............6...........@...........................R.....$.-...@.........................4.1.J..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x76feb1
Entrypoint Section:	.vmp$PH
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FC5366 [Thu Mar 21 15:33:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	410a0b262f1c4d9a86c700f5864e57ee

Entrypoint Preview

Instruction
push esi
mov esi, 888DEE22h
not si
push esi
pushfd
sub byte ptr [esp+esi+7772EE27h], FFFFFF9Ch
xor word ptr [esp+esi+7772EE27h], si
mov esi, dword ptr [esp+esi+7772EE2Bh]
mov dword ptr [esp+08h], 856776FFh
push dword ptr [esp+00h]
popfd
lea esp, dword ptr [esp+08h]
call 00007F2DA47B1CC4h
push 5FBFE51Dh
call 00007F2DA473C4AAh
push ebx
bt eax, eax
imul bp, bp
mov ebp, edi
movzx ebx, al
ror bl, FFFFFFE6h
add bl, bh
mov ebx, edx
movsx edx, ax
dec eax
mov edx, ebx
sal edx, 02h
mov eax, ebp
call 00007F2DA47C097Ah
mov edx, 323C68A9h
btc edx, edx
movzx eax, dl
mov al, byte ptr [eax+edi-000000A9h]
adc dl, FFFFFFBDh
adc edx, 8BB804A6h
add dl, dh
adc edi, 00000001h
jmp 00007F2DA46C83CBh
and dl, al
not dl
jmp 00007F2DA4790CDCh
mov dword ptr [edi], ecx
jmp 00007F2DA46B9062h
push 7B3B273Dh
sbb edi, 00000008h
call 00007F2DA4966A9Eh
mov si, word ptr [edi]
mov ecx, 6F18162Ah
mov ax, word ptr [edi+ecx-6F181628h]
sal cx, FFC8h
adc cl, byte ptr [edi+ecx+00E7D604h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x311634	0x4a	.vmp$PH
IMAGE_DIRECTORY_ENTRY_IMPORT	0x342f14	0x12c	.vmp$PH
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x523000	0x8940	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x521000	0x1a50	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5202e0	0x40	.vmp$PH
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x251000	0x84	.vmp$PH
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10bbe8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x10d000	0x23b78	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x131000	0x48c0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp$PH	0x136000	0x11aec9	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp$PH	0x251000	0x560	0x600	0221fb5e4225cc340ee4e43c8a9cb136	False	0.06770833333333333	data	0.40873607633360837	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp$PH	0x252000	0x2ce700	0x2ce800	4492772c4a9fb270cce5fba8cc9cd4f3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x521000	0x1a50	0x1c00	7f8eddde7fe19b79a3dbaa85406a4958	False	0.37723214285714285	data	5.789048687758576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x523000	0x8940	0xe00	e14a07ab56bcb473b6e032789458bd8b	False	0.32254464285714285	data	3.5602061214740988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x523d08	0x2	data			5.0
AFX_DIALOG_LAYOUT	0x523d0c	0x2	data			5.0
RT_DIALOG	0x523d10	0x8e	data			0.08450704225352113
RT_DIALOG	0x523da0	0x1ea	data			0.125
RT_DIALOG	0x523f8c	0x1bc	empty			0
RT_STRING	0x524148	0x44c	empty			0
RT_STRING	0x524594	0x422	empty			0
RT_STRING	0x5249b8	0x45e	empty			0
RT_STRING	0x524e18	0x426	empty			0
RT_STRING	0x525240	0x3c2	empty			0
RT_STRING	0x525604	0x2d6	empty			0
RT_STRING	0x5258dc	0x62	empty			0
RT_RCDATA	0x525940	0x6000	empty	English	United States	0
RT_MESSAGETABLE	0x5233a4	0x74c	Matlab v4 mat-file (little endian) T, text, rows 200, columns 225, imaginary	English	United States	0.30085653104925053
RT_MANIFEST	0x523af0	0x216	ASCII text, with CRLF line terminators			0.5411985018726592

Imports

DLL	Import
KERNEL32.dll	GetVersionExA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegCloseKey
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Exports

Name	Ordinal	Address
Start	1	0x465970

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T03:00:23.355182+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49730	50500	192.168.2.4	193.233.132.190
2024-07-25T03:00:38.371393+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49731	13.85.23.86	192.168.2.4
2024-07-25T03:00:20.371409+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49730	50500	192.168.2.4	193.233.132.190
2024-07-25T03:01:16.344989+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49737	20.12.23.50	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 03:00:20.336462975 CEST	49730	50500	192.168.2.4	193.233.132.190
Jul 25, 2024 03:00:20.341460943 CEST	50500	49730	193.233.132.190	192.168.2.4
Jul 25, 2024 03:00:20.341548920 CEST	49730	50500	192.168.2.4	193.233.132.190
Jul 25, 2024 03:00:20.371408939 CEST	49730	50500	192.168.2.4	193.233.132.190
Jul 25, 2024 03:00:20.376594067 CEST	50500	49730	193.233.132.190	192.168.2.4
Jul 25, 2024 03:00:23.355181932 CEST	49730	50500	192.168.2.4	193.233.132.190
Jul 25, 2024 03:00:23.362112999 CEST	50500	49730	193.233.132.190	192.168.2.4
Jul 25, 2024 03:00:41.776778936 CEST	50500	49730	193.233.132.190	192.168.2.4
Jul 25, 2024 03:00:41.776973009 CEST	49730	50500	192.168.2.4	193.233.132.190

Target ID:	0
Start time:	21:00:18
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_262.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_262.exe"
Imagebase:	0x7ff7699e0000
File size:	2'956'293 bytes
MD5 hash:	6EFB242EE7F7A8FAC1E25DEC0AC7F516
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.5%
Total number of Nodes:	76
Total number of Limit Nodes:	20

Executed Functions

Function 00312530 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 00312543
GetCursorPos.USER32(?), ref: 00312549
Sleep.KERNELBASE(000003E9), ref: 003125F8
GetCursorPos.USER32(?), ref: 003125FE
Sleep.KERNELBASE(00000001), ref: 003126AA

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Cursor$Sleep
String ID:
API String ID: 1847515627-0
Opcode ID: ba450522d8b852cce82a6ad40c87fdeeab15800a7dbbd308e5d3770b60103837
Instruction ID: 6751e5902564f7b2ccb9661868063c498c065fd84e0525a5b3fbc86be543c9c7
Opcode Fuzzy Hash: ba450522d8b852cce82a6ad40c87fdeeab15800a7dbbd308e5d3770b60103837
Instruction Fuzzy Hash: D751CD35A002198FCB1ACF58C8D0EEAB7B6FF89704F1A4099D845AB351D731ED95CB80

Function 002CE0A0 Relevance: .1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ff1605327ca316c8b9a043386054d5797c7744aad8e1b5d4ccb2ea62d7317e
Instruction ID: 78d5166d7f77c71d01861de1a8154755338ce21d1759e17a0bb375b9027baf14
Opcode Fuzzy Hash: 96ff1605327ca316c8b9a043386054d5797c7744aad8e1b5d4ccb2ea62d7317e
Instruction Fuzzy Hash: E3310671504301ABDB209F29C805B6BBBF4FF85338F040B1EF9A8922E1D3759C248B92

Function 002BB865 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 194
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExA.KERNELBASE(00000000,}PQ[][SpMP^,00000000,00020019,?,00000400,67747E63,80000002,67747E63,00000000,00020119,00000000), ref: 002BB9A9

Strings

c~tg, xrefs: 002BB8E9
ctdr, xrefs: 002BB8F0
e_Y][BX, xrefs: 002BB893, 002BB8CC
_, xrefs: 002BBAC6
_, xrefs: 002BBB25
6<63, xrefs: 002BB90C
'.8*, xrefs: 002BB913
_, xrefs: 002BBB32
}PQ[][SpMP^, xrefs: 002BB9A2, 002BB9A5
dtSX, xrefs: 002BB8F7
NRMP, xrefs: 002BB8FE

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: QueryValue
String ID: '.8*$6<63$NRMP$_$_$_$ctdr$c~tg$dtSX$e_Y][BX$}PQ[][SpMP^
API String ID: 3660427363-1506859272
Opcode ID: 130e4c59e912ac15ef55f314adccb1dfdfa04fd9361e30f4603eeafc43295483
Instruction ID: e5ce2f195cb22646b1ff76611d031e1b035a63e3f13184e0788822583d8ee9e6
Opcode Fuzzy Hash: 130e4c59e912ac15ef55f314adccb1dfdfa04fd9361e30f4603eeafc43295483
Instruction Fuzzy Hash: 1F81CF70C1428C9EDF15CFA4C855BEEBBF9AF05348F1481ADE449AB242EBB0560ACF51

Function 002CF1D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000260,0000FFFF,00001006,?,00000008), ref: 002CF274
recv.WS2_32(?,00000004,00000002), ref: 002CF28B

Strings

S>, xrefs: 002CF221

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: recvsetsockopt
String ID: S>
API String ID: 2397466200-2549845198
Opcode ID: 88d935d4710ae9d49388e7894b0277525267ccda352db4ffc364127f1a6b5e2b
Instruction ID: 624933514917e0dde2326e803b36b5ec84155ce642523443d0ab0a165bb39371
Opcode Fuzzy Hash: 88d935d4710ae9d49388e7894b0277525267ccda352db4ffc364127f1a6b5e2b
Instruction Fuzzy Hash: D52127789446849FEB26DF64EC85FA677BDF704718FA04329E6209B2E0C7B01804CB55

Function 002BA6A9 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE ref: 002BA6BE
GetLastError.KERNEL32 ref: 002BA6C9
__Mtx_unlock.LIBCPMT ref: 002BA6EE

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: AttributesErrorFileLastMtx_unlock
String ID:
API String ID: 441747541-0
Opcode ID: 4e45bfc3a3c17087ebaf1c9ff800823212b7e38193282472c18d511615fe2595
Instruction ID: 29abd1726ad12eea6f307fffad7cddf50b9ab498b5832c015d9e4089d14acb34
Opcode Fuzzy Hash: 4e45bfc3a3c17087ebaf1c9ff800823212b7e38193282472c18d511615fe2595
Instruction Fuzzy Hash: 3EF02BF15650530A0D391E3868950FC770E86533ECB6C0752D44BCB591D213CCB7CA53

Function 003A3605 Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003A34EC,00000000,CF830579,003DEFD8,0000000C,003A35A8,003976AD,?), ref: 003A365B
GetLastError.KERNEL32(?,003A34EC,00000000,CF830579,003DEFD8,0000000C,003A35A8,003976AD,?), ref: 003A3665

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: a51f84e6314bb7b32ae0a3d1e3432aac957c5bdfd59ad7f78f8ae800e62ab674
Instruction ID: 65371f456101f4aed7615b4bbf905ec8fb90f5a3bbf49b2adecc7d37f1cac26a
Opcode Fuzzy Hash: a51f84e6314bb7b32ae0a3d1e3432aac957c5bdfd59ad7f78f8ae800e62ab674
Instruction Fuzzy Hash: B61108326091603AD6272334A98AB6E675DCB87B34F26025AF9199F3E2DB70CD414251

Function 0031F050 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0031F19E

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: f172ecc2e940ff007fa3d7d83195642a696be6f15b40698ec908d00291fcb43d
Instruction ID: 00f7845859960e2782846ed831fd8f00ac7d5028b76034047b324753db24543d
Opcode Fuzzy Hash: f172ecc2e940ff007fa3d7d83195642a696be6f15b40698ec908d00291fcb43d
Instruction Fuzzy Hash: 0941B372A002149FCB1AEF68D8806EE7BA5AF4D350F1546B9F809DB342D631DE9487E1

Non-executed Functions

Function 002F3160 Relevance: 483.9, APIs: 40, Strings: 235, Instructions: 2616fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F31F0
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F324C
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002F327D
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F33B8
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002F33E7
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 002F34E6
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F35BD
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F361B
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 002F3756
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F37E4
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 002F395B
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 002F3B09
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 002F3C91
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F3D3B
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 002F3EE2
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F3F7A
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 002F40B7
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F414E
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 002F42D0
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F4365

Strings

;g(", xrefs: 002F3ABD
lBSE, xrefs: 002F3700
#)'1, xrefs: 002F3820
lt^V, xrefs: 002F4EFF
P, xrefs: 002F5D2A
lwWR, xrefs: 002F3F26
]b]M, xrefs: 002F3A9F
'7'!, xrefs: 002F3D7D
lb[T, xrefs: 002F517A
c[JO, xrefs: 002F340D
qabw, xrefs: 002F5971
RI, xrefs: 002F3F44
ZV^R, xrefs: 002F3A8B
4.0", xrefs: 002F4F27
,, xrefs: 002F41C2
Zcfy, xrefs: 002F5F3D
kSBG, xrefs: 002F3497
lE^R, xrefs: 002F3E6B
:42:, xrefs: 002F3DB9
Zcfy, xrefs: 002F5FB0
lbW@, xrefs: 002F5447
lwfc, xrefs: 002F31C9, 002F31D1
FZEX, xrefs: 002F4D53
dNYC, xrefs: 002F3403
l, xrefs: 002F60FC
ZPUE, xrefs: 002F3B38
. &., xrefs: 002F3B6A
,$1m, xrefs: 002F3E93
?$<', xrefs: 002F41AE
<,+&, xrefs: 002F46AA
#)'1, xrefs: 002F3B56
TX, xrefs: 002F3299
H, xrefs: 002F428E
[@XC, xrefs: 002F4067
lt^VYPXC, xrefs: 002F4EC2, 002F4EC8
qabw, xrefs: 002F3FEA
lv@\, xrefs: 002F35D1
lBC_, xrefs: 002F5556
xtfg, xrefs: 002F368B
RJUU, xrefs: 002F57BF
lBC_, xrefs: 002F5611
lbFVUX, xrefs: 002F462D, 002F4633
l}]P, xrefs: 002F52DF
Q^Rc, xrefs: 002F3D69
ZV^R, xrefs: 002F38F0
[@XC, xrefs: 002F5DD4
lsSG, xrefs: 002F4379
la[W, xrefs: 002F5BE9
lTKl, xrefs: 002F4AA5
GPXP, xrefs: 002F4C9C
l~BV, xrefs: 002F5F31
lxqb, xrefs: 002F5033, 002F5036
YPXC, xrefs: 002F4F09
TS, xrefs: 002F44C8
l}G], xrefs: 002F40FB
qabw, xrefs: 002F43BB
CAYG, xrefs: 002F3635
QX, xrefs: 002F35E5
WDNZ, xrefs: 002F4D67
'{"/, xrefs: 002F41B8
[X, xrefs: 002F529B
CAYG, xrefs: 002F35DB
l}]P, xrefs: 002F527D
JfWH, xrefs: 002F3A95
G\YY, xrefs: 002F5451
A[U_, xrefs: 002F3E75
7=3%, xrefs: 002F3DA5
l|[P, xrefs: 002F4D49
#)'1, xrefs: 002F39A8
", xrefs: 002F3AC7
lw[_, xrefs: 002F3285
.6)), xrefs: 002F3E9D
{US^, xrefs: 002F3F3A
N\YZ, xrefs: 002F5465
le~R, xrefs: 002F3CF1
qabw, xrefs: 002F3A0A
lUSG, xrefs: 002F5740
??, xrefs: 002F3B7E
G\YY, xrefs: 002F54E1
qabw, xrefs: 002F50AE
lw[_, xrefs: 002F3203
P\Hg, xrefs: 002F3D5F
NRXV, xrefs: 002F3E89
ebwa, xrefs: 002F41EF
lR]], xrefs: 002F491B
_RKQ, xrefs: 002F3904
ZTDT, xrefs: 002F4168
JfJI, xrefs: 002F3C30
Y_Ng, xrefs: 002F380C
duUX, xrefs: 002F4F13
G\YY, xrefs: 002F53E6
UT[U, xrefs: 002F3371
RJUU, xrefs: 002F582F
:$6, xrefs: 002F4DA3
FZQE, xrefs: 002F4678
7*(, xrefs: 002F3918
l|[], xrefs: 002F379A
l, xrefs: 002F4523
7*(, xrefs: 002F3FBC
]K, xrefs: 002F3D05
RX]K, xrefs: 002F5F51
;, xrefs: 002F5FE2
qabw, xrefs: 002F3DF4
lbYJDP, xrefs: 002F4D0F, 002F4D12
lPQP, xrefs: 002F4270
lsSG, xrefs: 002F4314
lUSG, xrefs: 002F56CA
lE]K, xrefs: 002F593F
lxqb, xrefs: 002F506D
FZQE, xrefs: 002F46F8
9?, xrefs: 002F4B55
7*(, xrefs: 002F3C4E
Y_Ng, xrefs: 002F3994
S[WS, xrefs: 002F3C3A
Jf[X, xrefs: 002F38FA
[@XC, xrefs: 002F427A
P\KQ, xrefs: 002F3816
?c$<, xrefs: 002F3B74
U@XT, xrefs: 002F3D55
UQ[L, xrefs: 002F470C
??, xrefs: 002F3848
lR]], xrefs: 002F57AB
`i:{, xrefs: 002F4696
QXfH, xrefs: 002F363F
le]G, xrefs: 002F335D
qabw, xrefs: 002F4DD4
`'-1, xrefs: 002F4D71
l]SF, xrefs: 002F3C1C
# , xrefs: 002F4F31
lPQP, xrefs: 002F5D0C
l]SF, xrefs: 002F38E6
]J, xrefs: 002F5752
lR]], xrefs: 002F4976
lPQP, xrefs: 002F5D6F
ZPUE, xrefs: 002F398A
lbW@, xrefs: 002F53DC
QVDV, xrefs: 002F37A4
%(, xrefs: 002F4720
?c$<, xrefs: 002F383E
Je[X, xrefs: 002F3F9E
l]SF, xrefs: 002F3A81
UA^R, xrefs: 002F3F94
[X, xrefs: 002F5386
gyse, xrefs: 002F33F9
UYuX, xrefs: 002F3367
ZPUE, xrefs: 002F3802
SS, xrefs: 002F407B
lUSG, xrefs: 002F5672
z7?9, xrefs: 002F39DA
[X, xrefs: 002F52FD
Q\TO, xrefs: 002F410F
^Mfh, xrefs: 002F4D5D
qabw, xrefs: 002F386F
Qo_[, xrefs: 002F328F
lvS^QF, xrefs: 002F358E, 002F3599
l}]P, xrefs: 002F5366
lPQP, xrefs: 002F405D
lR]], xrefs: 002F581B
TP_U, xrefs: 002F4172
#=%;, xrefs: 002F4D85
45+-, xrefs: 002F4186
]J, xrefs: 002F56DE
'<$?, xrefs: 002F3834
%2l), xrefs: 002F3C44
)$/8, xrefs: 002F419A
N\YZ, xrefs: 002F53FA
UGu[, xrefs: 002F4105
42l), xrefs: 002F3FB2
UWWD, xrefs: 002F567C
LVHZ, xrefs: 002F5291
qabw, xrefs: 002F6038
P\KQ, xrefs: 002F399E
|xnz, xrefs: 002F3695
lvzz, xrefs: 002F33EF
UQ[L, xrefs: 002F468C
Y_Ng, xrefs: 002F3B42
UWWD, xrefs: 002F56D4
lv@\, xrefs: 002F362B
HaMZ, xrefs: 002F417C
n(,*, xrefs: 002F3417
GS, xrefs: 002F4AEE
lPQP, xrefs: 002F5DC8
RX]K, xrefs: 002F5FC4
42l), xrefs: 002F390E
ZV^R, xrefs: 002F3C26
lBC_, xrefs: 002F55A3
qabw, xrefs: 002F3BA5
]KeK, xrefs: 002F3E7F
LVHZ, xrefs: 002F537C
l, xrefs: 002F485D
_RKQ, xrefs: 002F3FA8
l, xrefs: 002F5AFB
TX, xrefs: 002F3217
lFQK, xrefs: 002F348D
A[U_, xrefs: 002F3CFB
?<, xrefs: 002F4DAD
90> , xrefs: 002F39D0
@Z]R, xrefs: 002F4AAF
|~qr, xrefs: 002F3681
@]SE, xrefs: 002F3F30
DI, xrefs: 002F4AC3
(,&, xrefs: 002F3D73
lbW@, xrefs: 002F54D7
l~BV, xrefs: 002F5FA6
<0'=, xrefs: 002F3D9B
N\YZ, xrefs: 002F54F7
^M, xrefs: 002F37AE
CEWR, xrefs: 002F2F8E
Qo_[, xrefs: 002F320D
]J, xrefs: 002F5686
le]K, xrefs: 002F5905, 002F5908
S^\U, xrefs: 002F44F2
CBT], xrefs: 002F4842, 002F4845
L, xrefs: 002F3714
qabw, xrefs: 002F5214
UWWD, xrefs: 002F5746
lb[T, xrefs: 002F51DD
[@XC, xrefs: 002F5D16
l|W@, xrefs: 002F4C92
qabw, xrefs: 002F5C97
lgb}, xrefs: 002F5EF5, 002F5EFD
(( ;, xrefs: 002F39C6
P\KQ, xrefs: 002F3B4C
]R, xrefs: 002F44FC
[@XC, xrefs: 002F5D79
P, xrefs: 002F5DE8
lR]], xrefs: 002F4A03
LVHZ, xrefs: 002F52F3
0,'+, xrefs: 002F3AB3
%%'-, xrefs: 002F3AA9
qabw, xrefs: 002F4F58
P, xrefs: 002F5D8D
dgyq, xrefs: 002F41F9
",*", xrefs: 002F5FD8
FEZR, xrefs: 002F5C4A

