Edit tour

Windows Analysis Report
LisectAVT_2403002B_47.exe

Overview

General Information

Sample name:	LisectAVT_2403002B_47.exe
Analysis ID:	1481626
MD5:	6fd4849beabb6b6d40230e9f4d491d26
SHA1:	7811c23f6fef484d9d7bc9dd362a6ff389ad0dcc
SHA256:	3ac758c494812836d63fb7016a040ef640dcc9700b7532f85b94f61b86a98bfc
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

AI detected suspicious sample

Uses known network protocols on non-standard ports

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002B_47.exe (PID: 6748 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_47.exe" MD5: 6FD4849BEABB6B6D40230E9F4D491D26)

cleanup

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.4 - Destination IP: 156.254.126.18

Timestamp:	2024-07-25T12:06:30.933225+0200
SID:	2803304
Source Port:	49730
Destination Port:	8000
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T12:06:31.348537+0200
SID:	2022930
Source Port:	443
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.4 - Destination IP: 156.254.126.18

Timestamp:	2024-07-25T12:09:11.563670+0200
SID:	2803304
Source Port:	62776
Destination Port:	8000
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T12:07:00.076102+0200
SID:	2022930
Source Port:	443
Destination Port:	62771
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.4 - Destination IP: 156.254.126.18

Timestamp:	2024-07-25T12:07:35.168663+0200
SID:	2803304
Source Port:	62773
Destination Port:	8000
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.4 - Destination IP: 156.254.126.18

Timestamp:	2024-07-25T12:07:03.022906+0200
SID:	2803304
Source Port:	62772
Destination Port:	8000
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.4 - Destination IP: 156.254.126.18

Timestamp:	2024-07-25T12:08:07.299887+0200
SID:	2803304
Source Port:	62774
Destination Port:	8000
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.4 - Destination IP: 156.254.126.18

Timestamp:	2024-07-25T12:08:39.427971+0200
SID:	2803304
Source Port:	62775
Destination Port:	8000
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002B_47.exe

Avira: detected

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: LisectAVT_2403002B_47.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62772 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62773 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62774 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62775 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62776 -> 8000

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 156.254.126.18:8000

Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18
Source: unknown	TCP traffic detected without corresponding DNS query: 156.254.126.18

Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /xb-4 HTTP/1.1Host: 156.254.126.18:8000Cache-Control: no-cache

Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18/
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18/n
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-4
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-426.18:8000/xb-4
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-44j/
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-45
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-4C
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-4H
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-4Z
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-4hqos.dll.mui
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-4hqos.dll.mui2
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-4wsock.dll.mui(
Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://156.254.126.18:8000/xb-4z
Source: LisectAVT_2403002B_47.exe	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: LisectAVT_2403002B_47.exe	String found in binary or memory: http://s2.symcb.com0
Source: LisectAVT_2403002B_47.exe	String found in binary or memory: http://www.symauth.com/cps0(
Source: LisectAVT_2403002B_47.exe	String found in binary or memory: http://www.symauth.com/rpa00

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_0040DEC9	0_2_0040DEC9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_00404716	0_2_00404716
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_0040D7AF	0_2_0040D7AF
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_00405FB0	0_2_00405FB0

Source: LisectAVT_2403002B_47.exe, 00000000.00000000.1675719598.0000000000429000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFL.exe4 vs LisectAVT_2403002B_47.exe
Source: LisectAVT_2403002B_47.exe	Binary or memory string: OriginalFilenameFL.exe4 vs LisectAVT_2403002B_47.exe

Source: LisectAVT_2403002B_47.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.troj.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_004232A4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

0_2_004232A4

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Command line argument: NEA

0_2_004144A0

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: LisectAVT_2403002B_47.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002B_47.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002B_47.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002B_47.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002B_47.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002B_47.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LisectAVT_2403002B_47.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: LisectAVT_2403002B_47.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002B_47.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002B_47.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002B_47.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002B_47.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_00444000 LoadLibraryW,GetProcAddress,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,FreeLibrary,

0_2_00444000

Source: LisectAVT_2403002B_47.exe

Static PE information: real checksum: 0x41085 should be: 0x42e46

Source: LisectAVT_2403002B_47.exe

Static PE information: section name: .fixer

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_00405886 push ecx; ret

0_2_00405899

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62772 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62773 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62774 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62775 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 62776 -> 8000

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_00404716 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00404716

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

API coverage: 4.1 %

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe TID: 6760	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe TID: 6760	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000064E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_00409371 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409371

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

0_2_00444000

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_00422BFE mov edx, dword ptr fs:[00000030h]		0_2_00422BFE
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_0040A60E mov eax, dword ptr fs:[00000030h]		0_2_0040A60E

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_0040D430 GetProcessHeap,

0_2_0040D430

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_00409371 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409371
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_00404B27 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00404B27
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_004054A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004054A9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe	Code function: 0_2_0040563B SetUnhandledExceptionFilter,	0_2_0040563B

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_00405690 cpuid

0_2_00405690

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_004058A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004058A0

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_0040F895 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0040F895

Source: C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Code function: 0_2_004023B0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,

0_2_004023B0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LisectAVT_2403002B_47.exe	100%	Avira	BDS/Redcap.kouft

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://156.254.126.18:8000/xb-44j/	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-4Z	0%	Avira URL Cloud	safe
http://156.254.126.18/	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-4	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-4hqos.dll.mui	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-45	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-4wsock.dll.mui(	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-426.18:8000/xb-4	0%	Avira URL Cloud	safe
http://156.254.126.18/n	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-4H	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-4hqos.dll.mui2	0%	Avira URL Cloud	safe
http://156.254.126.18:8000/xb-4C	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://156.254.126.18:8000/xb-4	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://156.254.126.18:8000/xb-4hqos.dll.mui	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.254.126.18:8000/xb-4wsock.dll.mui(	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.254.126.18:8000/xb-44j/	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	LisectAVT_2403002B_47.exe	false	URL Reputation: safe	unknown
http://156.254.126.18:8000/xb-45	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.254.126.18/	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.254.126.18:8000/xb-4Z	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.254.126.18:8000/xb-4z	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://156.254.126.18/n	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.254.126.18:8000/xb-426.18:8000/xb-4	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.254.126.18:8000/xb-4H	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	LisectAVT_2403002B_47.exe	false	URL Reputation: safe	unknown
http://156.254.126.18:8000/xb-4hqos.dll.mui2	LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.000000000068A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://156.254.126.18:8000/xb-4C	LisectAVT_2403002B_47.exe, 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_47.exe, 00000000.00000002.3526647092.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
156.254.126.18	unknown	Seychelles		135026	THINKDREAM-AS-APThinkDreamTechnologyLimitedHK	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481626
Start date and time:	2024-07-25 12:05:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002B_47.exe
Detection:	MAL
Classification:	mal56.troj.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 52
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002B_47.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
156.254.126.18	gx.elf	Get hash	malicious	Chaos	Browse	156.254.126.18:8080/password.txt

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
THINKDREAM-AS-APThinkDreamTechnologyLimitedHK	4qOdQ3lrYx.elf	Get hash	malicious	Mirai	Browse	119.8.28.218
	jhpg1LVUrZ.elf	Get hash	malicious	Mirai	Browse	119.8.28.202
	https://link.mail.beehiiv.com/ls/click?upn=u001.AafWW5Nqnbo2z-2BTA50bGEdcgdlKW6veoHg9i0lfVykqgG210mMbY9x6wlCJFem63Ptvb1AhwNnKu2bFWir67u4CZi9kAG27a28kN3PuYedxeUyKmOac6ITo-2BRFaF-2Bd-2Fi2Ixv82DfFvf02BiAI4hE-2B33SFQFo6ls2LdouLvYQ4evOtL64w0kovPYLtYVrx27PXV8C_Brrq8-2Fl00XKb7EalRYiEGmX6heUjj2STeswY-2BsiIt8od5e7wnskh4Flyd2gRfoUQMNxCsUTDSaFM8zPDLSGDGP82i7-2F2T8vItuV5dWHeXDAA5lbmJvOIRHwwHLaZqkTAe-2FUo72xufSnVCNP9jOcjTziRyEgpuuJQJiZBB3fK9Jfw-2BwXqmN7-2Bgu5oQ-2B1xbFghH62g1lHFS1Y4CHHJPc0auTlLsB05ygQ-2FI-2F7sxR9u8jR91M7H-2BbzqUKzs-2BT3ZKLeFEIL3152abEbru7Xm-2FQccrWU8wpYyuMKn02Tn-2B2EMXTmjNNbbalm-2BJ6GnnTdkYphMczl4vx3aqH514BnG-2FxWL6zJOg9p0nIer2lira82L8b5vTqtEzMFFrshInaCk-2FIKuK7IqIBd82nujTq2sahPgOcOQZPE1-2F-2BLJyD2o7TtDkzFXunFRnYrxODO7DLzvTUoA#SZ2JyYWRsZXlAdmNjdW9ubGluZS5uZXQ=&d=DwMFaQ	Get hash	malicious	HTMLPhisher	Browse	156.227.6.70
	sBgS8t0K7i.elf	Get hash	malicious	Mirai	Browse	103.206.123.198
	Qd0pExC2i1.elf	Get hash	malicious	Mirai	Browse	103.206.123.186
	HxTjtCwHSe.elf	Get hash	malicious	Mirai	Browse	103.206.123.189
	tY2bVScm0v.elf	Get hash	malicious	Mirai	Browse	103.114.133.123
	PO34730937398.exe	Get hash	malicious	RHADAMANTHYS	Browse	156.227.6.50
	sales contract-876 & New-Order.exe	Get hash	malicious	FormBook	Browse	156.227.6.30

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.87364273870965
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002B_47.exe
File size:	266'752 bytes
MD5:	6fd4849beabb6b6d40230e9f4d491d26
SHA1:	7811c23f6fef484d9d7bc9dd362a6ff389ad0dcc
SHA256:	3ac758c494812836d63fb7016a040ef640dcc9700b7532f85b94f61b86a98bfc
SHA512:	367d544c24a4c0ef40f05bd83181c64adb1d49e9a154b25648900cf604d74893fdc643e5f1de0de0bce0c0f19e802f83be6a9c85423800ffb8c330a2806198e6
SSDEEP:	3072:sp4xw3IkbNoyP6niK6gc31EvtAg0FubKk0Drz8ZcETg3+vhjNZQfGZ7DaTIOYWt7:w4k/oyPZKfAOB0DrAZtj7QfGZ7uOes
TLSH:	2B448E183CD18677D7A239B50CA5DBB5DC6FED7007608BEBA394EB790E242C22523563
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@...!...!...!..c.!..!..c.#.@!..c."..!.......!.......!.......!...YC..!...!...!..@....!..E./..!...!G..!..@....!..Rich.!.........