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: CreateDirectory$CopyFile$FolderPath
String ID: (,&$ :$6$"$",*"$# $#)'1$#)'1$#)'1$#=%;$%%'-$%($%2l)$'7'!$'<$?$'{"/$(( ;$)$/8$,$,$1m$. &.$.6))$0,'+$4.0"$42l)$42l)$45+-$7*($7*($7*($7=3%$90> $9?$:42:$;$;g("$<,+&$<0'=$?$<'$?<$??$??$?c$<$?c$<$@Z]R$@]SE$A[U_$A[U_$CAYG$CAYG$CBT]$CEWR$DI$FEZR$FZEX$FZQE$FZQE$GPXP$GS$G\YY$G\YY$G\YY$H$HaMZ$Je[X$JfJI$JfWH$Jf[X$L$LVHZ$LVHZ$LVHZ$NRXV$N\YZ$N\YZ$N\YZ$P$P$P$P\Hg$P\KQ$P\KQ$P\KQ$QVDV$QX$QXfH$Q\TO$Q^Rc$Qo_[$Qo_[$RI$RJUU$RJUU$RX]K$RX]K$SS$S[WS$S^\U$TP_U$TS$TX$TX$U@XT$UA^R$UGu[$UQ[L$UQ[L$UT[U$UWWD$UWWD$UWWD$UYuX$WDNZ$YPXC$Y_Ng$Y_Ng$Y_Ng$ZPUE$ZPUE$ZPUE$ZTDT$ZV^R$ZV^R$ZV^R$Zcfy$Zcfy$[@XC$[@XC$[@XC$[@XC$[@XC$[X$[X$[X$]J$]J$]J$]K$]KeK$]R$]b]M$^M$^Mfh$_RKQ$_RKQ$`'-1$`i:{$c[JO$dNYC$dgyq$duUX$ebwa$gyse$kSBG$l$l$l$l$lBC_$lBC_$lBC_$lBSE$lE]K$lE^R$lFQK$lPQP$lPQP$lPQP$lPQP$lPQP$lR]]$lR]]$lR]]$lR]]$lR]]$lTKl$lUSG$lUSG$lUSG$l]SF$l]SF$l]SF$la[W$lbFVUX$lbW@$lbW@$lbW@$lbYJDP$lb[T$lb[T$le]G$le]K$le~R$lgb}$lsSG$lsSG$lt^V$lt^VYPXC$lv@\$lv@\$lvS^QF$lvzz$lwWR$lw[_$lw[_$lwfc$lxqb$lxqb$l|W@$l|[P$l|[]$l}G]$l}]P$l}]P$l}]P$l~BV$l~BV$n(,*$qabw$qabw$qabw$qabw$qabw$qabw$qabw$qabw$qabw$qabw$qabw$qabw$qabw$xtfg$z7?9${US^$|xnz$|~qr
API String ID: 3277442881-1190981108
Opcode ID: 6ba2cde1bf5955e28320054635bc47cc62e753c5561f7042043e0f4af55a486d
Instruction ID: 553654bac1febccfa3f9f9cdf2972a0d5a60485d3d0e81ff2a0e106fc8041042
Opcode Fuzzy Hash: 6ba2cde1bf5955e28320054635bc47cc62e753c5561f7042043e0f4af55a486d
Instruction Fuzzy Hash: 7D436DB0C14268DADF25EB60CC56BEEBB74AF14344F4441D8D54977282EB706B98CFA2

Function 002BE150 Relevance: 442.8, APIs: 46, Strings: 206, Instructions: 1778COMMON

Download Yara Rule

Strings

]AU_, xrefs: 002C0976
UYCD, xrefs: 002C32A1
l|]], xrefs: 002C0CE2
LVHZ, xrefs: 002C252F
[X, xrefs: 002C1277
G\YY, xrefs: 002C2666
Uunx, xrefs: 002C0BFE
@\RX, xrefs: 002C2998
PQ[K, xrefs: 002C20A7
[X, xrefs: 002C116B
$,>8, xrefs: 002C1989
LVHZ, xrefs: 002C1161
lt^VWADBUeMZPQ[K3, xrefs: 002C07F0, 002C080F
oIQM, xrefs: 002C14F9
l{SK, xrefs: 002C156D
U[UR, xrefs: 002C1F5B
]KNB, xrefs: 002C0E8A
l}]P, xrefs: 002C11C0
Ua}S, xrefs: 002C196B
Y\Uk, xrefs: 002C05EE
[X, xrefs: 002C2539
ZPNS, xrefs: 002C1B2D
l}]P, xrefs: 002C1257
( 24, xrefs: 002C168D
tPA[, xrefs: 002C2BC5
tPWW, xrefs: 002C3297
WZ_Y, xrefs: 002C2AD2
lFS_, xrefs: 002C02A1
lt^V, xrefs: 002C086A
[X, xrefs: 002C25D2
lx\WQMSS|{, xrefs: 002BEA5D, 002BEA8E
w^^W, xrefs: 002C2D11
}TURWZ_Y, xrefs: 002C2E7E, 002C2E83
lx\W, xrefs: 002C237B
t^UV, xrefs: 002C2AC8
Vz[H, xrefs: 002C1CF0
ls[], xrefs: 002C1F51
[VSU, xrefs: 002C2DD3
rXFP, xrefs: 002C2A75
2$l), xrefs: 002C1EA4
lbW@, xrefs: 002C26D8
!-.&, xrefs: 002C098A
ipq\, xrefs: 002C3012
l}]P, xrefs: 002C251B
`C[^QVY^V, xrefs: 002C2F71
WADX, xrefs: 002C1D81
bTVWWZ_Y, xrefs: 002C324E, 002C3264
wZ_Y, xrefs: 002C2D1B
jRS@\, xrefs: 002C3080, 002C309C
|{, xrefs: 002C10C3
lR]^, xrefs: 002C0E76
RS[K, xrefs: 002C32B5
QGYk, xrefs: 002C0CE9
LizX, xrefs: 002C14E5
lbW@, xrefs: 002C2778
|XFVWZ_Y, xrefs: 002C31DD, 002C31F3
y, xrefs: 002C337B
dXJK, xrefs: 002C1E90
G\YY, xrefs: 002C1387
Vz[H, xrefs: 002C1D8B
lr]Z, xrefs: 002C165B
][, xrefs: 002C301C
~P_V, xrefs: 002C2F05
V, xrefs: 002C2FCC
N\YZ, xrefs: 002C143D
j2'+, xrefs: 002C286E
lbW@, xrefs: 002C265C
QMSS, xrefs: 002C2385
l|G_, xrefs: 002C283C
QW, xrefs: 002C2C30
|{, xrefs: 002C2326
lx\W, xrefs: 002C10AD
wZDR, xrefs: 002C2BCF
lbW@, xrefs: 002C141D
[X, xrefs: 002C24C6
_\, xrefs: 002C2935
WADB, xrefs: 002C0BF4
N\YZ, xrefs: 002C139B
LVHZ, xrefs: 002C25C8
ls[], xrefs: 002C1E7C
G\YY, xrefs: 002C26E2
l}]P, xrefs: 002C24A8
$,>, xrefs: 002C2878
G\YY, xrefs: 002C1427
WZ_Y, xrefs: 002C2F0F
N\YZ, xrefs: 002C267A
lfS@, xrefs: 002C1A2A
l|]], xrefs: 002C0D87
rscp, xrefs: 002C2B72
lS[G, xrefs: 002C1C21
lt^V, xrefs: 002C1D77
@TZT, xrefs: 002C3143
OXVW, xrefs: 002C0CF0
l}]P, xrefs: 002C114D
QGSB, xrefs: 002C2093
QGSB, xrefs: 002C2124
RRSV, xrefs: 002C1679
|{, xrefs: 002C1034
y_TZ, xrefs: 002C2DBD
|{, xrefs: 002C238F
l{SK, xrefs: 002C14DB
l{SK, xrefs: 002C0F3A
l\G_, xrefs: 002C298E
ls[G, xrefs: 002C1B19
y~q\, xrefs: 002C2D71
,-'7, xrefs: 002C0B45
\PDk, xrefs: 002C1B23
4, xrefs: 002C29B6
vCWZ, xrefs: 002C2CBC
U, xrefs: 002C087E
G\YY, xrefs: 002C130B
YJ[Y, xrefs: 002C1961
8, xrefs: 002C0E9E
QMSS, xrefs: 002C231C
l}]P, xrefs: 002C25B2
WADB, xrefs: 002C0B27
][, xrefs: 002C2D7B
UeMZ, xrefs: 002C209D
dT@A, xrefs: 002C2FB6
[X, xrefs: 002C11DE
XPB`, xrefs: 002C1957
lvGR, xrefs: 002C22A8
QMSS, xrefs: 002C0FC1
!&', xrefs: 002C1503
lx\W, xrefs: 002C2312
@\rX, xrefs: 002C2846
ZZ[^, xrefs: 002C1665
lx\W, xrefs: 002C1020
ls[G, xrefs: 002C1BB7
$.%&, xrefs: 002C2864
|{, xrefs: 002C241E
vCS], xrefs: 002C2C70
lbW@, xrefs: 002C1301
lt^V, xrefs: 002C0BEA
T, xrefs: 002C1D95
tVYZ, xrefs: 002C05F8
LVHZ, xrefs: 002C11D4
lt^V, xrefs: 002C0B1D
", xrefs: 002C1B41
WADB, xrefs: 002C0874
Z\BR, xrefs: 002C2DC7
)$,7, xrefs: 002C1975
ltJ\, xrefs: 002C0A2E
lx\WQMSS|{, xrefs: 002BECA9, 002BECD9
v]]A, xrefs: 002C2C1A
7, xrefs: 002C0B4F
Z\HO, xrefs: 002C0F4E
ZZ[^, xrefs: 002C1703
lfS_, xrefs: 002C194D
7, xrefs: 002C1D0E
UVY^, xrefs: 002C2FC0
N\YZ, xrefs: 002C2798
lr]Z, xrefs: 002C16F9
TaI^, xrefs: 002C1CFA
\[, xrefs: 002C1C35
WADX, xrefs: 002C1CE6
WZ_Y, xrefs: 002C2B27
LVHZ, xrefs: 002C24BC
lx\W, xrefs: 002C0FB7
U[UR, xrefs: 002C1E86
,-'7, xrefs: 002C1D04
QMSS, xrefs: 002C102A
7*(, xrefs: 002C1EAE
0, xrefs: 002C0994
|{, xrefs: 002C0FCB
ltF[, xrefs: 002C211A
U, xrefs: 002C212E
q_]], xrefs: 002C2B1D
]QRZ, xrefs: 002C29AC
N\YZ, xrefs: 002C131F
E, xrefs: 002C0F58
3, xrefs: 002C20B1
dzUR, xrefs: 002C166F
N\YZ, xrefs: 002C26F6
L, xrefs: 002C1577
P@Ek, xrefs: 002C096C
|TVT, xrefs: 002C3325
IQJV, xrefs: 002C285A
}X\P, xrefs: 002C2EB2
TXUZ, xrefs: 002C313C
ltF[, xrefs: 002C2089
QMSS, xrefs: 002C10B7
][UX, xrefs: 002C2C24
/3#$, xrefs: 002C060C
@\rX, xrefs: 002C292B
yIQ\][, xrefs: 002C2E2C
lPF\, xrefs: 002C05E4
lx\W, xrefs: 002C2408
lt^V, xrefs: 002C1CDC
G\YY, xrefs: 002C2782
QMSS, xrefs: 002C2412
lpF\, xrefs: 002C06B6
lvGR, xrefs: 002C2212
_Z, xrefs: 002C2C7A
l|G_, xrefs: 002C2921
lbW@, xrefs: 002C137D
WZ_Y, xrefs: 002C2CC6
lp@^, xrefs: 002C185E
LVHZ, xrefs: 002C126D
lPBC, xrefs: 002C1FBD
lp@^, xrefs: 002C17EA
_\fV, xrefs: 002C2850
!, xrefs: 002C0616
ltJ\, xrefs: 002C0962
lFS_, xrefs: 002BFBE3
lbW@, xrefs: 002BF3D9

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: !$!&'$!-.&$"$$,>$$,>8$$.%&$( 24$)$,7$,-'7$,-'7$/3#$$0$2$l)$3$4$7$7$7*($8$@TZT$@\RX$@\rX$@\rX$E$G\YY$G\YY$G\YY$G\YY$G\YY$G\YY$IQJV$L$LVHZ$LVHZ$LVHZ$LVHZ$LVHZ$LVHZ$LizX$N\YZ$N\YZ$N\YZ$N\YZ$N\YZ$N\YZ$OXVW$P@Ek$PQ[K$QGSB$QGSB$QGYk$QMSS$QMSS$QMSS$QMSS$QMSS$QMSS$QW$RRSV$RS[K$T$TXUZ$TaI^$U$U$UVY^$UYCD$U[UR$U[UR$Ua}S$UeMZ$Uunx$V$Vz[H$Vz[H$WADB$WADB$WADB$WADX$WADX$WZ_Y$WZ_Y$WZ_Y$WZ_Y$XPB`$YJ[Y$Y\Uk$ZPNS$ZZ[^$ZZ[^$Z\BR$Z\HO$[VSU$[X$[X$[X$[X$[X$[X$\PDk$\[$]AU_$]KNB$]QRZ$][$][$][UX$_Z$_\$_\fV$`C[^QVY^V$bTVWWZ_Y$dT@A$dXJK$dzUR$ipq\$j2'+$jRS@\$lFS_$lFS_$lPBC$lPF\$lR]^$lS[G$l\G_$lbW@$lbW@$lbW@$lbW@$lbW@$lbW@$lbW@$lfS@$lfS_$lp@^$lp@^$lpF\$lr]Z$lr]Z$ls[G$ls[G$ls[]$ls[]$ltF[$ltF[$ltJ\$ltJ\$lt^V$lt^V$lt^V$lt^V$lt^V$lt^VWADBUeMZPQ[K3$lvGR$lvGR$lx\W$lx\W$lx\W$lx\W$lx\W$lx\W$lx\WQMSS|{$lx\WQMSS|{$l{SK$l{SK$l{SK$l|G_$l|G_$l|]]$l|]]$l}]P$l}]P$l}]P$l}]P$l}]P$l}]P$oIQM$q_]]$rXFP$rscp$tPA[$tPWW$tVYZ$t^UV$vCS]$vCWZ$v]]A$wZDR$wZ_Y$w^^W$y$yIQ\][$y_TZ$y~q\$|TVT$|XFVWZ_Y$|{$|{$|{$|{$|{$|{$}TURWZ_Y$}X\P$~P_V
API String ID: 0-3089971460
Opcode ID: 26f9fc2656e045de9eb4b6c10c704a7de9bb3d3de6893b0d95b4e8f21c57813e
Instruction ID: 226c377fdd492a6701f35ecb788da7c8989ee9807c7a63703f21e159c35f5584
Opcode Fuzzy Hash: 26f9fc2656e045de9eb4b6c10c704a7de9bb3d3de6893b0d95b4e8f21c57813e
Instruction Fuzzy Hash: 1FD255B0D202099FDF19DFB8CC857EDBB79AF05344F24826CE416AB282D770AA55CB51