File Icon


Icon Hash:	2f3979797939190f

Static PE Info

General

Entrypoint:	0x405316
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C6FB2CC [Fri Feb 22 08:29:00 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	db8de496dd66110cf35d3e281bf4cecf

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F8CAD529535h
jmp 00007F8CAD528E43h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [00422070h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
jmp dword ptr [0041514Ch]
int3
int3
int3
mov eax, dword ptr [esp+08h]
mov ecx, dword ptr [esp+10h]
or ecx, eax
mov ecx, dword ptr [esp+0Ch]
jne 00007F8CAD528FBBh
mov eax, dword ptr [esp+04h]
mul ecx
retn 0010h
push ebx
mul ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
mul dword ptr [esp+14h]
add ebx, eax
mov eax, dword ptr [esp+08h]
mul ecx
add edx, ebx
pop ebx
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebx
push esi
mov eax, dword ptr [esp+18h]
or eax, eax
jne 00007F8CAD528FCAh
mov ecx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+0Ch]
div ecx
mov edx, ebx
jmp 00007F8CAD528FF3h
mov ecx, eax
mov ebx, dword ptr [esp+14h]
mov edx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007F8CAD528FA6h
div ebx

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20a18	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x29000	0x18f75	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3e000	0x17b8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x42000	0x19a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1f8d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1f94c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1f8f0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x15000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13eca	0x14000	11bd66c136a0971b16fad0a1a615f10a	False	0.56595458984375	data	6.65250970718716	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0xc1b6	0xc200	9376d3c48f5711d894cfc4cc970e991b	False	0.4856233891752577	data	5.512658321404061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x22000	0x49cc	0x3600	9c4499e7123eeef0788848a120c133c4	False	0.8470775462962963	DOS executable (block device driver ght (c)	7.3991199987904475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x27000	0x150	0x200	02b5641edb4343181cc0d842b828dfb0	False	0.43359375	data	2.3451760582622585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x28000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x29000	0x18f75	0x19000	05e6351956f8ef10302bda20bd90cb75	False	0.747255859375	data	7.122480667277769	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x42000	0x19a0	0x1a00	f8cc0291e51a455217c80f30ddfe173a	False	0.7086838942307693	data	6.53789180717345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.fixer	0x44000	0x1000	0x1000	3424e2cbf1f4167b8f7b4789f0e943fa	False	0.087158203125	data	1.3316124420719018	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x29370	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Belgium	0.6868279569892473
RT_ICON	0x29658	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Belgium	0.7027027027027027
RT_ICON	0x29780	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	Dutch	Belgium	0.660181236673774
RT_ICON	0x2a628	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Belgium	0.7906137184115524
RT_ICON	0x2aed0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Belgium	0.7947976878612717
RT_ICON	0x2b438	0xbe87	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Dutch	Belgium	0.995961045617632
RT_ICON	0x372c0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Dutch	Belgium	0.4417808219178082
RT_ICON	0x3b4e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Dutch	Belgium	0.4954356846473029
RT_ICON	0x3da90	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	Dutch	Belgium	0.527810650887574
RT_ICON	0x3f4f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Dutch	Belgium	0.5874765478424016
RT_ICON	0x405a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Dutch	Belgium	0.6610655737704918
RT_ICON	0x40f28	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680	Dutch	Belgium	0.7069767441860465
RT_ICON	0x415e0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Dutch	Belgium	0.7854609929078015
RT_GROUP_ICON	0x41a48	0xbc	data	Dutch	Belgium	0.6542553191489362
RT_VERSION	0x41b04	0x2e8	data	Dutch	Belgium	0.4731182795698925
RT_MANIFEST	0x41dec	0x189	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	English	United States	0.6081424936386769

Imports

DLL

Import

KERNEL32.dll

GetFileAttributesW, GetLastError, CloseHandle, WideCharToMultiByte, LoadLibraryW, GetProcAddress, FreeLibrary, SetCurrentDirectoryW, GetModuleHandleW, FindClose, GetModuleFileNameW, MultiByteToWideChar, GetModuleFileNameA, FlushFileBuffers, SetFilePointerEx, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetStringTypeW, CompareStringW, LCMapStringW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, RaiseException, RtlUnwind, LoadLibraryExW, CreateFileW, GetDriveTypeW, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, HeapAlloc, HeapReAlloc, HeapFree, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetACP, GetCurrentDirectoryW, GetFullPathNameW, SetStdHandle, GetProcessHeap, GetTimeZoneInformation, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, HeapSize, GetConsoleCP, GetConsoleMode, WriteConsoleW

ADVAPI32.dll

RegQueryValueExW, RegCloseKey, RegOpenKeyExW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Belgium
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T12:06:30.933225+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	49730	8000	192.168.2.4	156.254.126.18
2024-07-25T12:06:31.348537+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49731	20.114.59.183	192.168.2.4
2024-07-25T12:09:11.563670+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	62776	8000	192.168.2.4	156.254.126.18
2024-07-25T12:07:00.076102+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62771	20.114.59.183	192.168.2.4
2024-07-25T12:07:35.168663+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	62773	8000	192.168.2.4	156.254.126.18
2024-07-25T12:07:03.022906+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	62772	8000	192.168.2.4	156.254.126.18
2024-07-25T12:08:07.299887+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	62774	8000	192.168.2.4	156.254.126.18
2024-07-25T12:08:39.427971+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	62775	8000	192.168.2.4	156.254.126.18

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 12:06:28.793858051 CEST	49730	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:06:28.798834085 CEST	8000	49730	156.254.126.18	192.168.2.4
Jul 25, 2024 12:06:28.799062967 CEST	49730	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:06:28.799097061 CEST	49730	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:06:28.805315018 CEST	8000	49730	156.254.126.18	192.168.2.4
Jul 25, 2024 12:06:30.933046103 CEST	8000	49730	156.254.126.18	192.168.2.4
Jul 25, 2024 12:06:30.933224916 CEST	49730	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:06:30.933224916 CEST	49730	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:06:30.938256025 CEST	8000	49730	156.254.126.18	192.168.2.4
Jul 25, 2024 12:07:00.945879936 CEST	62772	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:00.951514006 CEST	8000	62772	156.254.126.18	192.168.2.4
Jul 25, 2024 12:07:00.952270031 CEST	62772	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:00.953613997 CEST	62772	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:00.962236881 CEST	8000	62772	156.254.126.18	192.168.2.4
Jul 25, 2024 12:07:03.022721052 CEST	8000	62772	156.254.126.18	192.168.2.4
Jul 25, 2024 12:07:03.022906065 CEST	62772	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:03.040539026 CEST	62772	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:03.045639038 CEST	8000	62772	156.254.126.18	192.168.2.4
Jul 25, 2024 12:07:33.068841934 CEST	62773	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:33.075333118 CEST	8000	62773	156.254.126.18	192.168.2.4
Jul 25, 2024 12:07:33.075449944 CEST	62773	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:33.075773954 CEST	62773	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:33.082120895 CEST	8000	62773	156.254.126.18	192.168.2.4
Jul 25, 2024 12:07:35.168554068 CEST	8000	62773	156.254.126.18	192.168.2.4
Jul 25, 2024 12:07:35.168663025 CEST	62773	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:35.168766975 CEST	62773	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:07:35.175183058 CEST	8000	62773	156.254.126.18	192.168.2.4
Jul 25, 2024 12:08:05.177280903 CEST	62774	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:05.189580917 CEST	8000	62774	156.254.126.18	192.168.2.4
Jul 25, 2024 12:08:05.189717054 CEST	62774	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:05.189961910 CEST	62774	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:05.195058107 CEST	8000	62774	156.254.126.18	192.168.2.4
Jul 25, 2024 12:08:07.299793959 CEST	8000	62774	156.254.126.18	192.168.2.4
Jul 25, 2024 12:08:07.299886942 CEST	62774	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:07.299995899 CEST	62774	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:07.305043936 CEST	8000	62774	156.254.126.18	192.168.2.4
Jul 25, 2024 12:08:37.304630995 CEST	62775	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:37.311825037 CEST	8000	62775	156.254.126.18	192.168.2.4
Jul 25, 2024 12:08:37.312037945 CEST	62775	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:37.312366962 CEST	62775	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:37.319538116 CEST	8000	62775	156.254.126.18	192.168.2.4
Jul 25, 2024 12:08:39.427896976 CEST	8000	62775	156.254.126.18	192.168.2.4
Jul 25, 2024 12:08:39.427970886 CEST	62775	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:39.428055048 CEST	62775	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:08:39.434741974 CEST	8000	62775	156.254.126.18	192.168.2.4
Jul 25, 2024 12:09:09.442948103 CEST	62776	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:09:09.448237896 CEST	8000	62776	156.254.126.18	192.168.2.4
Jul 25, 2024 12:09:09.448374033 CEST	62776	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:09:09.448532104 CEST	62776	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:09:09.454703093 CEST	8000	62776	156.254.126.18	192.168.2.4
Jul 25, 2024 12:09:11.563473940 CEST	8000	62776	156.254.126.18	192.168.2.4
Jul 25, 2024 12:09:11.563669920 CEST	62776	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:09:11.563967943 CEST	62776	8000	192.168.2.4	156.254.126.18
Jul 25, 2024 12:09:11.569170952 CEST	8000	62776	156.254.126.18	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 12:06:58.402859926 CEST	53	52837	162.159.36.2	192.168.2.4
Jul 25, 2024 12:06:58.906377077 CEST	53	53196	1.1.1.1	192.168.2.4

HTTP Request Dependency Graph

156.254.126.18:8000

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	156.254.126.18	8000	6748	C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:06:28.799097061 CEST	74	OUT	GET /xb-4 HTTP/1.1 Host: 156.254.126.18:8000 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	62772	156.254.126.18	8000	6748	C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:00.953613997 CEST	74	OUT	GET /xb-4 HTTP/1.1 Host: 156.254.126.18:8000 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	62773	156.254.126.18	8000	6748	C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:33.075773954 CEST	74	OUT	GET /xb-4 HTTP/1.1 Host: 156.254.126.18:8000 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	62774	156.254.126.18	8000	6748	C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:05.189961910 CEST	74	OUT	GET /xb-4 HTTP/1.1 Host: 156.254.126.18:8000 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	62775	156.254.126.18	8000	6748	C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:37.312366962 CEST	74	OUT	GET /xb-4 HTTP/1.1 Host: 156.254.126.18:8000 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	62776	156.254.126.18	8000	6748	C:\Users\user\Desktop\LisectAVT_2403002B_47.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:09.448532104 CEST	74	OUT	GET /xb-4 HTTP/1.1 Host: 156.254.126.18:8000 Cache-Control: no-cache

Target ID:	0
Start time:	06:06:10
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_47.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_47.exe"
Imagebase:	0x400000
File size:	266'752 bytes
MD5 hash:	6FD4849BEABB6B6D40230E9F4D491D26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.4%
Total number of Nodes:	28
Total number of Limit Nodes:	3

Executed Functions

Function 004232A4 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 205
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 004232B4
Process32FirstW.KERNEL32(00000000,?), ref: 004232D7
FindCloseChangeNotification.KERNELBASE(?), ref: 0042354E

Strings

C, xrefs: 0042347D
l, xrefs: 00423484
n, xrefs: 00423476
Q360Saf, xrefs: 0042351E, 00423524
s, xrefs: 00423492
s, xrefs: 00423499
M, xrefs: 00423468
o, xrefs: 0042346F
a, xrefs: 0042348B