Function 002FA900 Relevance: 426.6, APIs: 1, Strings: 241, Instructions: 3117COMMON

Download Yara Rule

Strings

lwW], xrefs: 002FE1B7
QXbj, xrefs: 002FCC48
tXAP[GRs]O_WSMSZ.5, xrefs: 002FC9EE, 002FCA0F
lrZV, xrefs: 002FDB67
sY@\YZRX, xrefs: 002FF0EE
Q[BD, xrefs: 002FDED0
lU[@WZDS, xrefs: 002FC92A
WeoH, xrefs: 002FF08E
CZXk, xrefs: 002FE422
s^Qp[V, xrefs: 002FEFCB, 002FEFD3
VZNu, xrefs: 002FF1C0
\GYZ, xrefs: 002FEE9E
q\[T[, xrefs: 002FD70E, 002FD724
oQ[V, xrefs: 002FE1D3
mJ_I, xrefs: 002FEA0B
sYWW[A, xrefs: 002FDC0E, 002FDC24
lDq\, xrefs: 002FE097
!5#, xrefs: 002FE641
mJ_I, xrefs: 002FE539
3$0c, xrefs: 002FE442
lbFV, xrefs: 002FD5A2
~g{w}t, xrefs: 002FD567, 002FD57D
7 4g, xrefs: 002FCF68
VTYk, xrefs: 002FE52D
0/+1, xrefs: 002FE1DD
{VUL, xrefs: 002FE42E
qE]^, xrefs: 002FF17D
lg[E, xrefs: 002FDC4C
[XYS, xrefs: 002FF084
sY@\Y\CZnP_LYO, xrefs: 002FE2D4, 002FE2F0
UY_Y, xrefs: 002FE31E
`hMZ, xrefs: 002FD98A
l~@Q, xrefs: 002FE71D
SSbj, xrefs: 002FE438
OJ_I, xrefs: 002FDA6C
lt^V, xrefs: 002FDE2C
3$0c, xrefs: 002FF1E0
l|SC, xrefs: 002FD847
]eoH, xrefs: 002FEEA8
lx@Z, xrefs: 002FD74C
BD^VkS_[]J, xrefs: 002FAAE3, 002FAAF0
F, xrefs: 002FD9FB
iP\WQM, xrefs: 002FD437, 002FD44D
lbBF, xrefs: 002FEDE2
0$, xrefs: 002FD99E
lv]\, xrefs: 002FD247
yC[W, xrefs: 002FD7CB
FZEX, xrefs: 002FCD2B
[QYk, xrefs: 002FE9FF
YObj, xrefs: 002FF1D6
dxNT, xrefs: 002FF12C
sT\G, xrefs: 002FDAE5
)+&., xrefs: 002FCB67
l|[P, xrefs: 002FCD25
M]ST, xrefs: 002FD859
x\J^, xrefs: 002FE934
lr]^, xrefs: 002FE9F9
vGY@, xrefs: 002FEAFD
3$0c, xrefs: 002FE83D
sY@\YPf[MJ, xrefs: 002FD92A, 002FD946
4 , xrefs: 002FED3D
-, xrefs: 002FD28B
@]YY, xrefs: 002FEC1D
SO_K, xrefs: 002FD491
{VHK, xrefs: 002FD487
), xrefs: 002FCD5F
FZAD, xrefs: 002FEBA4
vGY@, xrefs: 002FDAEF
le]A, xrefs: 002FE918
OXLc, xrefs: 002FEF5B
lrW], xrefs: 002FDA5A
P\CZ, xrefs: 002FD752
2 4&, xrefs: 002FCE4A
mJ_I, xrefs: 002FDB79
KN[M, xrefs: 002FDEE4
h}{o, xrefs: 002FB839
ptbv, xrefs: 002FB54C
ZicD, xrefs: 002FEFFA
4 , xrefs: 002FDC72
K\Hg, xrefs: 002FD66C
lU[@WZDS, xrefs: 002FC83A
^MMZ, xrefs: 002FCE36
fXDR, xrefs: 002FDCCB
[XTZ, xrefs: 002FC73D
lr]P, xrefs: 002FEF41
JVMH, xrefs: 002FF1CA
YPXC, xrefs: 002FDE32
W_NL, xrefs: 002FCB3F
d^@P\, xrefs: 002FE9BB, 002FE9D1
SYSk, xrefs: 002FCC32
PZBk, xrefs: 002FDB6D
lv]\, xrefs: 002FCC2C
djJN, xrefs: 002FEDF4
l`{c, xrefs: 002FE61B
!, xrefs: 002FE54D
W_NL, xrefs: 002FCA49
WNI^, xrefs: 002FF233
\\L^, xrefs: 002FC930
lsSG, xrefs: 002FD057
lrZA, xrefs: 002FD147
mJ_I, xrefs: 002FDD59
dlI^, xrefs: 002FDC5E
lrSG, xrefs: 002FE318
?:/9, xrefs: 002FCE5E
lz]^, xrefs: 002FDD47
QYYY, xrefs: 002FED1D
NxSS, xrefs: 002FE09D
dlI^, xrefs: 002FE72F
UX, xrefs: 002FD5A5
sY@\YP, xrefs: 002FCCE7, 002FCCFD
eCS], xrefs: 002FF041
lhS], xrefs: 002FD36C
), xrefs: 002FEF79
!5#, xrefs: 002FEEBC
1<48, xrefs: 002FD4D7
qWYg, xrefs: 002FE1C9
^eoH, xrefs: 002FE62D
DAYc, xrefs: 002FCF3E
^Mf~, xrefs: 002FCD37
@[_\, xrefs: 002FEDE8
lp_Z, xrefs: 002FD65A
!, xrefs: 002FDB8D
ND, xrefs: 002FC747
l|SZ, xrefs: 002FF11C
zKUL, xrefs: 002FEF51
type must be boolean, but is , xrefs: 002FC5DA
QakL, xrefs: 002FF138
)50*, xrefs: 002FE33E
~XQ[FZ[R, xrefs: 002FEF18, 002FEF20
HSWT, xrefs: 002FEDFE
`hMZ, xrefs: 002FDA76
Y~HT, xrefs: 002FE32A
g@DQ, xrefs: 002FE6AF
PRNR, xrefs: 002FC93A
UeoH, xrefs: 002FD159
%, xrefs: 002FD68A
z, xrefs: 002FF20D
SSbj, xrefs: 002FE833
!5#, xrefs: 002FEC3D
cEWRY, xrefs: 002FD61C, 002FD632
SJMZ, xrefs: 002FDE48
4$>6, xrefs: 002FE205
{QHT, xrefs: 002FCC3E
@wDX, xrefs: 002FDA60
<=#%, xrefs: 002FE1F1
l~BV, xrefs: 002FCB2D
), xrefs: 002FE0D1
tCST[[, xrefs: 002FE8D4, 002FE8F0
kM[I, xrefs: 002FD980
kSY[, xrefs: 002FAB16
cAGG, xrefs: 002FEE4C
!5#, xrefs: 002FF0A4
4 , xrefs: 002FD772
wZUk, xrefs: 002FEF47
lU[@, xrefs: 002FC72B
]O[c, xrefs: 002FCB49
XZ[c, xrefs: 002FCD41
SZjb, xrefs: 002FD660
l~BV, xrefs: 002FCA2D
sY@\Y\CZ, xrefs: 002FD201, 002FD21F
4 , xrefs: 002FE743
BD^VkVY[T\YOcO[\5315, xrefs: 002FAC45, 002FAC4C
iN[M, xrefs: 002FD676
QO[X, xrefs: 002FDF69
lr]^, xrefs: 002FE817
72'1, xrefs: 002FE023
PPNk, xrefs: 002FD372
N, xrefs: 002FF23D
h+?, xrefs: 002FD281
9, xrefs: 002FD4E1
!, xrefs: 002FDD6D
NRIL, xrefs: 002FCF54
uA[P, xrefs: 002FDFFB
l|SK, xrefs: 002FEC17
Z, xrefs: 002FCFE9
tXAP[GRgl{, xrefs: 002FC8DA, 002FC8F6
lrZA, xrefs: 002FF07E
,%3%, xrefs: 002FD4CD
axsy, xrefs: 002FB045
1, xrefs: 002FD895
IMb|, xrefs: 002FE334
{^_V@T, xrefs: 002FDDEE, 002FDE04
0$, xrefs: 002FDA8A
[MtE, xrefs: 002FF227
BD^VkF_M]fQY, xrefs: 002FABA1, 002FABAE
*672, xrefs: 002FE219
NXb}, xrefs: 002FCE40
|K[\, xrefs: 002FE829
dlI^, xrefs: 002FED29
QAWk, xrefs: 002FDD4D
4, xrefs: 002FCE7C
%1', xrefs: 002FF14C
lr@J, xrefs: 002FCF38
s^]D[[, xrefs: 002FE4DD, 002FE4FF
N\Pc, xrefs: 002FE0B3
K\Hg, xrefs: 002FEB09
l/;, xrefs: 002FD88B
WZDS, xrefs: 002FC731
XPeC, xrefs: 002FD84D
u]W^, xrefs: 002FDEC6
aXT_, xrefs: 002FD37E
lu[@WZDS, xrefs: 002FC680, 002FC69F
sXFA]Z, xrefs: 002FE3DE, 002FE3F4
W]jb, xrefs: 002FE91E
}PJG, xrefs: 002FEC9D
`~VM, xrefs: 002FD263
fedx, xrefs: 002FB31F
h+?, xrefs: 002FEB31
[X_B, xrefs: 002FD14D
!5#, xrefs: 002FD16D
<(, xrefs: 002FEE1C
NXYB, xrefs: 002FE00F
s^_\PZ, xrefs: 002FEAB0, 002FEACF
ld@R, xrefs: 002FEFF4
lr]\, xrefs: 002FE41C
UYR^, xrefs: 002FDC52
YE|M, xrefs: 002FD388
ltBZ, xrefs: 002FDF57
!, xrefs: 002FEA1F
tXAP[GRtYW[IE, xrefs: 002FC7EA, 002FC806
BPeX, xrefs: 002FCE2A
-, xrefs: 002FEB3B
/61&, xrefs: 002FDF7D
~TFQ, xrefs: 002FF21D
[QYk, xrefs: 002FE81D
Er]IyPR^Y, xrefs: 002FE170, 002FE18F
rPFG, xrefs: 002FD0C9
sY@\, xrefs: 002FD2EA
]K, xrefs: 002FEBAE
`~VM, xrefs: 002FD863
QXfn, xrefs: 002FE0A9
]M, xrefs: 002FD0DD
dlI^, xrefs: 002FD75E
~OQH, xrefs: 002FEB13
ls@R, xrefs: 002FCE24
l][V, xrefs: 002FE527
/61&, xrefs: 002FD392
3$0c, xrefs: 002FCC52
\XWQUZ, xrefs: 002FE5D7, 002FE5F3
]ACZ, xrefs: 002FE723
tXAP, xrefs: 002FC6B5

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: 4$!$!$!$!$!5#$!5#$!5#$!5#$!5#$%$%1'$)$)$)$)+&.$)50*$*672$,%3%$-$-$/61&$/61&$0$$0$$0/+1$1$1<48$2 4&$3$0c$3$0c$3$0c$3$0c$4 $4 $4 $4 $4$>6$7 4g$72'1$9$<($<=#%$?:/9$@[_\$@]YY$@wDX$BD^VkF_M]fQY$BD^VkS_[]J$BD^VkVY[T\YOcO[\5315$BPeX$CZXk$DAYc$Er]IyPR^Y$F$FZAD$FZEX$HSWT$IMb|$JVMH$KN[M$K\Hg$K\Hg$M]ST$N$ND$NRIL$NXYB$NXb}$N\Pc$NxSS$OJ_I$OXLc$PPNk$PRNR$PZBk$P\CZ$QAWk$QO[X$QXbj$QXfn$QYYY$Q[BD$QakL$SJMZ$SO_K$SSbj$SSbj$SYSk$SZjb$UX$UYR^$UY_Y$UeoH$VTYk$VZNu$WNI^$WZDS$W]jb$W_NL$W_NL$WeoH$XPeC$XZ[c$YE|M$YObj$YPXC$Y~HT$Z$ZicD$[MtE$[QYk$[QYk$[XTZ$[XYS$[X_B$\GYZ$\XWQUZ$\\L^$]ACZ$]K$]M$]O[c$]eoH$^MMZ$^Mf~$^eoH$`hMZ$`hMZ$`~VM$`~VM$aXT_$axsy$cAGG$cEWRY$d^@P\$djJN$dlI^$dlI^$dlI^$dlI^$dxNT$eCS]$fXDR$fedx$g@DQ$h+?$h+?$h}{o$iN[M$iP\WQM$kM[I$kSY[$l/;$lDq\$lU[@$lU[@WZDS$lU[@WZDS$l][V$l`{c$lbBF$lbFV$ld@R$le]A$lg[E$lhS]$lp_Z$lr@J$lrSG$lrW]$lrZA$lrZA$lrZV$lr]P$lr]\$lr]^$lr]^$ls@R$lsSG$ltBZ$lt^V$lu[@WZDS$lv]\$lv]\$lwW]$lx@Z$lz]^$l|SC$l|SK$l|SZ$l|[P$l~@Q$l~BV$l~BV$mJ_I$mJ_I$mJ_I$mJ_I$oQ[V$ptbv$qE]^$qWYg$q\[T[$rPFG$sT\G$sXFA]Z$sY@\$sY@\YP$sY@\YPf[MJ$sY@\YZRX$sY@\Y\CZ$sY@\Y\CZnP_LYO$sYWW[A$s^Qp[V$s^]D[[$s^_\PZ$tCST[[$tXAP$tXAP[GRgl{$tXAP[GRs]O_WSMSZ.5$tXAP[GRtYW[IE$type must be boolean, but is $uA[P$u]W^$vGY@$vGY@$wZUk$x\J^$yC[W$z$zKUL${QHT${VHK${VUL${^_V@T$|K[\$}PJG$~OQH$~TFQ$~XQ[FZ[R$~g{w}t
API String ID: 0-1591587137
Opcode ID: effeaf0b3dfb10e5ea6de5aec3209b5af119ca5e118118c09e67a6a2ac542f94
Instruction ID: f71dfcd77c0aea7003357749eab3676d02fe37ae5fa79cda9da4132fe37444cc
Opcode Fuzzy Hash: effeaf0b3dfb10e5ea6de5aec3209b5af119ca5e118118c09e67a6a2ac542f94
Instruction Fuzzy Hash: C163A8B0810269CACF25EFA8CC157EEBBB5AF05344F5442C9D4593B282D7711B99CFA2

Function 002E58A0 Relevance: 157.7, APIs: 3, Strings: 86, Instructions: 1947COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 002E595D

Strings

>"#O, xrefs: 002E5DE7
gz_I, xrefs: 002E6C59
cannot use operator[] with a string argument with , xrefs: 002E775D
Z, xrefs: 002E7187
GS, xrefs: 002E71C5
l`GR, xrefs: 002E6C45
ZF, xrefs: 002E6BD8
ZACZ, xrefs: 002E6C4F
ZT[R, xrefs: 002E6989
CZDS, xrefs: 002E6B7F
lZWJ, xrefs: 002E6E97
di/%, xrefs: 002E5D8D
ST@G, xrefs: 002E724A
U_QAMEBR\lI^NS_R%, xrefs: 002E6AD5
QMoi, xrefs: 002E6886
lZWJ, xrefs: 002E6F36
V^@^, xrefs: 002E68C0
[TK, xrefs: 002E6F00
*$+", xrefs: 002E5D83
ZF, xrefs: 002E6662
Z, xrefs: 002E71F0
l]]T, xrefs: 002E5BB7
Z, xrefs: 002E6A95
BS, xrefs: 002E5C4D
p, xrefs: 002E6890
p, xrefs: 002E68DE
Z, xrefs: 002E7298
V^@^, xrefs: 002E6872
LI[[, xrefs: 002E5D6F
EC^, xrefs: 002E6317, 002E634A, 002E634D, 002E634E
5&% , xrefs: 002E5DAB
p, xrefs: 002E692D
Z, xrefs: 002E73A5
lRWA, xrefs: 002E732C
ZF, xrefs: 002E6766
/?7?, xrefs: 002E5D97
;, xrefs: 002E7485
g@TZ, xrefs: 002E6917
@PA@, xrefs: 002E6B75
\^UZ, xrefs: 002E6790
Z, xrefs: 002E733C
\^UZ, xrefs: 002E6BCE
@C]U]YS, xrefs: 002E61E1, 002E621C
VZHB, xrefs: 002E5D65
g@TZ, xrefs: 002E687C
V^@^, xrefs: 002E6911
`C]U, xrefs: 002E5A10
Z, xrefs: 002E744D
ST@G, xrefs: 002E73FF
@C]U, xrefs: 002E6835
7+>w, xrefs: 002E5DB5
RJUU, xrefs: 002E5BCB
\, xrefs: 002E5AB5
GS, xrefs: 002E6E82
\^UZ, xrefs: 002E6A8E
l, xrefs: 002E6D6C
`PF[, xrefs: 002E5AA7, 002E5AAA
\^UZ, xrefs: 002E5912
lRWA, xrefs: 002E7437
QMoi, xrefs: 002E6921
:%J-, xrefs: 002E5DDD
o, xrefs: 002E6D51
lZWJ, xrefs: 002E6E3B
\^UZ, xrefs: 002E675C
QMoi, xrefs: 002E68D4
lZWJ, xrefs: 002E70D4
GS, xrefs: 002E737A
lZWJ, xrefs: 002E6FD9
lRWA, xrefs: 002E7177
HN, xrefs: 002E6C63
ct~v, xrefs: 002E5D51
lRWA, xrefs: 002E71DA
\^UZ, xrefs: 002E6658
@PA@CZDS, xrefs: 002E6595, 002E65CC
R\ZR, xrefs: 002E598F
lRWA, xrefs: 002E7282
lZWJ, xrefs: 002E7035
GS, xrefs: 002E7020
lA@\, xrefs: 002E5985
\^UZZ, xrefs: 002E6458, 002E648E
g@TZ, xrefs: 002E68CA
lRWA, xrefs: 002E738F
ZF, xrefs: 002E679A
U, xrefs: 002E59A3
X^AG, xrefs: 002E6983
|;1-, xrefs: 002E5DBF