Memory Dump Source

Source File: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32
String ID: C$M$Q360Saf$a$l$n$o$s$s
API String ID: 692674288-2495611964
Opcode ID: 3a7e114790ac83807ee783d4973c5ba35863f74a632842655462cc972086b0dd
Instruction ID: ea301f65fb63b90236c93c6f34219e0de73ff33be3de113c62dd973678eed83a
Opcode Fuzzy Hash: 3a7e114790ac83807ee783d4973c5ba35863f74a632842655462cc972086b0dd
Instruction Fuzzy Hash: A681A630A0C36CAAEB219B24DC557EAA7B8EF44744F0054DDD14C972D1E6BA6FC48F19

Function 00422BFE Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Mess, xrefs: 00423153
roce, xrefs: 00423241
ssId, xrefs: 0042324B
LoadLibraryA, xrefs: 00422C7C, 00422C82
eadP, xrefs: 00423237

Memory Dump Source

Source File: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID:
String ID: LoadLibraryA$Mess$eadP$roce$ssId
API String ID: 0-735157309
Opcode ID: b36e120d0833b7731a54506a0c70d5ba7736ed5fbba49d6459cd0983861c9288
Instruction ID: b586430f75ab145293ba667e9a8f67668a4fff5002a76f18b79429bede9ffe87
Opcode Fuzzy Hash: b36e120d0833b7731a54506a0c70d5ba7736ed5fbba49d6459cd0983861c9288
Instruction Fuzzy Hash: 92F12FB1D0422A9BDB61CF56DA81BD9BBB4BF24300F5081DA958CE6245DBB4DBC0CF58

Function 004236A9 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 125
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 0042388B
Sleep.KERNELBASE(000007D0), ref: 004238BD

Strings

6, xrefs: 00423757
0, xrefs: 004237DE
hQkS, xrefs: 004237C1
0, xrefs: 004237B6
ck(W, xrefs: 00423736

Memory Dump Source

Source File: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Sleep
String ID: 0$0$6$ck(W$hQkS
API String ID: 3472027048-2213254173
Opcode ID: 2c66a0ee2386820558b81d1253ee446268f83519f76bd6f3ac3aa14a6fcf5d4c
Instruction ID: b063393dda38bf1b8e8c1fc40eaeb6db28000a4d690f90c6b281b0b53222eae8
Opcode Fuzzy Hash: 2c66a0ee2386820558b81d1253ee446268f83519f76bd6f3ac3aa14a6fcf5d4c
Instruction Fuzzy Hash: 205143B1509391DFD3309F15A845B8FBBF8FF80705F50891EE5989A240DB788606CBAB

Function 004235B9 Relevance: 3.1, APIs: 2, Instructions: 93
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 004235EC
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 00423606

Memory Dump Source

Source File: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 77c53ca93e236c562defaffb78af67adc030127ede9e7ff349b1119ef9f3d8a5
Instruction ID: 7a828d8358b6daa98ad7c03c44e6977a739d63b350b14f336fab54bd7487e73a
Opcode Fuzzy Hash: 77c53ca93e236c562defaffb78af67adc030127ede9e7ff349b1119ef9f3d8a5
Instruction Fuzzy Hash: 4231D8B1E00219FFDB20DF95CD88AAEBBB9FF08305F504469E546E2250D7789E449B24

Non-executed Functions

Function 00444000 Relevance: 30.2, APIs: 20, Instructions: 200
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(00441E00), ref: 00444019
GetProcAddress.KERNEL32(00000000,646F636E), ref: 00444025
GetCurrentProcess.KERNEL32(?,00441E2D,00000004,00000000), ref: 0044403E
GetCurrentProcess.KERNEL32(?,00441E31,00000002,00000000,?,00441E2D,00000004,00000000), ref: 00444057
GetCurrentProcess.KERNEL32(?,00441E33,00000003,00000000,?,00441E31,00000002,00000000,?,00441E2D,00000004,00000000), ref: 00444070
GetCurrentProcess.KERNEL32(?,00441E36,00000005,00000000,?,00441E33,00000003,00000000,?,00441E31,00000002,00000000,?,00441E2D,00000004,00000000), ref: 00444089
GetCurrentProcess.KERNEL32(?,00441E3B,0000000B,00000000,?,00441E36,00000005,00000000,?,00441E33,00000003,00000000,?,00441E31,00000002,00000000), ref: 004440A2
GetCurrentProcess.KERNEL32(?,00441E46,00000006,00000000,?,00441E3B,0000000B,00000000,?,00441E36,00000005,00000000,?,00441E33,00000003,00000000), ref: 004440BB
GetCurrentProcess.KERNEL32(?,00441E4C,00000007,00000000,?,00441E46,00000006,00000000,?,00441E3B,0000000B,00000000,?,00441E36,00000005,00000000), ref: 004440D4
GetCurrentProcess.KERNEL32(?,00441E53,00000001,00000000,?,00441E4C,00000007,00000000,?,00441E46,00000006,00000000,?,00441E3B,0000000B,00000000), ref: 004440ED

Memory Dump Source

Source File: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: CurrentProcess$AddressLibraryLoadProc
String ID:
API String ID: 3180543935-0
Opcode ID: bf3e07137b0beb4a52e0053cdb9eb43d7be91cec0d8cae02cce42a71bbe23a88
Instruction ID: e5d195f8fff31ccf77d7fe84f9012ba492b6e0f0acfd17ef9f710123e8bfc7af
Opcode Fuzzy Hash: bf3e07137b0beb4a52e0053cdb9eb43d7be91cec0d8cae02cce42a71bbe23a88
Instruction Fuzzy Hash: 09513CB2650709BFE640ABF8DC4DFD63A9CEB4C745F404431B30CD6280D768EA1887A8