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: *$+"$/?7?$5&% $7+>w$:%J-$;$>"#O$@C]U$@C]U]YS$@PA@$@PA@CZDS$BS$CZDS$EC^$GS$GS$GS$GS$HN$LI[[$QMoi$QMoi$QMoi$RJUU$R\ZR$ST@G$ST@G$U$U_QAMEBR\lI^NS_R%$VZHB$V^@^$V^@^$V^@^$X^AG$Z$Z$Z$Z$Z$Z$Z$ZACZ$ZF$ZF$ZF$ZF$ZT[R$[TK$\$\^UZ$\^UZ$\^UZ$\^UZ$\^UZ$\^UZ$\^UZZ$`C]U$`PF[$cannot use operator[] with a string argument with $ct~v$di/%$g@TZ$g@TZ$g@TZ$gz_I$l$lA@\$lRWA$lRWA$lRWA$lRWA$lRWA$lRWA$lZWJ$lZWJ$lZWJ$lZWJ$lZWJ$lZWJ$l]]T$l`GR$o$p$p$p$|;1-
API String ID: 1514166925-422776455
Opcode ID: d41f9075fe7889401a0f1e1959490d1ac2fa437d7fb685020ec57927822bbc1f
Instruction ID: 0c8f29f486046a716e0c59ab3a1d53bbc5c9da4a04187879ad11f3abaec4365f
Opcode Fuzzy Hash: d41f9075fe7889401a0f1e1959490d1ac2fa437d7fb685020ec57927822bbc1f
Instruction Fuzzy Hash: 6E03C070D142588BDF2ADF64CC99BEDBBB4AF15304F4441D8E409AB282EB745B89CF51

Function 002D88A0 Relevance: 107.5, APIs: 2, Strings: 58, Instructions: 2469COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 002D8971

Strings

F, xrefs: 002DA612
UYfE, xrefs: 002D8D02
cannot use operator[] with a string argument with , xrefs: 002DACED, 002DAD25, 002DADBD
\fQ^, xrefs: 002D94B9
Q, xrefs: 002DA6CC
l}]P, xrefs: 002D8CFF
MEBR, xrefs: 002D942F
S^]X, xrefs: 002DAC57
E, xrefs: 002D94C3
FLFC, xrefs: 002D93BC
l, xrefs: 002D916D
U_QA, xrefs: 002D94A3
F, xrefs: 002DA63C
^P_V, xrefs: 002DA561, 002DA56E
E, xrefs: 002D9443
1, xrefs: 002D9EA1
_BmP, xrefs: 002D93B2
UYfE, xrefs: 002D90DB
ct~v, xrefs: 002D97F3
MEBR, xrefs: 002D94AF
VNQQ, xrefs: 002D90E9
9q~:, xrefs: 002D9861
U_QA, xrefs: 002D9423
\fQ^, xrefs: 002D9439
P, xrefs: 002DADD4
T^_R][, xrefs: 002D9A61, 002D9A6E
XeDR, xrefs: 002D9205
=&$, xrefs: 002D984D
`m>., xrefs: 002D9839
''&2, xrefs: 002D982F
l, xrefs: 002D969E
=:/), xrefs: 002D9857
,127, xrefs: 002D9825
1, xrefs: 002D9AC1
l, xrefs: 002D8FAC
FP^FQ, xrefs: 002DA9C0, 002DA9FF
tTTR, xrefs: 002D959A
XeDR, xrefs: 002D8D51
FP^F, xrefs: 002DA6C2
tTTRAYB, xrefs: 002DAB19, 002DAB3D
_BmP, xrefs: 002D93EF
CTQFFP, xrefs: 002DA0A3, 002DA0DF
l, xrefs: 002D9707
l, xrefs: 002D9248
l, xrefs: 002D92AF
FLFC, xrefs: 002D93F9
_BmPFLFC, xrefs: 002D8E56
UIBZFTB^WW~ZHX, xrefs: 002DA35A, 002DA396
|^QR, xrefs: 002D8D47
_BmP, xrefs: 002D946F
l, xrefs: 002D900F
VNQQ, xrefs: 002D8D12
U_QAMEBR\fQ^E, xrefs: 002D8EE0
l}]P, xrefs: 002D90D4
FLFC, xrefs: 002D9479
WJNd, xrefs: 002D9807
$9~s, xrefs: 002D9843
@PF[, xrefs: 002D9E41, 002D9E4E

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: $9~s$''&2$,127$1$1$9q~:$=&$$=:/)$@PF[$CTQFFP$E$E$F$F$FLFC$FLFC$FLFC$FP^F$FP^FQ$MEBR$MEBR$P$Q$S^]X$T^_R][$UIBZFTB^WW~ZHX$UYfE$UYfE$U_QA$U_QA$U_QAMEBR\fQ^E$VNQQ$VNQQ$WJNd$XeDR$XeDR$\fQ^$\fQ^$^P_V$_BmP$_BmP$_BmP$_BmPFLFC$`m>.$cannot use operator[] with a string argument with $ct~v$l$l$l$l$l$l$l$l}]P$l}]P$tTTR$tTTRAYB$|^QR
API String ID: 1514166925-2343552700
Opcode ID: 7731e02fb9f52fcb84cb7e6333ea9fd19ce3538b658a6ec8998a3e0e13171d9a
Instruction ID: ff898f33208580367bc9803622949104f29c6ca86198aad8f2e573b7a0db3c1d
Opcode Fuzzy Hash: 7731e02fb9f52fcb84cb7e6333ea9fd19ce3538b658a6ec8998a3e0e13171d9a
Instruction Fuzzy Hash: 1033CE70910258CBDB29DF64C895BEDBBB4AF15300F1441E9E449AB382EB749F98CF91

Function 003104D0 Relevance: 91.4, APIs: 42, Strings: 9, Instructions: 2192COMMON

Download Yara Rule

APIs

Part of subcall function 002F3160: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F31F0
Part of subcall function 002F3160: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 002F324C
Part of subcall function 002F3160: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002F327D

CreateDirectoryA.KERNEL32(?,00000000,?,la^FS\XD,003E2D14,00000033,la^FS\XD,la^FS\XD), ref: 003105B5
GetFileAttributesA.KERNEL32(00000000,?,-00000034,0000004C,?,0000004C), ref: 003107AF
GetLastError.KERNEL32(?,-00000034,0000004C,?,0000004C), ref: 003107BA
__Mtx_unlock.LIBCPMT ref: 003107D9
__Mtx_unlock.LIBCPMT ref: 003107E8
CreateDirectoryA.KERNEL32(?,00000000,?,0000004C), ref: 003107FF
GetFileAttributesA.KERNEL32(00000000,?,?,?,-00000034,0000004C,?,0000004C), ref: 003109E0
GetLastError.KERNEL32(?,?,-00000034,0000004C,?,0000004C), ref: 003109EB
__Mtx_unlock.LIBCPMT ref: 00310A0A
__Mtx_unlock.LIBCPMT ref: 00310A1F
CreateDirectoryA.KERNEL32(00000000,00000000,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 00310A3C
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 00310C1C
GetLastError.KERNEL32(?,?,?,?,-00000034,0000004C,?,0000004C), ref: 00310C27
__Mtx_unlock.LIBCPMT ref: 00310C46
__Mtx_unlock.LIBCPMT ref: 00310C55
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 00310C72
GetFileAttributesA.KERNEL32(00000000,|^QRS\XD,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 00310F2C
GetLastError.KERNEL32(?,?,?,?,-00000034,0000004C,?,0000004C), ref: 00310F37
__Mtx_unlock.LIBCPMT ref: 00310F56
__Mtx_unlock.LIBCPMT ref: 00310F65
CreateDirectoryA.KERNEL32(00000000,00000000,?,|^QRS\XD,?,?,?,?,-00000034,0000004C,?,0000004C), ref: 00310F7C

Strings

y_VVLPRsz, xrefs: 00310D04
\, xrefs: 00311A33
\, xrefs: 003116E2
QPXD, xrefs: 00312161
\, xrefs: 003112E2
la^FS\XD, xrefs: 00310548, 0031057D
lBQA, xrefs: 00312158
cH\P, xrefs: 00310D31, 00310D8F, 00310D90
\, xrefs: 0031149D

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Mtx_unlock$CreateDirectory$AttributesErrorFileLast$FolderPath
String ID: QPXD$\$\$\$\$cH\P$lBQA$la^FS\XD$y_VVLPRsz
API String ID: 2196497886-1339855362
Opcode ID: 81b1a2e21b7c6d3a6a10b70d602ece31968e73971670202e96c918b5d608e24d
Instruction ID: 41d8d3d104a45bd8ed7cfda43ea1f4b798f8e5358f35370127e6d245a7161f99
Opcode Fuzzy Hash: 81b1a2e21b7c6d3a6a10b70d602ece31968e73971670202e96c918b5d608e24d
Instruction Fuzzy Hash: 140305709102588FDF1EDF68CC85BEDBBB5AF09304F148298E549AB282D7719AC5CF61

Function 002DC470 Relevance: 72.6, APIs: 1, Strings: 39, Instructions: 2614COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 002DC54A

Strings

\, xrefs: 002DD090
_BmP, xrefs: 002DDA0A
|^QR, xrefs: 002DD5FE
VNQQ, xrefs: 002DD3E8
D^YVZ\, xrefs: 002DE4C0, 002DE4FF
cannot use operator[] with a string argument with , xrefs: 002DEA0F
\, xrefs: 002DD6A5
9/(6, xrefs: 002DE09B
=52", xrefs: 002DE05F
l}]P, xrefs: 002DCC93
_BmPFLFC, xrefs: 002DCF26
\, xrefs: 002DD723
MEBR, xrefs: 002DDABE
]KLR, xrefs: 002DE041
MEBR, xrefs: 002DDA4A
WE]X, xrefs: 002DE6EB
E, xrefs: 002DDA5E
%/!1, xrefs: 002DE055
\, xrefs: 002DDCB2
'( o, xrefs: 002DE073
\fQ^, xrefs: 002DDAC8
t!9<, xrefs: 002DE087
\, xrefs: 002DD0FB
XeDR, xrefs: 002DD607
_BmPFLFC, xrefs: 002DD9E2, 002DD9EF
U_QA, xrefs: 002DDA3E
CT@E, xrefs: 002DE20C
UYfE, xrefs: 002DD3DA
F, xrefs: 002DE322
F, xrefs: 002DE361
\, xrefs: 002DD478
E, xrefs: 002DDAD2
ct~v, xrefs: 002DE02B
U_QA, xrefs: 002DDAB2
U_QAMEBR\fQ^E, xrefs: 002DCFB0
FLFC, xrefs: 002DDA14
\fQ^, xrefs: 002DDA54
A, xrefs: 002DEA2C
\, xrefs: 002DDD19

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: %/!1$'( o$9/(6$=52"$A$CT@E$D^YVZ\$E$E$F$F$FLFC$MEBR$MEBR$UYfE$U_QA$U_QA$U_QAMEBR\fQ^E$VNQQ$WE]X$XeDR$\$\$\$\$\$\$\$\fQ^$\fQ^$]KLR$_BmP$_BmPFLFC$_BmPFLFC$cannot use operator[] with a string argument with $ct~v$l}]P$t!9<$|^QR
API String ID: 1514166925-3444709628
Opcode ID: 0d41f0e7169bb0692188a24e42a0d28c901f569eff301329e891c887220847b1
Instruction ID: 51f4628c9c812c57de9412c9c55fbe169efd5439fff9cf61752eddbea42028f2
Opcode Fuzzy Hash: 0d41f0e7169bb0692188a24e42a0d28c901f569eff301329e891c887220847b1
Instruction Fuzzy Hash: 0133CE709102598FDF29DF68C885BEDBBB5AF05304F1482DAE449AB382D7709E85CF91

Function 002DEA60 Relevance: 61.7, APIs: 1, Strings: 33, Instructions: 2217COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,00000001,?,?), ref: 002DEAC8

Strings

\, xrefs: 002DFE41
0,( , xrefs: 002DEEE7
L\TH, xrefs: 002DF5E4
lx\W, xrefs: 002DF1EC
lrgafpxc, xrefs: 002E0497, 002E04D6
lrgafpxc, xrefs: 002DF15E, 002DF165
QMSS, xrefs: 002DFD66
tTTR, xrefs: 002E0809
OTQQ, xrefs: 002DF999
-+!4, xrefs: 002DEBD4
-+!4, xrefs: 002DF602
ZQSO, xrefs: 002DFCED
0 (4, xrefs: 002DFD82
%-&!, xrefs: 002DFD0B
]]^Y, xrefs: 002DFCF7
%l';, xrefs: 002DFD7B
lrgafpxc, xrefs: 002E01D7, 002E0213
\, xrefs: 002DFA61
0,( , xrefs: 002DF9A7
@M_U, xrefs: 002DF992
tTTRAYB, xrefs: 002E056B, 002E05A7
lx\W, xrefs: 002DFD5D
%l';, xrefs: 002DF20A
0 (4, xrefs: 002DF211
\, xrefs: 002DF6D5
TOQR, xrefs: 002DFD74
|{fX, xrefs: 002DF1FC
tTTRAYB, xrefs: 002E02AA, 002E02E6
l}]P, xrefs: 002DF982
,, xrefs: 002E098C
|{fX, xrefs: 002DFD6D
lbK], xrefs: 002DF5CE
QMSS, xrefs: 002DF1F5

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: %-&!$%l';$%l';$,$-+!4$-+!4$0 (4$0 (4$0,( $0,( $@M_U$L\TH$OTQQ$QMSS$QMSS$TOQR$ZQSO$\$\$\$]]^Y$lbK]$lrgafpxc$lrgafpxc$lrgafpxc$lx\W$lx\W$l}]P$tTTR$tTTRAYB$tTTRAYB$|{fX$|{fX
API String ID: 1514166925-3406950845
Opcode ID: d3eda4c4248a14b1d07182dd11b557c67d0f17b592e2f2e9f24d4485862c0aee
Instruction ID: 3f95cf8892123e5fe9b93df6b051bcaeae8ba2aa6b9ee3fd2cdf357148f0ae10
Opcode Fuzzy Hash: d3eda4c4248a14b1d07182dd11b557c67d0f17b592e2f2e9f24d4485862c0aee
Instruction Fuzzy Hash: 66239A709102588FDB29CF28CD95BEDBBB5AF05304F5482E9E449AB382D7749E85CF60

Function 00370A90 Relevance: 54.4, Strings: 41, Instructions: 3100COMMON

Download Yara Rule

Strings

locking_mode, xrefs: 003712AF, 0037143C
default_cache_size, xrefs: 00370CC0
name, xrefs: 00371E2C, 0037231D, 003725F2, 0037286D, 00372B0D
notnull, xrefs: 00371E6E
not a writable directory, xrefs: 00371B8F
-%T, xrefs: 00370BA5
encoding, xrefs: 00372D7F, 00372E19
case_sensitive_like, xrefs: 00372C80
page_count, xrefs: 0037116F, 003712A5
temp_store_directory, xrefs: 00371AD1, 00371B4F
journal_size_limit, xrefs: 00371767, 00371824
journal_mode, xrefs: 0037150A, 003716E9
database_list, xrefs: 003727B5
schema_version, xrefs: 00372FC1
index_list, xrefs: 003724F1
temporary storage cannot be changed from within a transaction, xrefs: 00371ABE, 00371BE0
Safety level may not be changed inside a transaction, xrefs: 00371D04
index_info, xrefs: 00372217
type, xrefs: 00371E4D
exclusive, xrefs: 00371313, 00371417, 003714A9
table_info, xrefs: 00371D47
freelist_count, xrefs: 0037306C
memory, xrefs: 00371A12
glob, xrefs: 00372D33, 00372D4F
cache_size, xrefs: 00370D7A, 0037183E, 003718CB
seqno, xrefs: 003722DE
like, xrefs: 00372D00, 00372D17, 00372D5E
collation_list, xrefs: 00372A76
*?[, xrefs: 00372D3F
file, xrefs: 003719BA, 0037288E
unique, xrefs: 00372613
seq, xrefs: 003725D4, 0037284F, 00372AEF
normal, xrefs: 00371363, 00371420
page_size, xrefs: 00371014, 0037108D
temp_store, xrefs: 00371929, 00371993
synchronous, xrefs: 00371C5B, 00371CE9
cid, xrefs: 00371E0E, 003722FC
dflt_value, xrefs: 00371E8F
unsupported encoding: %s, xrefs: 00372F76, 00372FAE
max_page_count, xrefs: 003710CF, 0037115D
user_version, xrefs: 00373018

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: *?[$-%T$Safety level may not be changed inside a transaction$cache_size$case_sensitive_like$cid$collation_list$database_list$default_cache_size$dflt_value$encoding$exclusive$file$freelist_count$glob$index_info$index_list$journal_mode$journal_size_limit$like$locking_mode$max_page_count$memory$name$normal$not a writable directory$notnull$page_count$page_size$schema_version$seq$seqno$synchronous$table_info$temp_store$temp_store_directory$temporary storage cannot be changed from within a transaction$type$unique$unsupported encoding: %s$user_version
API String ID: 0-4012380797
Opcode ID: c0ec4699f593a1a2a1a4150f491d9350890c84277d1d7aefdefc9960683643af
Instruction ID: 87c754fce391c94b22b5af893f476859efa6bc91eb806c068ecc52e2c9ad895f
Opcode Fuzzy Hash: c0ec4699f593a1a2a1a4150f491d9350890c84277d1d7aefdefc9960683643af
Instruction Fuzzy Hash: F653C074A006818FDB26DF28C4A0B6ABBF1BF05304F1AC59DD8999F392D779E905CB50

Function 00306270 Relevance: 52.8, Strings: 41, Instructions: 1548COMMON

Download Yara Rule

Strings

u|z, xrefs: 00307D1E
`S>, xrefs: 0030636E
`S>, xrefs: 00306350
FTQR, xrefs: 00306FD5
BC, xrefs: 00307D41
jk, xrefs: 00307043
:bF\, xrefs: 003078FD
lAS@, xrefs: 00307146
lW]K, xrefs: 00307C29
`S>, xrefs: 003071FD
@PA@CZDS, xrefs: 00306555, 0030655A
:bF\, xrefs: 00306FCB
\^UZZ, xrefs: 003064CD, 003064D2
]YSD, xrefs: 003066C9
@C]U, xrefs: 0030786D
/, xrefs: 00307BED
jqw , xrefs: 00307B8B
ls@\CFSEK, xrefs: 003062FE, 00306309
`S>, xrefs: 003071E5
:bF\, xrefs: 00307B45
+$ u, xrefs: 00307011
DI, xrefs: 00307164
pt!Y, xrefs: 00307941
~ec4, xrefs: 00307D3A
GS, xrefs: 00307C17
@C]U, xrefs: 00307843
l, xrefs: 00306DE9
6hMZ, xrefs: 00307B65
`S>, xrefs: 00306291
\^UZZ, xrefs: 003064F6, 003064FB
@PA@CZDS, xrefs: 00306529, 0030652E
pt!Y, xrefs: 0030701B
f}{,, xrefs: 00307039
YT_[, xrefs: 00307C33
7.0', xrefs: 00307D33
QS, xrefs: 00306F47
GBYE, xrefs: 00307150
/6(?, xrefs: 0030702F
l, xrefs: 00306D4D
l\ML, xrefs: 00307D2C
FTQR, xrefs: 00307B51

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: +$ u$/$/6(?$6hMZ$7.0'$:bF\$:bF\$:bF\$@C]U$@C]U$@PA@CZDS$@PA@CZDS$BC$DI$FTQR$FTQR$GBYE$GS$QS$YT_[$\^UZZ$\^UZZ$]YSD$`S>$`S>$`S>$`S>$`S>$f}{,$jk$jqw $l$l$lAS@$lW]K$l\ML$ls@\CFSEK$pt!Y$pt!Y$u|z$~ec4
API String ID: 0-806085981
Opcode ID: d7d476666c5eb3e5db475fe299415b6b37f280466f87ebcee7c5a6a0a498068a
Instruction ID: 68494ae9748d80fc66db2b2b6d088d576ced4bbc3f2e614f9e3b438df6b67940
Opcode Fuzzy Hash: d7d476666c5eb3e5db475fe299415b6b37f280466f87ebcee7c5a6a0a498068a
Instruction Fuzzy Hash: 0EE26170D11258DADF2AEBA0CC56BDDBB78AF15340F4040D9E44A7B282EB745B89CF61

Function 002E77E0 Relevance: 46.8, APIs: 1, Strings: 25, Instructions: 1288COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002E78F6

Strings

\, xrefs: 002E7AF3
LVHB, xrefs: 002E7E80
Q\V_, xrefs: 002E80A1
cannot use operator[] with a string argument with , xrefs: 002E895A, 002E89B2
`PF[, xrefs: 002E7AE5, 002E7AE8, 002E7AEA
,6("g, xrefs: 002E85AB, 002E85D5
lW]A, xrefs: 002E7E70
l !5, xrefs: 002E80C4
ct~v, xrefs: 002E8091
QDF\R\Z[, xrefs: 002E787D, 002E7884
(0#g, xrefs: 002E80B6
, xrefs: 002E8394
lA@\, xrefs: 002E7955
U, xrefs: 002E7973
FP^FQ, xrefs: 002E8565, 002E858C
BS, xrefs: 002E7F09
\, xrefs: 002E7DAA
/, xrefs: 002E7C9D
QDF\R\Z[, xrefs: 002E8726, 002E872C
^P_V, xrefs: 002E8471, 002E8478
9=?$, xrefs: 002E80D2
R\ZR, xrefs: 002E795F
Y]_D, xrefs: 002E7E79
la4", xrefs: 002E80AF
R\SZ, xrefs: 002E80A8

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: $(0#g$,6("g$/$9=?$$BS$FP^FQ$LVHB$QDF\R\Z[$QDF\R\Z[$Q\V_$R\SZ$R\ZR$U$Y]_D$\$\$^P_V$`PF[$cannot use operator[] with a string argument with $ct~v$l !5$lA@\$lW]A$la4"
API String ID: 1514166925-2439004152
Opcode ID: 80cebc557caeb02fa6c8942b0beab231a1173e8826bad49871d183b581220aa2
Instruction ID: 1c856f6fe30479741f7ab748febfed40ce72540707ea134a35c00ef7103d3d5c
Opcode Fuzzy Hash: 80cebc557caeb02fa6c8942b0beab231a1173e8826bad49871d183b581220aa2
Instruction Fuzzy Hash: 28C2C1709102999FDF29CF64CC85BEDBBB5AF05304F5441ECE449AB282DB709A89CF91

Function 002E11D0 Relevance: 37.9, Strings: 30, Instructions: 443COMMON

Download Yara Rule

Strings

WK[\, xrefs: 002E2F0F
g'., xrefs: 002E1631, 002E165B
cannot use operator[] with a string argument with , xrefs: 002E538C, 002E53E1, 002E5436
%(9?, xrefs: 002E3B84
_BmPFLFC, xrefs: 002E2C71, 002E2C7E
6xm6, xrefs: 002E1395
|^QR, xrefs: 002E2EF9
r}}qk, xrefs: 002E4FBE
=?2:, xrefs: 002E3BA7
U_QAMEBR\fQ^E, xrefs: 002E2DC1, 002E2DCE
&, xrefs: 002E2F2D
_BmPFLFC, xrefs: 002E2D63, 002E2D6A
6$.', xrefs: 002E2F23
EBWAZT[R, xrefs: 002E1592, 002E1599
_BmPFLFC, xrefs: 002E2CC3, 002E2CD0
U_QAMEBR\fQ^E, xrefs: 002E27C2, 002E27C9
LXN^, xrefs: 002E260D
, xrefs: 002E5453
`cst, xrefs: 002E3FD3
;, xrefs: 002E45C4
zoqr, xrefs: 002E3B6F
U\SZXEBWAZT[R, xrefs: 002E1685, 002E168C
t!/', xrefs: 002E3B99
=d}/, xrefs: 002E3BA0
YaRZ, xrefs: 002E2F19
`23/, xrefs: 002E3B76
ts~l, xrefs: 002E4C2E
authorization: , xrefs: 002E12C4
U_QAMEBR\fQ^E, xrefs: 002E2D21, 002E2D2E
l}]P, xrefs: 002E25F7

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: AddressProc
String ID: $%(9?$&$6$.'$6xm6$;$=?2:$=d}/$EBWAZT[R$LXN^$U\SZXEBWAZT[R$U_QAMEBR\fQ^E$U_QAMEBR\fQ^E$U_QAMEBR\fQ^E$WK[\$YaRZ$_BmPFLFC$_BmPFLFC$_BmPFLFC$`23/$`cst$authorization: $cannot use operator[] with a string argument with $g'.$l}]P$r}}qk$t!/'$ts~l$zoqr$|^QR
API String ID: 190572456-4167187317
Opcode ID: 69796042cb0054ce9d9a788d84b9723b50314dd702a3e24f720d17e707f1b9c3
Instruction ID: 59981558b835d709d416d79d0d889f3c328e67e1aca3d6cf562c5a12b961e5de
Opcode Fuzzy Hash: 69796042cb0054ce9d9a788d84b9723b50314dd702a3e24f720d17e707f1b9c3
Instruction Fuzzy Hash: 0F02CEB0D102488FDB09DFA8C8847DDBBB5BF09304F54866DE41AAB782D7349A95CB90

Function 002EB480 Relevance: 33.6, APIs: 9, Strings: 10, Instructions: 349COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 002EB596

Strings

K\lZ, xrefs: 002EC972
lA@\, xrefs: 002EB5F2
U, xrefs: 002EB607
fPG_@rSCqM_V, xrefs: 002EC82E
fPG_, xrefs: 002EC964
fPG_@rSCqM_V, xrefs: 002EC9D0, 002EC9D7
R\ZR, xrefs: 002EB5F9
fPG_@zFRVo[NPI, xrefs: 002EC94D, 002EC954
fPG_, xrefs: 002EC84C
@vZX, xrefs: 002EC96B

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: @vZX$K\lZ$R\ZR$U$fPG_$fPG_$fPG_@rSCqM_V$fPG_@rSCqM_V$fPG_@zFRVo[NPI$lA@\
API String ID: 1514166925-621714570
Opcode ID: ae99877fb332657d6bda3fb2d4dc255893c1634862cad2f8c99b22a2c70a0043
Instruction ID: 055fa3182f4fcb886a68c0b8e473a233dbff665d2fda1e5d2a11c42ccbc1844c
Opcode Fuzzy Hash: ae99877fb332657d6bda3fb2d4dc255893c1634862cad2f8c99b22a2c70a0043
Instruction Fuzzy Hash: C9E1F670810288DEDF15CFA4D884BEEBBB8FF05308F5041ADE415AB292D7755A4ACFA4

Function 002DAE30 Relevance: 33.1, APIs: 2, Strings: 16, Instructions: 1607COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,47415858), ref: 002DAF53

Strings

XXAG, xrefs: 002DC2AE
!$/k, xrefs: 002DBAE7
, xrefs: 002DC43E
tTTRAYB, xrefs: 002DB607, 002DB643
cannot use operator[] with a string argument with , xrefs: 002DC421
P\MK, xrefs: 002DBAC9
EC^, xrefs: 002DBD9D, 002DBDD0, 002DBDD3, 002DBDD4
-+6w, xrefs: 002DBB0F
\, xrefs: 002DB843
XXAG[GO, xrefs: 002DAECE
\, xrefs: 002DB7A3
ct~v, xrefs: 002DBAA9
.9;-, xrefs: 002DBB69
P7 <, xrefs: 002DBB4B
|1?,, xrefs: 002DBB19
DX_V, xrefs: 002DBFC4, 002DBFEC

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: $!$/k$-+6w$.9;-$DX_V$EC^$P7 <$P\MK$XXAG$XXAG[GO$\$\$cannot use operator[] with a string argument with $ct~v$tTTRAYB$|1?,
API String ID: 1514166925-2669237069
Opcode ID: c3e97fb4fa7566481af02d8c802a7052d50b80d127e4f043332bd069fddf0ce9
Instruction ID: 662458325b0d594215dcaa58cd4c219e70bbe9c328660171dc82f860420f6557
Opcode Fuzzy Hash: c3e97fb4fa7566481af02d8c802a7052d50b80d127e4f043332bd069fddf0ce9
Instruction Fuzzy Hash: 79E2CE70910259CFDB29CF68CC957EEBBB5AF05300F24819AE449AB382D7709E95CF90

Function 00332A70 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,gX\{@AFtWWT^_I), ref: 00332BBC
GetProcAddress.KERNEL32(00000000,7B5C5867), ref: 00332C06
GetProcAddress.KERNEL32(00000000,gX\{@AFt), ref: 00332C3E
GetProcAddress.KERNEL32(00000000,gX\{@AFxH\TiYLKZ35), ref: 00332C86
GetProcAddress.KERNEL32(00000000,7B5C5867), ref: 00332CD9

Strings

gx|{, xrefs: 00332B42
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36, xrefs: 00332B27
gX\{@AFf, xrefs: 00332D5D, 00332D64
gX\{gX\{M\HB, xrefs: 00332BFD
gX\{, xrefs: 00332C8F
gX\{@AFxH\TiYLKZ35, xrefs: 00332C7D, 00332C84
gX\{M\HB, xrefs: 00332D12, 00332D19

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: AddressProc
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36$gX\{$gX\{@AFf$gX\{@AFxH\TiYLKZ35$gX\{M\HB$gX\{gX\{M\HB$gx|{
API String ID: 190572456-2900703129
Opcode ID: 6ab2d3deaed4c66168ded611bf821fd40adc8dfea265e69fe22006d1c3f5253a
Instruction ID: d0605c5f4a4106939273ca31e909863a75cc6f7ef6ba7a04bf93d44c3eb8cb69
Opcode Fuzzy Hash: 6ab2d3deaed4c66168ded611bf821fd40adc8dfea265e69fe22006d1c3f5253a
Instruction Fuzzy Hash: BAC13CB08142888EDF45CFA9E4857EEBFF4EF19748F60006ED445AB642E7748509CFA9

Function 002D4AD0 Relevance: 29.4, APIs: 1, Strings: 15, Instructions: 1442COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,T^E]XZWSgQSHHRLF), ref: 002D4C1C

Strings

, xrefs: 002D5B56
4 0$, xrefs: 002D5763
p5=$, xrefs: 002D578B
)="k, xrefs: 002D5777
T^E]XZWSgQSHHRLF, xrefs: 002D5D0B, 002D5D0E
tTTRAYB, xrefs: 002D530A, 002D5334
T^E]XZWSgQSHHRLF, xrefs: 002D4B91, 002D4B9E
\, xrefs: 002D5501
Y[eN, xrefs: 002D574F
:996, xrefs: 002D5795
\, xrefs: 002D5479
@PF[, xrefs: 002D5A7E, 002D5A85
<*, xrefs: 002D579F
tTTRAYB, xrefs: 002D5B24, 002D5B4C
ct~v, xrefs: 002D5739

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: $)="k$4 0$$:996$<*$@PF[$T^E]XZWSgQSHHRLF$T^E]XZWSgQSHHRLF$Y[eN$\$\$ct~v$p5=$$tTTRAYB$tTTRAYB
API String ID: 1514166925-2985984096
Opcode ID: 66a8dfe6ae583ebc276ae1c784788a2e4cba205b63ace9a1db8c21e67d0c6be4
Instruction ID: 5d6e1885a6ee5132fa8d60f594faab19df90b27ed61ffdce73b79257ad4a74be
Opcode Fuzzy Hash: 66a8dfe6ae583ebc276ae1c784788a2e4cba205b63ace9a1db8c21e67d0c6be4
Instruction Fuzzy Hash: 7AD2E171D106598FDB29CF68C8847EDBBB5AF04300F14829EE449AB382D7749E95CF90

Function 00366630 Relevance: 27.4, Strings: 21, Instructions: 1184COMMON

Download Yara Rule

Strings

rtab, xrefs: 003668FB
sqlite_, xrefs: 0036688C, 003669D0
%s %T cannot reference objects in database %s, xrefs: 00366799
index, xrefs: 00366794
no such table, xrefs: 003667F9, 0036681A
alte, xrefs: 003668EE
table %s may not be indexed, xrefs: 003674C6
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);, xrefs: 0036728F
%s: %s, xrefs: 0036681F
there is already a table named %s, xrefs: 00366A21
CREATE%s INDEX %.*s, xrefs: 0036725B
table %s has no column named %s, xrefs: 003670D5
name='%q', xrefs: 003672FE
UNIQUE, xrefs: 00367246, 0036725A
virtual tables may not be indexed, xrefs: 0036691B
no such collation sequence: %s, xrefs: 00366F02
sqlite_autoindex_%s_%d, xrefs: 00366ACD
sqlite_master, xrefs: 00367284
index %s already exists, xrefs: 00366A8A
%s: %s.%s, xrefs: 003667FE
conflicting ON CONFLICT clauses specified, xrefs: 00367138

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: UNIQUE$%s %T cannot reference objects in database %s$%s: %s$%s: %s.%s$CREATE%s INDEX %.*s$INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);$alte$conflicting ON CONFLICT clauses specified$index$index %s already exists$name='%q'$no such collation sequence: %s$no such table$rtab$sqlite_$sqlite_autoindex_%s_%d$sqlite_master$table %s has no column named %s$table %s may not be indexed$there is already a table named %s$virtual tables may not be indexed
API String ID: 0-3211406468
Opcode ID: abc543569a7c2bffbaf61cd5403f95dd31c69d5b8f5d36d053f6917b0ff2d275
Instruction ID: ee45a718af6d65872020344e2c881d10efd032a5ca48f59073e591cbcd6510f6
Opcode Fuzzy Hash: abc543569a7c2bffbaf61cd5403f95dd31c69d5b8f5d36d053f6917b0ff2d275
Instruction Fuzzy Hash: 67A2F170A002459FCB26CF29C491BAEBBB1BF45304F19C5A9D855AF35ADB31ED41CBA0