Function 0040F895 Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0040F8A5

Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC

GetTimeZoneInformation.KERNEL32 ref: 0040F8B7
WideCharToMultiByte.KERNEL32(00000000,?,0042364C,000000FF,?,0000003F,?,?), ref: 0040F92F
WideCharToMultiByte.KERNEL32(00000000,?,004236A0,000000FF,?,0000003F,?,?,?,0042364C,000000FF,?,0000003F,?,?), ref: 0040F95C

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 215096cbdcae1f8da96745ef043b85de9c26519771fb4ba832711c0c73d95392
Instruction ID: 6e57f7e2d0a2053b15716a2412924180c1bac2f3857dd3741ad5d86193e84dda
Opcode Fuzzy Hash: 215096cbdcae1f8da96745ef043b85de9c26519771fb4ba832711c0c73d95392
Instruction Fuzzy Hash: 7C31ABB1A00245FFCB31DFA9DC8096ABBB8BF5571075442BBE050A73A1D3399A06DB58

Function 004054A9 Relevance: 6.1, APIs: 4, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?,00000007), ref: 004054B6
IsDebuggerPresent.KERNEL32(?,?,?,00000017,?,00000007), ref: 0040557E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,?,00000007), ref: 0040559D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,?,00000007), ref: 004055A7

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 404194f505ab6bcc554436712299a4a2aff77fb66b116873bf98776274aa3698
Instruction ID: 2c3cb7413c07a9c782ae6c42a12524f6d5191052f304192687f7892d7edc3cd0
Opcode Fuzzy Hash: 404194f505ab6bcc554436712299a4a2aff77fb66b116873bf98776274aa3698
Instruction Fuzzy Hash: A53107B5D0522CDBDB20DFA5D9896CEBBB8FF48305F1041AAE40DAB250E7345A84CF84

Function 004058A0 Relevance: 6.1, APIs: 4, Instructions: 53timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 004058CF
GetCurrentThreadId.KERNEL32 ref: 004058DE
GetCurrentProcessId.KERNEL32 ref: 004058E7
QueryPerformanceCounter.KERNEL32(?), ref: 004058F4

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1b3a825cc706b74735f712516263f2fb5b8ac3cc0a29f07f8ba54018fa2c8f50
Instruction ID: fbfe4691f84679fef18e7ff33e83e5debe7ff519a6be1f3678a07b2cc86d359d
Opcode Fuzzy Hash: 1b3a825cc706b74735f712516263f2fb5b8ac3cc0a29f07f8ba54018fa2c8f50
Instruction Fuzzy Hash: 8D11E075D05A08DBCB14CBB4E9481EEBBB0EB4C310B91857BD803E7280DB348A01CF49

Function 00409371 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00409469
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00409473
UnhandledExceptionFilter.KERNEL32(?), ref: 00409480

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6d05ee05fdbd1b9a0dd489d33e8ae2999e111935a8bff4fc6c0049eb1948d3fa
Instruction ID: 56c3b2a019c41920525924eedc28813e36dcba2a4ad85c36c50cd910d3ea6526
Opcode Fuzzy Hash: 6d05ee05fdbd1b9a0dd489d33e8ae2999e111935a8bff4fc6c0049eb1948d3fa
Instruction Fuzzy Hash: C631C274901218ABCB21DF65D9897DDBBB8BF48310F5046EAE80CA7291E7349F818F48

Function 0040A60E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0040A5E4,00000003,00420690,0000000C,0040A6F7,00000003,00000002,00000000,?,0040A0B7,00000003), ref: 0040A62F
TerminateProcess.KERNEL32(00000000,?,0040A5E4,00000003,00420690,0000000C,0040A6F7,00000003,00000002,00000000,?,0040A0B7,00000003), ref: 0040A636
ExitProcess.KERNEL32 ref: 0040A648

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 721ab978f54cbce462c27a4fe3a09cb37437b04cd829fb710bf6f337512a355f
Instruction ID: 693879e349d8a07138d15f2ebcff5f69683aa6f8293a49bea3ff601a8daea9ae
Opcode Fuzzy Hash: 721ab978f54cbce462c27a4fe3a09cb37437b04cd829fb710bf6f337512a355f
Instruction Fuzzy Hash: 6AE04F32000604EFCF016F60CC08AC93F39EF44741B048435F94966262CB3ADD53CA9D

Function 0040D7AF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,0040D7AA,?,?,?,?,?,?,00000000), ref: 0040D9DC

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6ee6114958ef5b940a365093dfef52e91a631aab357f1a753731accc93427e7c
Instruction ID: 7779b2fec0980917fd9de0f92ead704795e76caf878fd6bc5e49e2f076afb18b
Opcode Fuzzy Hash: 6ee6114958ef5b940a365093dfef52e91a631aab357f1a753731accc93427e7c
Instruction Fuzzy Hash: 86B16B72A10608DFD718CF68C486B657BE0FF45324F258669E899DF2E1C339E986CB44

Function 0040563B Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00005647,004051A1), ref: 00405640

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c941ad497f0eaebb4d9a4deb7122c6e295a3ee5fce6079653569e34823ac70f0
Instruction ID: b30fad5db58dceec2b94860587723317c94b67e66f094e628d3c2fe363f57e98
Opcode Fuzzy Hash: c941ad497f0eaebb4d9a4deb7122c6e295a3ee5fce6079653569e34823ac70f0
Instruction Fuzzy Hash:

Function 0040D430 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040D430

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 61ec7acb2f29f43c711cdb9fa6988f24fe5123dd91ef8e0ede4c2ec2a456dc9a
Instruction ID: ec319743ba999b14c5b36b7db05a41e1a9341160322eae14b836442ef7f3742e
Opcode Fuzzy Hash: 61ec7acb2f29f43c711cdb9fa6988f24fe5123dd91ef8e0ede4c2ec2a456dc9a
Instruction Fuzzy Hash: DBA01230701200DB43118F319A0434C76E8655518170180345000C0220DA2440004A08

Function 0040DEC9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a49be35e42ad91bd8ae451549b3abc82ae36c2bad44d9dc37428738df5aac6a
Instruction ID: e1cf9e6faf36b8add5926323722615d690e454bc73e106785dde56bdd673a75a
Opcode Fuzzy Hash: 3a49be35e42ad91bd8ae451549b3abc82ae36c2bad44d9dc37428738df5aac6a
Instruction Fuzzy Hash: 07324421D29F014DD7239635D822336A68CAFB73D4F15CB37F81AB5AA6EB39C4930109

Function 00405FB0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 48e740e85c0ba13e9a39178d6675e0207deff7deda563336be704961b392fadd
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BB112EB728004243E614CA2DC5B45B7A796EFC6324B2E437BD0439B7D4D63FD565AE08

Function 004023B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd100cc5fbd715ecb011839e5036f548278fb3c62fe5b5825335654aac5a513
Instruction ID: 6e0bbde72fb14e28d293faa79a21a47684c70f3d5d039a1569678be7d820ba02
Opcode Fuzzy Hash: 6fd100cc5fbd715ecb011839e5036f548278fb3c62fe5b5825335654aac5a513
Instruction Fuzzy Hash: 1CF0A035704604AFCB14CF24D994F2AB7E8FB09B10F1082BEE81ACB7D0DB79A801CA44

Function 00411396 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 004113DA

Part of subcall function 00411092: _free.LIBCMT ref: 004110AF
Part of subcall function 00411092: _free.LIBCMT ref: 004110C1
Part of subcall function 00411092: _free.LIBCMT ref: 004110D3
Part of subcall function 00411092: _free.LIBCMT ref: 004110E5
Part of subcall function 00411092: _free.LIBCMT ref: 004110F7
Part of subcall function 00411092: _free.LIBCMT ref: 00411109
Part of subcall function 00411092: _free.LIBCMT ref: 0041111B
Part of subcall function 00411092: _free.LIBCMT ref: 0041112D
Part of subcall function 00411092: _free.LIBCMT ref: 0041113F
Part of subcall function 00411092: _free.LIBCMT ref: 00411151
Part of subcall function 00411092: _free.LIBCMT ref: 00411163
Part of subcall function 00411092: _free.LIBCMT ref: 00411175
Part of subcall function 00411092: _free.LIBCMT ref: 00411187

_free.LIBCMT ref: 004113CF

Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC

_free.LIBCMT ref: 004113F1
_free.LIBCMT ref: 00411406
_free.LIBCMT ref: 00411411
_free.LIBCMT ref: 00411433
_free.LIBCMT ref: 00411446
_free.LIBCMT ref: 00411454
_free.LIBCMT ref: 0041145F
_free.LIBCMT ref: 00411497
_free.LIBCMT ref: 0041149E
_free.LIBCMT ref: 004114BB
_free.LIBCMT ref: 004114D3

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6948097937a93bc79f347b0239b9d3e03f7c2ed127d1936b30172035711646f9
Instruction ID: c3e3b1c69a3f208cfc80e5f5fa68dd56a74046792277ba31cc9222323f4b6648
Opcode Fuzzy Hash: 6948097937a93bc79f347b0239b9d3e03f7c2ed127d1936b30172035711646f9
Instruction Fuzzy Hash: C4316D326043099EEB309F7AD845B9B73E8AF00714F15442FE259E76A1DB3DAC90D729

Function 0040BBE8 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 0040BBFC

Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC

_free.LIBCMT ref: 0040BC08
_free.LIBCMT ref: 0040BC13
_free.LIBCMT ref: 0040BC1E
_free.LIBCMT ref: 0040BC29
_free.LIBCMT ref: 0040BC34
_free.LIBCMT ref: 0040BC3F
_free.LIBCMT ref: 0040BC4A
_free.LIBCMT ref: 0040BC55
_free.LIBCMT ref: 0040BC63

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a67545f4090f87f4ce43d628bc50666b59a916dea7e958812169f1c9f9eab329
Instruction ID: 48553cfbb76d33e2d3673e81f8a837f49d6e368abddba18f1e8eacc9daa22871
Opcode Fuzzy Hash: a67545f4090f87f4ce43d628bc50666b59a916dea7e958812169f1c9f9eab329
Instruction Fuzzy Hash: 6B11A77611424CEFCF01EF96C842CD97B65EF04354B1140AABA085B262DB3BDE60EB89

Function 00410BFF Relevance: 13.7, APIs: 9, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___from_strstr_to_strchr.LIBCMT ref: 00410C26
_free.LIBCMT ref: 00410C91
_free.LIBCMT ref: 00410CB7
_free.LIBCMT ref: 00410CE0
_free.LIBCMT ref: 00410D18
_free.LIBCMT ref: 00410D49
_free.LIBCMT ref: 00410D8A
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00410E0B
_free.LIBCMT ref: 00410E24