Function 002D3330 Relevance: 24.5, APIs: 1, Strings: 12, Instructions: 1726COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,QDF\R\Z[), ref: 002D3453

Strings

ct~v, xrefs: 002D40C2
*$"#, xrefs: 002D47A1, 002D47DA
&, xrefs: 002D4A18
)<>$, xrefs: 002D4100
\, xrefs: 002D3D65
cannot use operator[] with a string argument with , xrefs: 002D49FB, 002D4A53
\, xrefs: 002D3DED
tTTRAYB, xrefs: 002D3B4A, 002D3B86
QDF\R\Z[, xrefs: 002D33CE, 002D33D5
QDF\R\Z[, xrefs: 002D48AA, 002D48AD
FP^FQ, xrefs: 002D45B3, 002D45DC
^P_V, xrefs: 002D44BE, 002D44C5

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: &$)<>$$*$"#$FP^FQ$QDF\R\Z[$QDF\R\Z[$\$\$^P_V$cannot use operator[] with a string argument with $ct~v$tTTRAYB
API String ID: 1514166925-449149491
Opcode ID: e73068ed77223fe0619c64f5a0e502511fd55c6d2225b6fbc7ef67ad994a57a9
Instruction ID: 9687d4397c3247f446163676e816528b01f923e5e927c20036c377da5a8605cd
Opcode Fuzzy Hash: e73068ed77223fe0619c64f5a0e502511fd55c6d2225b6fbc7ef67ad994a57a9
Instruction Fuzzy Hash: B4E2EF709102598FDF29DF68CC847EDBBB5AF05300F1482AAE449AB382D7749E95CF91

Function 003340A0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,y_FVF[SCwI_U}), ref: 003340EC
GetProcAddress.KERNEL32(?,y_FVF[SCk\NtLIWP.), ref: 0033412E
GetProcAddress.KERNEL32(?,xEFC{ESYj\KNYNJ~), ref: 00334176
GetProcAddress.KERNEL32(?,y_FVF[SC{VTUY^J~), ref: 003341B7
GetProcAddress.KERNEL32(?,y_FVF[SCwI_UiOR~), ref: 003341F8
GetProcAddress.KERNEL32(?,xEFCy_FVF[SC), ref: 00334236
GetProcAddress.KERNEL32(?,56465F79), ref: 0033427E
GetProcAddress.KERNEL32(?,xEFCgPXSj\KNYNJ~), ref: 003342C6
GetProcAddress.KERNEL32(?,y_FVF[SCj\[_zTRZ), ref: 00334307
GetProcAddress.KERNEL32(?,y_FVy_FV), ref: 0033434D

Strings

y_FVF[SCwI_U}, xrefs: 003340E3, 003340E6
y_FVF[SCk\NtLIWP., xrefs: 00334125, 0033412C
y_FVy_FVy_FV, xrefs: 00334275

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: AddressProc
String ID: y_FVF[SCk\NtLIWP.$y_FVF[SCwI_U}$y_FVy_FVy_FV
API String ID: 190572456-2900599294
Opcode ID: 1766fa3103a1b9d97c9a33e1ab20e7b5c1684832ed77bb0d62bcb29ab826f58f
Instruction ID: 0d22d9e192213dc0bb325583a1058b083f739137850446917782cd5215b0ce21
Opcode Fuzzy Hash: 1766fa3103a1b9d97c9a33e1ab20e7b5c1684832ed77bb0d62bcb29ab826f58f
Instruction Fuzzy Hash: 8D817DB091428CDEDF0ACFA5E8846EEBBB9EF05704F51809ED441AA252D774930ACB65

Function 0033F110 Relevance: 18.6, APIs: 3, Strings: 7, Instructions: 1060COMMON

Download Yara Rule

Strings

gfff, xrefs: 0033FBBC
Inf, xrefs: 0033F91E
+, xrefs: 0033F73A
+Inf, xrefs: 0033F915
NaN, xrefs: 0033F7D7
, xrefs: 0033F979, 0033F9A1, 0033FFD7, 0033FFF7
-Inf, xrefs: 0033F8F2

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: $+$+Inf$-Inf$Inf$NaN$gfff
API String ID: 0-2577472133
Opcode ID: 1e306aed04a2d1e207b539f63208edeb9bee5f869e9e66abf48a39413fc1ac35
Instruction ID: bcaa9086dee8bbf664fcffce63630f0d16341d52753cc192eae55d747be86738
Opcode Fuzzy Hash: 1e306aed04a2d1e207b539f63208edeb9bee5f869e9e66abf48a39413fc1ac35
Instruction Fuzzy Hash: F9822571E083818FD7179F28C4D036BBBE4AF86344F99496DE4C59B396E731C9498B82

Function 0036C770 Relevance: 11.8, Strings: 8, Instructions: 1845COMMON

Download Yara Rule

Strings

`V>, xrefs: 0036D72D
`V>, xrefs: 0036CBE3
%d values for %d columns, xrefs: 0036D20A
`V>, xrefs: 0036CBCD
table %S has no column named %s, xrefs: 0036D345
`V>, xrefs: 0036D718
table %S has %d columns but %d values were supplied, xrefs: 0036D113
rows inserted, xrefs: 0036E07E

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: %d values for %d columns$`V>$`V>$`V>$`V>$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
API String ID: 0-4124804184
Opcode ID: 64a6dbaee8299865bd91384f4b3d1257e438b8b11f7060306af7c0e079d86bde
Instruction ID: 68eece9e748c54065ffe803c828e3cd392082f07f80f69b1ec255b77cc787e0b
Opcode Fuzzy Hash: 64a6dbaee8299865bd91384f4b3d1257e438b8b11f7060306af7c0e079d86bde
Instruction Fuzzy Hash: D81368706047418FD726EF18C090B2ABBE1FF89344F16C95DE9868B356DB75E819CB82

Function 003B0413 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003B062A

Strings

1#IND, xrefs: 003B0518
1#SNAN, xrefs: 003B051F
1#QNAN, xrefs: 003B0526
1#INF, xrefs: 003B0549

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7a536cbf668e579f0c8b8068099bb530cac02d8a6a22646f5d56ac026212fdef
Instruction ID: 91d37af7fc0452a2d351cf2e9439e7ec09119081bb9567e95657aaf2f0c8960a
Opcode Fuzzy Hash: 7a536cbf668e579f0c8b8068099bb530cac02d8a6a22646f5d56ac026212fdef
Instruction Fuzzy Hash: 00D25D71E082288FDB6ACE28CD507EAB7B5FB45309F1545EAD50DE7640EB34AE858F40

Function 0038B900 Relevance: 9.2, Strings: 7, Instructions: 461COMMON

Download Yara Rule

Strings

MATCH, xrefs: 0038BC4C, 0038BC5A, 0038BC7A, 0038BC7B, 0038BC91
no such vfs: %s, xrefs: 0038BA92
BINARY, xrefs: 0038BAB3, 0038BAC2, 0038BADC, 0038BB1E
RTRIM, xrefs: 0038BAF6
automatic extension loading failed: %s, xrefs: 0038BD92
sqlite_rename_table, xrefs: 0038BC28
NOCASE, xrefs: 0038BB35

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: 59e8c75fcf703e50e30697f1c567e2058bdb1ac8d779e07411ad244d10c5e8e7
Instruction ID: 17485c5c8d6237785264ac1ef96e6e8dee81d245aacc3b0736248c6286324a2c
Opcode Fuzzy Hash: 59e8c75fcf703e50e30697f1c567e2058bdb1ac8d779e07411ad244d10c5e8e7
Instruction Fuzzy Hash: A5F1F2B1A003059FEB23AF14ECC6B6AB7A9AF00304F1540A9E9059F2D6D7B5ED45CBD1

Function 002BA480 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,bE^tQA`RJJSTR), ref: 002BA500

Strings

bE^tQA`RJJSTR, xrefs: 002BA4FB, 002BA4FE
~EV_, xrefs: 002BA4C3
T, xrefs: 002BA4D1

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: AddressProc
String ID: T$bE^tQA`RJJSTR$~EV_
API String ID: 190572456-4159564008
Opcode ID: 67567df312fd0944ae3c58adaf1169d3e1fcfaafc163ac56c7d74a62c15f149a
Instruction ID: 79142cd87d3830a3685f2ff9409143ec8707219c558575c16adbba3bac315fd4
Opcode Fuzzy Hash: 67567df312fd0944ae3c58adaf1169d3e1fcfaafc163ac56c7d74a62c15f149a
Instruction Fuzzy Hash: A421B030C2424CAACF25CFA4D4887EEBBB8EF15348F9040DDD41AA6241E7758759CB57

Function 00385470 Relevance: 7.0, Strings: 5, Instructions: 751COMMON

Download Yara Rule

Strings

at most %d tables in a join, xrefs: 0038549B
@, xrefs: 00385A35
cannot use index: %s, xrefs: 00385A5F
@, xrefs: 00385DF7
@, xrefs: 00385934

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: @$@$@$at most %d tables in a join$cannot use index: %s
API String ID: 0-2763088227
Opcode ID: d7b50c91e2e622b4bca5550256db3059f74470d5b922d32e79353e24b5c11479
Instruction ID: ca994ac2acf91049bce09d2d24b5f6c182bfb8eea61a1d09ac5991c953ea82ef
Opcode Fuzzy Hash: d7b50c91e2e622b4bca5550256db3059f74470d5b922d32e79353e24b5c11479
Instruction Fuzzy Hash: 2C62AC706087418FD716EF18C480B2ABBE1FF89314F168AADE8959B391D774EC45CB92

Function 0037C580 Relevance: 7.0, Strings: 4, Instructions: 2001COMMON

Download Yara Rule

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 0037C865
min, xrefs: 0037DE8D
too many terms in compound SELECT, xrefs: 0037C81F
max, xrefs: 0037DEFE

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: max$min$only a single result allowed for a SELECT that is part of an expression$too many terms in compound SELECT
API String ID: 0-2877691265
Opcode ID: 7c9edde0bd477901fa3f43dd899f49e0cb523a90c645c2876aac621ad42f20af
Instruction ID: d9415f2632d9378a3cda2df9c3ddd79b77090cfe60dd44398656329aa5b712c6
Opcode Fuzzy Hash: 7c9edde0bd477901fa3f43dd899f49e0cb523a90c645c2876aac621ad42f20af
Instruction Fuzzy Hash: 7E2338706047418FD725DF28C090B2ABBF1BF89304F16C95DE99A8B352DB79E945CB82

Function 00396F90 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64f3726e9d1158fca0f6afefcf42a3c85b5684936711d7c09b3d045691fbfa27
Instruction ID: 80ae3b4385eb3c8d147bb42c84d2a0ef75a9df6a90556509a0ccd9a60ef2e807
Opcode Fuzzy Hash: 64f3726e9d1158fca0f6afefcf42a3c85b5684936711d7c09b3d045691fbfa27
Instruction Fuzzy Hash: D1023D71E142199BDF15CFA9C8806AEFBF1FF48314F258269E919E7381D731AA41CB90

Function 002FF280 Relevance: 5.7, Strings: 4, Instructions: 658COMMON

Download Yara Rule

Strings

stbr, xrefs: 002FF8BC
lBVWMECM]STOa}F"$0%+=, xrefs: 002FF812, 002FF83C
ZV^^, xrefs: 002FF9BB
l|]\, xrefs: 002FF9B4

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: ZV^^$lBVWMECM]STOa}F"$0%+=$l|]\$stbr
API String ID: 0-725108056
Opcode ID: 664c22a8c738689e98dd37ce94d4e1efe0a090f972d067598c09536a01d37f67
Instruction ID: 2247cfd7c18c46d6d72bbe328d51bb79172f265a8149b28477beb580e2df40b5
Opcode Fuzzy Hash: 664c22a8c738689e98dd37ce94d4e1efe0a090f972d067598c09536a01d37f67
Instruction Fuzzy Hash: C35268B091024ACECB48DFB8D5552AEFBF4FF09344F1482ADC449AB642E771964ACBD1

Function 0049885E Relevance: 3.9, Strings: 3, Instructions: 157COMMON

Download Yara Rule

Strings

2, xrefs: 00409317
C, xrefs: 003E6FB7
i, xrefs: 003E6FBC

Memory Dump Source

Source File: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: 2$C$i
API String ID: 0-2244554577
Opcode ID: eb49a35e5be38a60a5f30af4d1cdf20f355320cce3bb6fc434da0a3848502a38
Instruction ID: 268cd88bba7faf53fc42cdda5a474c11260f6459d90525a367830aa2a4bc0b8d
Opcode Fuzzy Hash: eb49a35e5be38a60a5f30af4d1cdf20f355320cce3bb6fc434da0a3848502a38
Instruction Fuzzy Hash: 6151033140D7829BC71AEF24C80526BBBE1BFD2314F548A5EF5E607292E7398506CB4B

Function 0037E300 Relevance: 3.7, Strings: 2, Instructions: 1167COMMON

Download Yara Rule

Strings

no such column: %s, xrefs: 0037E64A
rows updated, xrefs: 0037F28C

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: no such column: %s$rows updated
API String ID: 0-885832449
Opcode ID: 2c7e51625cf3ffaba7e9967950b7520f38be7fde3823375e63ca9e18283a56e0
Instruction ID: 5d049d301154755d55cb595ea0a4bd349591ee8960d2a21b25ddceae368ea7a1
Opcode Fuzzy Hash: 2c7e51625cf3ffaba7e9967950b7520f38be7fde3823375e63ca9e18283a56e0
Instruction Fuzzy Hash: 94C259742047418FD726DF18C090B2ABBF1BF89344F16C99DE99A8B352D779E815CB82

Function 00341110 Relevance: 3.5, APIs: 2, Instructions: 456COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003413FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0034144D

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 27c5b3372338de7d7bfda0c0e8000eb420848edc0633e142b08433a518e8147b
Instruction ID: ee6c69a5a352376a7b8077fd4383e56ea919db2d53ea373fa2f3d55eb31ba85c
Opcode Fuzzy Hash: 27c5b3372338de7d7bfda0c0e8000eb420848edc0633e142b08433a518e8147b
Instruction Fuzzy Hash: 85F10271E006198BCF16CFADC8902EDFBF1FB89310F1A42AAD594EF291D77159808B90

Function 00324450 Relevance: 3.4, APIs: 2, Instructions: 374COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00324665
Concurrency::cancel_current_task.LIBCPMT ref: 0032485C

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0682d0525f26f26695730ce3270428992653feb2a4615428683965e127f80bed
Instruction ID: 781c17808f5eb265352b6a2d7ae7783a8626490a588b92396c873693aa997ebe
Opcode Fuzzy Hash: 0682d0525f26f26695730ce3270428992653feb2a4615428683965e127f80bed
Instruction Fuzzy Hash: BBC12C72E101248BDB1ADF6DEDD15ACB3A5EB84300B56863DD8669F385E730AD44CBD0

Function 002B24F0 Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

,>, xrefs: 002B26B7
,>, xrefs: 002B25C7

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: ,>$,>
API String ID: 0-157805121
Opcode ID: 93d41d3daa201f1d831701fbf5889da4e332b32a725f5d13ab6e194a84765ff1
Instruction ID: 83eb113a0dc9dc0fe597b267597ddf6d62d4d09acdbe26fc12172f8c2d0c9af0
Opcode Fuzzy Hash: 93d41d3daa201f1d831701fbf5889da4e332b32a725f5d13ab6e194a84765ff1
Instruction Fuzzy Hash: 247115B4D10256CFEB29CF68C8D07FFBBB8EB19340F140269D955A7383C624991AC7A0

Function 0046B450 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

U, xrefs: 004AB19C
J, xrefs: 0046B47B

Memory Dump Source

Source File: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: J$U
API String ID: 0-1755682265
Opcode ID: 24bfc292d06bd2afd9d53709659aaa2e4f8db6c3ac864b46c23a8c74671575e0
Instruction ID: 47baf70e2a8d511d8fa95eb1f080ad93068cf755bf81dc58a548e4fd9e52098b
Opcode Fuzzy Hash: 24bfc292d06bd2afd9d53709659aaa2e4f8db6c3ac864b46c23a8c74671575e0
Instruction Fuzzy Hash: 4631383110871A9FE304EF25D8829ABB7E0BB80314F448A1DB6DA53292D77CA545DF87

Function 003356F0 Relevance: 2.3, Strings: 1, Instructions: 1073COMMON

Download Yara Rule

Strings

4(=, xrefs: 0033582D

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: 4(=
API String ID: 0-3642128101
Opcode ID: cdd0bd773aeac7e639ac1ccfc012b82627686dc5ddb8dd697e1c066143d9a079
Instruction ID: c68e2ac658782a43b35420f889ba1a8fb244fe6d6d6107300a13005598ec7a50
Opcode Fuzzy Hash: cdd0bd773aeac7e639ac1ccfc012b82627686dc5ddb8dd697e1c066143d9a079
Instruction Fuzzy Hash: 93A24974A00A02DFCB29CF68D1C0A6AB7F1FF49304F148669D4568BB52D734F996CBA1

Function 00334610 Relevance: 2.0, Strings: 1, Instructions: 759COMMON

Download Yara Rule

Strings

D3, xrefs: 0033470B, 003349CC, 00334B73, 00334C77

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: D3
API String ID: 0-3972625637
Opcode ID: 0c5316f1b48f63a7bb38c0e6b3ea4f58914c08cb1eb6d5d8162fff3f7cf674ca
Instruction ID: a20ef5cb3bccbb3b35f586d0520ba8a7bd18ba1ed199951a52a20b91afd5e55f
Opcode Fuzzy Hash: 0c5316f1b48f63a7bb38c0e6b3ea4f58914c08cb1eb6d5d8162fff3f7cf674ca
Instruction Fuzzy Hash: 593241B7F5161447DB0CCE5DDCA16EDB2E3AFD8224B1E803DA80AE3345EA79DD058684

Function 00338370 Relevance: 2.0, Strings: 1, Instructions: 748COMMON

Download Yara Rule

Strings

x'=, xrefs: 00338629

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: x'=
API String ID: 0-655236750
Opcode ID: e16ab0b288899eaa6e58ab50f41c95e0ef9e7db3d246a204ff9c08201f48992c
Instruction ID: 630e18cfac98d62758c9a148223cd8e9e5606c31f1a0ceffc9e138379bb66c5d
Opcode Fuzzy Hash: e16ab0b288899eaa6e58ab50f41c95e0ef9e7db3d246a204ff9c08201f48992c
Instruction Fuzzy Hash: C3625DB0E003059BDB16CF59C5C47AEBBB1AF88304F2581AEE805AB352DB75D946CB90

Function 003453D0 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00345456

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: 4cc452d52c494a6b4f7cab85431d7f5979f377a5412bf8613d1eb59dfdeb7610
Instruction ID: fc69b24d2937bd2656afc88a93596da45cc8ebe646aeae510042d71ddd053cd6
Opcode Fuzzy Hash: 4cc452d52c494a6b4f7cab85431d7f5979f377a5412bf8613d1eb59dfdeb7610
Instruction Fuzzy Hash: 93817071A001459FDB19CF9CCC80AAEBBB5EF89704F5980A9E915EB342D335EE45CB90

Function 00344EE0 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00344F59

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: f6236e384e0100328f3c18778ce6eedc500b91834a32ac9b6a4968c2bb7cbbee
Instruction ID: f566d5a4a86b0f2859c80b37a03034e972fda2fbd713c996781b41ff054c410a
Opcode Fuzzy Hash: f6236e384e0100328f3c18778ce6eedc500b91834a32ac9b6a4968c2bb7cbbee
Instruction Fuzzy Hash: BF615B716107408FCB29CF6DC880A5AFBF5AF95300B0489AEE986DB752D630F955CB90

Function 0039A99F Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

0, xrefs: 0039AB0F

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ebb50a0d6f711a14c78bbd7cc2bd7cff3dc7edbaf937b2d3603def4245372500
Instruction ID: 4216939d1211f610ecaf7316f7f3fdc5493875922b3f828619dfa34dcc4ba7d9
Opcode Fuzzy Hash: ebb50a0d6f711a14c78bbd7cc2bd7cff3dc7edbaf937b2d3603def4245372500
Instruction Fuzzy Hash: A9C1BC70900E4A8FCF27CF6CC684A7ABBB6FB05304F264719D8569B691D730AD45CB92

Function 0039A65D Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 0039A7E1

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ab3fa5fa9b3513e2c259515397e7c5a3e085e2a01b685d32c27cb86472dcd0b8
Instruction ID: a3e8b045de7632516a75809d6787b473e3b450a02a7601ca4de8905330c524f1
Opcode Fuzzy Hash: ab3fa5fa9b3513e2c259515397e7c5a3e085e2a01b685d32c27cb86472dcd0b8
Instruction Fuzzy Hash: D3B1C170904E0A8BCF27CFA8C5966BEBBB5EB40300F154B1DD4929B691D731AE01CBD2

Function 0033CC30 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

-, xrefs: 0033CC88

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2a2e03b90355dc0d59000aeef2c7e7f9d6bd4af588e3a47cd3e57602e03e1696
Instruction ID: b2a5858399bde1a1b181f242265d5b1ca449805444c8989c475e09a372b5a1e6
Opcode Fuzzy Hash: 2a2e03b90355dc0d59000aeef2c7e7f9d6bd4af588e3a47cd3e57602e03e1696
Instruction Fuzzy Hash: CBB1B2756107059FEB31CAA8CC80ABEF7F5FF44310F104A19E9AAE3690D771A946CB61

Function 0034B000 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

d, xrefs: 0034B228

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: cbe94b3f5837054907e53f150b73c29a65f543e769350a0222dc5f867f012476
Instruction ID: 28ef5921f74f1a18563ea8370762a16b3bb4372fad30c3004ed60ca5db02f63e
Opcode Fuzzy Hash: cbe94b3f5837054907e53f150b73c29a65f543e769350a0222dc5f867f012476
Instruction Fuzzy Hash: 82C191316087418FC715CF29C48055ABBE2AFD9304F198AADE8898F746DB35FD06CBA1

Function 0038E3B4 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

W, xrefs: 0038E3DD

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 9e1788dc7a08fa9ba0b9ea03b8fe38fb4d071d69b096e33b913ef6d18878afd3
Instruction ID: 267c834da3eb027e1d5f20c0ed16adfd6353cba213cd028eb0abee1cc62c83e0
Opcode Fuzzy Hash: 9e1788dc7a08fa9ba0b9ea03b8fe38fb4d071d69b096e33b913ef6d18878afd3
Instruction Fuzzy Hash: C95158B19103998BDB26CF55D8C17AEBBF8FB48314F2586AAC405EB295D374D940CF50

Function 00381450 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cb51f7959f340200f014bbbaf4069c2943f6fcadbfcaf3632146c857b3f8e8a
Instruction ID: e958f5cafe0f8f5d6e084a75a904d18049f84f77d18c04e47b23973bba490eee
Opcode Fuzzy Hash: 0cb51f7959f340200f014bbbaf4069c2943f6fcadbfcaf3632146c857b3f8e8a
Instruction Fuzzy Hash: 8232AC716043418FD726DF28C481B1AFBF5BF88314F1589AEE9898B351D775E846CB82

Function 00337100 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 011b84df6fdb0c1f5f87864c4f33c2b05fa9df882d4c2b9f2fc5fe41c6a84fee
Instruction ID: a741c58c6805a42041be795fcb5af5de02c297871b999b59940657641971fad3
Opcode Fuzzy Hash: 011b84df6fdb0c1f5f87864c4f33c2b05fa9df882d4c2b9f2fc5fe41c6a84fee
Instruction Fuzzy Hash: 8A023675A04B008FC73ACF29C4C4A66B7E2FF88314F15495DE99A8BB52DB71E851CB80

Function 0033A840 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80b37ecb74186be8c734b10355c4c601250e8bd0ee9413014499d52b291190a
Instruction ID: 95016d257dd0e38d12e3e10a27d5586f37a8ac4d8fb2b04584ed53ed16ff8c87
Opcode Fuzzy Hash: b80b37ecb74186be8c734b10355c4c601250e8bd0ee9413014499d52b291190a
Instruction Fuzzy Hash: 0B025B759096158FCB09CF18D4D48F9BBF1EF68310F1A82EDD8899B366D3359980CB91

Function 003AE264 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: cb3143b9f30a9efaa244ffd711325e2de46a066603496d109dfe988f3a2de644
Instruction ID: 52216468cbf5647c3b73076681e11ab54a8a351a9013acec83541a9f968c24b8
Opcode Fuzzy Hash: cb3143b9f30a9efaa244ffd711325e2de46a066603496d109dfe988f3a2de644
Instruction Fuzzy Hash: 62B129755007019BDB3A9B25CC92BB7B3E8EF46708F15492DE983CA580FB74E981CB10

Function 0033CF80 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19520573e42289d9cda3940d629451c38ad52933884b8e810867c422e56ddbd0
Instruction ID: 3ea17847a24bfd81fb270f33a76f7bebe8d930a3e8aec9fa0dd99bc1c81efc66
Opcode Fuzzy Hash: 19520573e42289d9cda3940d629451c38ad52933884b8e810867c422e56ddbd0
Instruction Fuzzy Hash: F4D1AEB0610B018BE765CF39D480796BBE1FF48314F148A6DD4EACB791EB74A489CB91

Function 0033E300 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0711813a1fa8fe1654d16beb3f801dd9f4a269e7befb4bf0313f4af5961adda
Instruction ID: 90d63dae3178acade36e548606a0f201448e32b51957c7766bb5e055adf32fda
Opcode Fuzzy Hash: c0711813a1fa8fe1654d16beb3f801dd9f4a269e7befb4bf0313f4af5961adda
Instruction Fuzzy Hash: E2B1DE716047019FD722CE64C8C0A6BBBE4EF98324F144A2DF9AA83790D774E9498B52

Function 003A8314 Relevance: .3, Instructions: 270COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b803b99e1efbab65681eb893126d6210d390dd774f91a9e893d316d0bad354
Instruction ID: 01989f37a10c33dd9e62413fb278607fe3c3c28f7e4bcbcd6a2f887c52378cc6
Opcode Fuzzy Hash: 33b803b99e1efbab65681eb893126d6210d390dd774f91a9e893d316d0bad354
Instruction Fuzzy Hash: 9AB12F35510609DFD71ACF28C48AB657BE0FF4A364F2A8658E8D9CF2A1C735D991CB40

Function 0033E0F0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d31ba86242bfd7bd76f9ba221a1519e07e8bc4f3f0aa95c67da6b44e1bb030
Instruction ID: 2b5973eb07ac956c1cddd78ca78d810b5c68f6ba400bc8120fce185e14cc2537
Opcode Fuzzy Hash: 41d31ba86242bfd7bd76f9ba221a1519e07e8bc4f3f0aa95c67da6b44e1bb030
Instruction Fuzzy Hash: EC61B731A40609AFDB31DAA8CC80BEEFBF5EF45310F108AA9E596D37D0D274A685C751

Function 00335040 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc9979209e43906842b33ed070c63749a0471b8e85d9898ec11cbb21d5f8040
Instruction ID: 53a28f29d26b1ba6976c401039e54ffebc9d7791f24a63dfb4fc6c2dc4d9eec5
Opcode Fuzzy Hash: ebc9979209e43906842b33ed070c63749a0471b8e85d9898ec11cbb21d5f8040
Instruction Fuzzy Hash: 8861B0312105644FD71ACF1EECC49663379E38A301B8B466AEAC1DB396C735F926C7A0

Function 002C4100 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fbd008fba7024008a73466831a910c6b46a3fbbbc449b750397b59804f1b58
Instruction ID: 167a831e050beb7023b0c10722dd88b5ea5964a83d2bd62e28f35c6181e28dc3
Opcode Fuzzy Hash: b6fbd008fba7024008a73466831a910c6b46a3fbbbc449b750397b59804f1b58
Instruction Fuzzy Hash: 8151BF71E1021A9FCB19EF98D891BEEBBB4FF48310F14466DE819A7341D7709A54CBA0

Function 00394F58 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1981d3f4efc1d7326e7ec73675bf0ba9eb9b58bdf0e432d0af5ce1f2cd5c2c28
Instruction ID: 71e9eb0f584adf300c9e5b3621335b5146691a4d91767a2298012cbe773b1f78
Opcode Fuzzy Hash: 1981d3f4efc1d7326e7ec73675bf0ba9eb9b58bdf0e432d0af5ce1f2cd5c2c28
Instruction Fuzzy Hash: C8517F72D00219EFDF16CF98C840AEEBBB6FF88304F5A8459E515AB301D7359A91CB90

Function 003417F0 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction ID: 43aa76faf3864324e2f0e3c26d3cd092c6a6e7def6a02ebd7bd8e6756db1a7ce
Opcode Fuzzy Hash: 1b63d64401bd7e6c0b9e96cbe20f5ac7b232a30cab2b22ebf5df1188a7b10d86
Instruction Fuzzy Hash: BE21A641E1A6A84BDB01593EC890792BFC1C792329F28D3F4D8588FBDED514B409C3E1

Function 0033D400 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854d7f0168f0dc93b040c5b83782ce3004fb363419dbd7899f20dfa3d1eb45b6
Instruction ID: 126745882d913a4b1fb6004a31d92dca9ec598ee8fe6be0978e3288691db98e8
Opcode Fuzzy Hash: 854d7f0168f0dc93b040c5b83782ce3004fb363419dbd7899f20dfa3d1eb45b6
Instruction Fuzzy Hash: 25316F71600B058FC366CEB9C8817A3B7E5FB49314F550A6ED6EAC7280C6B4F984CB60

Function 004EA790 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e454e24aa5901306454e9e2ba1d41df90ca2b98c9ecabfb45b11066f9b7127
Instruction ID: 73be1fdfe97126da8a55fe90443792896676d593518a43fdf0a22ae43e339be0
Opcode Fuzzy Hash: 19e454e24aa5901306454e9e2ba1d41df90ca2b98c9ecabfb45b11066f9b7127
Instruction Fuzzy Hash: FAE0ECB0A04049EB8A51BE54DC824DD73E1BB84304F204420F954DB315E738EE259756

Function 002C4490 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 209registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 002C45B5

Strings

#$>, xrefs: 002C44ED
MKH^, xrefs: 002C44C3
:$-*, xrefs: 002C4565
=*., xrefs: 002C46B4
:$-*, xrefs: 002C44E6
chagqxjt, xrefs: 002C451F
.50,, xrefs: 002C44D1
RI}P, xrefs: 002C4549
f|erfp, xrefs: 002C467D, 002C46A1
chag, xrefs: 002C4532
<20$, xrefs: 002C44F4
.50,, xrefs: 002C4550

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Close
String ID: #$>$.50,$.50,$:$-*$:$-*$<20$$=*.$MKH^$RI}P$chag$chagqxjt$f|erfp
API String ID: 3535843008-2249345429
Opcode ID: de862cedce422b6b0f92d6f1453c90e9e16a9fdfb3da978096d9cc4b044b9aa3
Instruction ID: 3e887481082de47d0dcdd1cd7ae216f119ea65e1ca1a7c8a50b60d1f2a13c9d2
Opcode Fuzzy Hash: de862cedce422b6b0f92d6f1453c90e9e16a9fdfb3da978096d9cc4b044b9aa3
Instruction Fuzzy Hash: CE71D170D102489FDF18EFA4D890BEEBBB8EF19304F64425DE845BB282E7719506CB65

Function 002B8BF0 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 002B8C64

Strings

(3'", xrefs: 002B8CC7
^EV_, xrefs: 002B8C2A
wTF|, xrefs: 002B8CA9
V_ST, xrefs: 002B8CB2
T, xrefs: 002B8C38
wTF|V_STLw[VYtPk(3'" , xrefs: 002B8CE5, 002B8CEC
Lw[V, xrefs: 002B8CB9
YtPk, xrefs: 002B8CC0

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: AddressProc
String ID: (3'"$Lw[V$T$V_ST$YtPk$^EV_$wTF|$wTF|V_STLw[VYtPk(3'"
API String ID: 190572456-3590895520
Opcode ID: 701eabd2dea77752ca8ed87d56f76d60eab64e441e1b02e504620f29468b51ec
Instruction ID: a8650184530e1ad6aff1676789387840e6891f759d67cc9a7669e2401862ad83
Opcode Fuzzy Hash: 701eabd2dea77752ca8ed87d56f76d60eab64e441e1b02e504620f29468b51ec
Instruction Fuzzy Hash: DB31E270914389EEEF05DFA4C845BEFBBB8EF04744F50006EE805BA181E7B59605C7A9

Function 002E8A00 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 321COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?), ref: 002E8B3F

Strings

R\ZR, xrefs: 002E8BAA
U, xrefs: 002E8BBE
lA@\, xrefs: 002E8BA0
cannot use operator[] with a string argument with , xrefs: 002E9F96
`PF[, xrefs: 002E8D56, 002E8D5C
T^E]XZWSgQSHHRLF, xrefs: 002E8AC0, 002E8ACD
`C]U, xrefs: 002E8CA0

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: FolderPath
String ID: R\ZR$T^E]XZWSgQSHHRLF$U$`C]U$`PF[$cannot use operator[] with a string argument with $lA@\
API String ID: 1514166925-1062347976
Opcode ID: 639e300bac14a5deb29db5beeb7b3211f31d278ab6cfc5ea62b0cca3972816eb
Instruction ID: 439e50b16ef4db9fb152efbfbd65e8bd1c603e96a6e3f42a668330fd8a8dc82d
Opcode Fuzzy Hash: 639e300bac14a5deb29db5beeb7b3211f31d278ab6cfc5ea62b0cca3972816eb
Instruction Fuzzy Hash: 9AD1D1709102989FEB19CB24CC85BDDB779AF06304F5441E9E44DAB282DB749F89CFA1

Function 0031E300 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0031E323
std::_Lockit::_Lockit.LIBCPMT ref: 0031E345
std::_Lockit::_Lockit.LIBCPMT ref: 0031E3FD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0031E449
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0031E463
std::_Facet_Register.LIBCPMT ref: 0031E505

Strings

bad locale name, xrefs: 0031E51F

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: std::_$LockitLockit::_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3514410213-1405518554
Opcode ID: 37a826f9039f30f0fe535910e4de1fcc22f950ba357c253cddca41f4230aee25
Instruction ID: eb25f87b69e1fe74c0de3780608ef710f09c6267e27764ce8789db869fdb6aa1
Opcode Fuzzy Hash: 37a826f9039f30f0fe535910e4de1fcc22f950ba357c253cddca41f4230aee25
Instruction Fuzzy Hash: 4861AFB5E00244DBDF16EFA4C885BDEBBB4AF18310F144598E854AB381EB31D945CBA2

Function 002BE2B7 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 366fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 002BE53C
GetLastError.KERNEL32 ref: 002BE547
__Mtx_unlock.LIBCPMT ref: 002BE562
__Mtx_unlock.LIBCPMT ref: 002BE571
CreateDirectoryA.KERNEL32(?,00000000), ref: 002BE588
CopyFileA.KERNEL32(?,?,00000000), ref: 002BE5F0
FindNextFileA.KERNEL32(00000000,?,?,?,?,?,191C1B6C,?,?,191C1B6C,191C1B6D), ref: 002BE604
GetLastError.KERNEL32(00000000,00000000,?,?,?,?,191C1B6C,?,?,191C1B6C,191C1B6D), ref: 002BE61A
GetLastError.KERNEL32(?,?,?,?,191C1B6C,?,?,191C1B6C,191C1B6D), ref: 002BE630
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000000), ref: 002BE7F0