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0c7fa12dbec1ef7520115cce65805f1284c8e539b35b5cadf8115085c372d76b
Instruction ID: bd5c10ff3c59d4f406f930c3cde5030183181efdbd96f99f595e2c86a631d60a
Opcode Fuzzy Hash: 0c7fa12dbec1ef7520115cce65805f1284c8e539b35b5cadf8115085c372d76b
Instruction Fuzzy Hash: 7E612871A04301AFDB38AF7598417AA77A4AF01314F1442BFF944A7381E6BD99C18B9D

Function 004038E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 216
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32(?,264E9466), ref: 00403932
GetFileAttributesW.KERNEL32(00000000), ref: 00403A12
LoadLibraryW.KERNEL32 ref: 00403A32
GetProcAddress.KERNEL32(00000000,ShowEngineChoice), ref: 00403A98
FreeLibrary.KERNEL32(00000000), ref: 00403B66

Strings

Builds\, xrefs: 00403956
ShowEngineChoice, xrefs: 00403A8E

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: AttributesFileLibrary$AddressFreeLoadProc
String ID: Builds\$ShowEngineChoice
API String ID: 1170010538-1704591504
Opcode ID: 05081c2cd0ad7e37283d0b5abf5e49dd46763fc5f060554cd6a7b137e7f9392f
Instruction ID: de1ddf5754e0430927df7d71477b2fb86df1c92578392477b91780301d0b4d69
Opcode Fuzzy Hash: 05081c2cd0ad7e37283d0b5abf5e49dd46763fc5f060554cd6a7b137e7f9392f
Instruction Fuzzy Hash: C28191709042149BCB20DF25CD45BDABBB8AF45319F1006BEE419B72E1DB78AF44CB99

Function 004030E0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 281
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Image-Line\Shared\Paths,00000000,00020019,?,0041F3E0,00000000,264E9466), ref: 004031DA
RegQueryValueExW.ADVAPI32(?,FL Studio engine,00000000,?,?,?), ref: 00403210
RegCloseKey.ADVAPI32(?), ref: 00403220
SetCurrentDirectoryW.KERNEL32(?,00000000,-00000002), ref: 004032C9

Strings

FL Studio engine, xrefs: 00403205
Software\Image-Line\Shared\Paths, xrefs: 004031CE

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: CloseCurrentDirectoryOpenQueryValue
String ID: FL Studio engine$Software\Image-Line\Shared\Paths
API String ID: 560107024-3045882576
Opcode ID: 1ae0359c2a9daeafde217d5f520328ae5fb480cd08f2ba52420d0b095b6717eb
Instruction ID: d9aca2f66e9e14c5e08ca7a59a44d8ca8ae13f807f69bbcddbd0e91051e932eb
Opcode Fuzzy Hash: 1ae0359c2a9daeafde217d5f520328ae5fb480cd08f2ba52420d0b095b6717eb
Instruction Fuzzy Hash: 1DB1B3709002149BDB25EF25DC8879EBAB4EF05309F1006BEE41AE72D1DB789F84CB59

Function 004034E0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 281
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.ADVAPI32(80000001,Software\Image-Line\Shared\Paths,00000000,00020019,?,0041F3E0,00000000,264E9466), ref: 004035DA
RegQueryValueExW.ADVAPI32(?,Shared DLLs,00000000,?,?,?), ref: 00403610
RegCloseKey.ADVAPI32(?), ref: 00403620
SetCurrentDirectoryW.KERNEL32(?,00000000,-00000002), ref: 004036C9

Strings

Shared DLLs, xrefs: 00403605
Software\Image-Line\Shared\Paths, xrefs: 004035CE

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: CloseCurrentDirectoryOpenQueryValue
String ID: Shared DLLs$Software\Image-Line\Shared\Paths
API String ID: 560107024-15047795
Opcode ID: fb2951c57167801161c0f0967db5a3139c012f4da95c761b7b7e4a9da19dd4cf
Instruction ID: 6e996c8f710392308a9c9457fb9a5c140fb766d7203bd62eeb12cb5959cd522a
Opcode Fuzzy Hash: fb2951c57167801161c0f0967db5a3139c012f4da95c761b7b7e4a9da19dd4cf
Instruction Fuzzy Hash: DCB1B3B19002149ADB24AF25CC8879DBBB5EF05309F1046BEE41AE32D1D779AF84CF59

Function 00413DD6 Relevance: 10.8, APIs: 7, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(?,?), ref: 00413E82
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00413F05
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00413F98
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00413FAF

Part of subcall function 00409B44: HeapAlloc.KERNEL32(00000000,?,?,?,004071B5,?,?,?,?,?,0040232D,00404584,?,?,00404584), ref: 00409B76

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041402B
__freea.LIBCMT ref: 00414056
__freea.LIBCMT ref: 00414062

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocHeapInfo
String ID:
API String ID: 2171645-0
Opcode ID: 8ca8590afd9faeddc56944c5881a59f4c9234a53216bebeb6f83dead52eff06f
Instruction ID: 5165c60ab54c1a2ed8f89255d6defbb5e83309102b0ac90782e38da0fcb7c16f
Opcode Fuzzy Hash: 8ca8590afd9faeddc56944c5881a59f4c9234a53216bebeb6f83dead52eff06f
Instruction Fuzzy Hash: 4991D372E003169ADF209F65C841AEFBBB5AF49710F14416BE915E7280D739DDC1CBA8

Function 0041305D Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,004137D2,?,00000000,?,00000000,00000000), ref: 0041309F
__fassign.LIBCMT ref: 0041311A
__fassign.LIBCMT ref: 00413135
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0041315B
WriteFile.KERNEL32(?,?,00000000,004137D2,00000000,?,?,?,?,?,?,?,?,?,004137D2,?), ref: 0041317