Strings

., xrefs: 002BE2C0

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: ErrorFileLast$Mtx_unlock$AttributesCopyCreateDirectoryFindFolderNextPath
String ID: .
API String ID: 745826957-248832578
Opcode ID: ff541bac97673f0cda62d2ca59ced98c9fd42badadf3c066e9ae51ba5c106e36
Instruction ID: c6408b7745ca9c22d3d141219d3489896c5729204c6d09ffe9b9d4c151acde8b
Opcode Fuzzy Hash: ff541bac97673f0cda62d2ca59ced98c9fd42badadf3c066e9ae51ba5c106e36
Instruction Fuzzy Hash: 62D10FB19202089BEF1CDF28CC89BEDBB7ABF15340F554258E416AB7C2D7349991CB90

Function 003A63EF Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 003A6475

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 74de2fde90784ff470486f2bda14f06e9c85ae0d91867898de652616e41cd3fb
Instruction ID: 3bd07a8ed4d03c7f7d33dabc7a6fbc7e56b89b1c6ca23e2b9a79244b7e35c4f7
Opcode Fuzzy Hash: 74de2fde90784ff470486f2bda14f06e9c85ae0d91867898de652616e41cd3fb
Instruction Fuzzy Hash: 34B127729002659FDB178F68CC83BAE7BA5EF5B314F1D4166E904AF282D274D901C7A0

Function 00391900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00391937
___except_validate_context_record.LIBVCRUNTIME ref: 0039193F
_ValidateLocalCookies.LIBCMT ref: 003919C8
__IsNonwritableInCurrentImage.LIBCMT ref: 003919F3
_ValidateLocalCookies.LIBCMT ref: 00391A48

Strings

csm, xrefs: 003919DD

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 39fdf5cdc5ab3841b9bfe1a28718ea1e38a624abdcb14d0ef0266ba902893e84
Instruction ID: 04c12b5e44f83cefcfb7adac559298d72e4ff3d72c2aa0f66be34a6b20be6430
Opcode Fuzzy Hash: 39fdf5cdc5ab3841b9bfe1a28718ea1e38a624abdcb14d0ef0266ba902893e84
Instruction Fuzzy Hash: D941D435A00209ABCF12DF69C895AEEBBE4AF44314F148156E819AB392D731EE45CB91

Function 002C5A10 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(2B161CF7,?,2B161D98,?,?,003B4E2B,000000FF,2B161E27,002C8851,2B161D98,?,00000001), ref: 002C5A9B
CreateDirectoryA.KERNEL32(2B161CF7,00000000,?,?,?,?,?,003B4E2B,000000FF,2B161E27,002C8851,2B161D98,?,00000001), ref: 002C5B59

Strings

RPj, xrefs: 002C5E8F
|TUR, xrefs: 002C5E3C
X}S[, xrefs: 002C5E45
|TURX}S[H\H, xrefs: 002C5E8C, 002C5E90

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID: RPj$X}S[$|TUR$|TURX}S[H\H
API String ID: 3401506121-3311416963
Opcode ID: c1b0ef3cd13922e529021a8a9a40da3f90993257f4879021a5c0004e1dcfa07e
Instruction ID: dfcb361ca478f669b2c3ac0f79c72f4c13f91a3d8299a2764e8b2f1bc0e5a9d7
Opcode Fuzzy Hash: c1b0ef3cd13922e529021a8a9a40da3f90993257f4879021a5c0004e1dcfa07e
Instruction Fuzzy Hash: 0441E371A10A508FCB29DF28D881B9EB7F9EB04314F50072EE4099B7D1D731A980CB94

Function 002C3AA0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 002C3BBB
hR>, xrefs: 002C3E26
\, xrefs: 002C3BF8

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: \$abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ$hR>
API String ID: 0-1660423820
Opcode ID: dffc30a0757dbd6937daee634f1a54fb34fef1cdb1e8e2de2e5a6cb0a4cc5507
Instruction ID: 0813b41e669a63cc775fa8b57c79d6fb97be083bd7d705f1ecdc351a947e4a9d
Opcode Fuzzy Hash: dffc30a0757dbd6937daee634f1a54fb34fef1cdb1e8e2de2e5a6cb0a4cc5507
Instruction Fuzzy Hash: 58E1AF71D102498FDB09DFA8C885BAEBBB5FF08300F14CA5DE415AB782D7759A45CB90

Function 002B73B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002B75BE
___std_exception_destroy.LIBVCRUNTIME ref: 002B75CD

Strings

at line , xrefs: 002B73F7
, column , xrefs: 002B7434, 002B744A
yo+, xrefs: 002B7455

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $yo+
API String ID: 4194217158-420633916
Opcode ID: c52b547afc8c1405bd5cac2b608b76c49bcd263515aa30b9da3e01670b68e5a6
Instruction ID: 27812cfc23a62a36b147f57e5230d58f8d6c1751b65f8f9b352e8ebb0af0b90f
Opcode Fuzzy Hash: c52b547afc8c1405bd5cac2b608b76c49bcd263515aa30b9da3e01670b68e5a6
Instruction Fuzzy Hash: F6611571A042059FDB19DF68DC85BEDBBB6FF88300F24462CE415A7B82D774AA54CB90

Function 0031F730 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0031F7A1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0031F7F4
__Getcoll.LIBCPMT ref: 0031F806
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0031F825

Strings

bad locale name, xrefs: 0031F905

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: std::_$Locinfo::_$GetcollLocinfo_ctorLocinfo_dtorLockitLockit::_
String ID: bad locale name
API String ID: 3738408318-1405518554
Opcode ID: dec0d1643418c06b8b1fbba187dd6a897c3b6392faef6eecb1b84258abc85fa9
Instruction ID: 4112a684b206e9864a8b85d30d51c3d6337eeab300485e2b2d4bcf2ad4fd039d
Opcode Fuzzy Hash: dec0d1643418c06b8b1fbba187dd6a897c3b6392faef6eecb1b84258abc85fa9
Instruction Fuzzy Hash: FA516EB1D102489FEF15EFE4C8857CEBBB8AF18314F144569E804EB381E7759949CBA2

Function 0039E039 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

%3, xrefs: 0039E03B

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID: %3
API String ID: 0-1638272713
Opcode ID: 2f17deb89200a4916d145705dc0590648ed55fe470763717517df29d91a636b0
Instruction ID: 982bd0612fec6092c00c6362b4dd948848db16165b71f80416176fd94bf9938a
Opcode Fuzzy Hash: 2f17deb89200a4916d145705dc0590648ed55fe470763717517df29d91a636b0
Instruction Fuzzy Hash: B241B671A00748AFEB26DF78CC45BAABBA9EB48710F10452AF155DF781D7B199408B90

Function 00342EB0 Relevance: 7.6, APIs: 5, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00342950: GetVersionExA.KERNEL32(?), ref: 00342976

GetVersionExA.KERNEL32(?), ref: 00342EF3
GetLastError.KERNEL32(00000000,?,00000000,?,00000000), ref: 00342F26
Sleep.KERNEL32(00000064,00000000,?,00000000), ref: 00342F3C
GetLastError.KERNEL32(00000000), ref: 00342F59
Sleep.KERNEL32(00000064,00000000), ref: 00342F6F

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: ErrorLastSleepVersion
String ID:
API String ID: 2145038200-0
Opcode ID: 3d32a625bdb467a8c53126dccd37c40f3ba0aa4242a9699657502bac3b8e8687
Instruction ID: 3f168ce68284cf91b38e6f01f1382d6aae94375a7c18f8b77e137acbf8d72c02
Opcode Fuzzy Hash: 3d32a625bdb467a8c53126dccd37c40f3ba0aa4242a9699657502bac3b8e8687
Instruction Fuzzy Hash: 81216832D046048FCB22AB78AC8466F73F8DB16328FD141EAF90EEB140EA346C458B41

Function 0039FA4A Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 370COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 0039FBC4
__freea.LIBCMT ref: 0039FBE0

Strings

am/pm, xrefs: 0039FC42
a/p, xrefs: 0039FCA6

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: fe6d5b09fed97bed1f90df5e2238718ef32d325a0223fa7b2ffd7bb2e3060bcd
Instruction ID: dd850e6f91fbc5a3cbd282e4adef6ebd18f72643fa98a64adfc00a8fb76bcadc
Opcode Fuzzy Hash: fe6d5b09fed97bed1f90df5e2238718ef32d325a0223fa7b2ffd7bb2e3060bcd
Instruction Fuzzy Hash: C8C10135E04206DFCF2B9F68C894ABAB7B4FF09710F168069E905EB662D3359D41CB51

Function 0034D6B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0034D73F
__allrem.LIBCMT ref: 0034D79B

Strings

M]4, xrefs: 0034D7A0, 0034D7A3
M]4, xrefs: 0034D7CB, 0034D795

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: __alldvrm__allrem
String ID: M]4$M]4
API String ID: 1673774721-632438782
Opcode ID: 95142e094ac9602de11ebfa111b6ef39a809850b2ef176966b0be36d55b17f61
Instruction ID: 69c71ded7c3fecc99667e95cb0e85883b7ca7fcaad89977c188171f39e2d725b
Opcode Fuzzy Hash: 95142e094ac9602de11ebfa111b6ef39a809850b2ef176966b0be36d55b17f61
Instruction Fuzzy Hash: 6A4118B5E00219AFCF15DF99D881AAEFBF5EF48310F15816AE905AB311D734AD00CBA0

Function 003AB63D Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 003AB6A1
__dosmaperr.LIBCMT ref: 003AB6A8
GetLastError.KERNEL32(?,?,?,?), ref: 003AB6E2
__dosmaperr.LIBCMT ref: 003AB6E9

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: ErrorLast__dosmaperr
String ID:
API String ID: 1659562826-0
Opcode ID: 7a00f60527fc00d7a7598dcbf9575a30def8d3efbef0284928dcf4c9fc931266
Instruction ID: 52ff48323df2dff5a9dd7a471fdfc31cfe34ac2df98479448fbc880c3018f545
Opcode Fuzzy Hash: 7a00f60527fc00d7a7598dcbf9575a30def8d3efbef0284928dcf4c9fc931266
Instruction Fuzzy Hash: 4521F671600205AFDF23AF76D881C6BF7ADFF46364B018519F9199B562DB31EC018BA0

Function 002CE1E0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,gbs`Q[R), ref: 002CE562

Strings

Ws2_32.dll, xrefs: 002CE54E
gbs`Q[R, xrefs: 002CE55D, 002CE560

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: AddressProc
String ID: Ws2_32.dll$gbs`Q[R
API String ID: 190572456-463361242
Opcode ID: 7320ec0399fcbdf1133166884ae21276ce3665113f88fba9f23970e937d49103
Instruction ID: e242a5969c543959836ebee86728b13c6fe2fbcda4a51c81c5703390ee682457
Opcode Fuzzy Hash: 7320ec0399fcbdf1133166884ae21276ce3665113f88fba9f23970e937d49103
Instruction Fuzzy Hash: 15E19E70620251DFEF29CF68C880B6DBBA6FF45310F254A5DE4A29B3C2D771A951CB81

Function 003A3116 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 003A3397, 003A339A

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 9282e06950ec50e95d2aa11c51c61ecea8a085cafc769c155ae225e220370df9
Instruction ID: 81b7a5af8b1919d0855acfdbdb75b4e650126176d297f7e57afd8591a7a3a49e
Opcode Fuzzy Hash: 9282e06950ec50e95d2aa11c51c61ecea8a085cafc769c155ae225e220370df9
Instruction Fuzzy Hash: 5CA1D574A08248AFDF17DFA9D881BADBBB5EF4A314F144258F5149F292CB709A41CB50

Function 002B6C61 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 246COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002B6F11
___std_exception_destroy.LIBVCRUNTIME ref: 002B6F20

Strings

[json.exception., xrefs: 002B6CB8

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: ceb592cb666900915f80a0848d828f6426edd5e8d7c3217099b77c08cd877017
Instruction ID: 16be0ce2382bfc5f6621cef617b7fed4c22859b0a228830ec54de0c01e5bb6c0
Opcode Fuzzy Hash: ceb592cb666900915f80a0848d828f6426edd5e8d7c3217099b77c08cd877017
Instruction Fuzzy Hash: D991D370A102049FDB19CF68C889BDEBBF5EF44300F20866DE415AB792D775E981CB50

Function 002CF690 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170sleepCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 002CF781
Sleep.KERNEL32(00000065), ref: 002CF863

Strings

}pbOh, xrefs: 002CF6EE, 002CF721, 002CF726

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Mtx_unlockSleep
String ID: }pbOh
API String ID: 2676483549-3548698129
Opcode ID: 8f669b097d2eaecc73d276eb5403558af470f32b2ebde44ee4f7960415c57768
Instruction ID: b0a83e6647934e6606237dd9ce991705524d5f12e6332823cc7128e0915035c9
Opcode Fuzzy Hash: 8f669b097d2eaecc73d276eb5403558af470f32b2ebde44ee4f7960415c57768
Instruction Fuzzy Hash: A5516971910149ABDF09EF68CD46BEE7B7EDB05304F20836CF8109B6C2DA74995987E2

Function 00342A20 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 00342A70

Strings

>, xrefs: 00342B78
%s\etilqs_, xrefs: 00342B3A

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Version
String ID: %s\etilqs_$>
API String ID: 1889659487-2315843240
Opcode ID: 3d5dd2d37121fe9414855a28fbfb85f9a6537ca11956dc2ab64addb8563146ea
Instruction ID: 49331e6c1ad12a61715133578048ef0b19629acf1a2aa4fbc1c481d91028f129
Opcode Fuzzy Hash: 3d5dd2d37121fe9414855a28fbfb85f9a6537ca11956dc2ab64addb8563146ea
Instruction Fuzzy Hash: 76516B319042985DE727DB698C417FABBE4EF1A300F4905E9E594EA0C2DA746A81CBA1

Function 0032CF30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0032CF81

Strings

type must be string, but is , xrefs: 0032CFE8
type must be boolean, but is , xrefs: 0032D072

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 93193d997564d06f5ff3726fce2d2fb14ba89c2978bddfe5a32f732965e9bd62
Instruction ID: 04904e2665d168d599978f558c9515b2b792f2fe075e904e1e2569e1ed9bc9cf
Opcode Fuzzy Hash: 93193d997564d06f5ff3726fce2d2fb14ba89c2978bddfe5a32f732965e9bd62
Instruction Fuzzy Hash: 3C415AB1D10248AFDB06EBA4E902BDEB7AADB14300F104675F419DB781EB35AA54C792

Function 0039219B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 003922A6

Strings

RCC, xrefs: 003921DA
MOC, xrefs: 003921D2

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: f5c8718af9637b26ad0f108d3b039dc862457850545717bb2f636a52405a3a16
Instruction ID: 40241f8e55b754713fa50a01677b37713bb1f1ce024cb67c82afe5048831d74e
Opcode Fuzzy Hash: f5c8718af9637b26ad0f108d3b039dc862457850545717bb2f636a52405a3a16
Instruction Fuzzy Hash: 0B418A72900609BFCF16DF98C981AAEBBB5FF48300F1A8499F9147A261D3359960DB50

Function 002BAA29 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 002BAB12

Strings

QRL5, xrefs: 002BAAAF
wGQR5, xrefs: 002BAAEF

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: Mtx_unlock
String ID: QRL5$wGQR5
API String ID: 1418687624-2169126700
Opcode ID: 6a021dbec1413e710ff81ba084d2987626699ac957de1047a3c9510d51b8892c
Instruction ID: 32d8cadc64c93836566ea2b8274b797b691136f44461139b94a1c841d61b2a61
Opcode Fuzzy Hash: 6a021dbec1413e710ff81ba084d2987626699ac957de1047a3c9510d51b8892c
Instruction Fuzzy Hash: D82155729102018BEB18DF68CD897EDB7B6EF54355F148218E402AB6C2D7749990CBA6

Function 003A6259 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(x9,?,003978E1,?,?,?,00000000), ref: 003A626B
__dosmaperr.LIBCMT ref: 003A6272

Strings

x9, xrefs: 003A625E

Memory Dump Source

Source File: 00000000.00000002.4105234120.00000000002B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 002B0000, based on PE: true

Associated: 00000000.00000002.4105200278.00000000002B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105335483.00000000003BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105364714.00000000003E1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105384341.00000000003E6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105482075.0000000000501000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105501525.0000000000502000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4105686809.00000000007D1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b0000_LisectAVT_2403002A_262.jbxd

Similarity

API ID: ErrorLast__dosmaperr
String ID: x9
API String ID: 1659562826-1557327722
Opcode ID: f1e897b814f62d594dac233c6f6c62373a0bd42a38e66531129966c4740b0454
Instruction ID: 66ae3ed4aa63b4f72248fc0024c4315132267059cdc281d39c381a284350f64b
Opcode Fuzzy Hash: f1e897b814f62d594dac233c6f6c62373a0bd42a38e66531129966c4740b0454
Instruction Fuzzy Hash: 4ED0223304410823CE013AFABD0980B3B6DCBC23787000B21F16DC40D0EE35C8019424

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_262.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
LisectAVT_2403002A_262.exe

Function 00312530 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Function 002CE0A0 Relevance: .1, Instructions: 97
COMMON

Function 002BB865 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 194
registryCOMMON

Function 002CF1D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63
networkCOMMON

Function 002BA6A9 Relevance: 4.5, APIs: 3, Instructions: 35
COMMON

Function 003A3605 Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Function 0031F050 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON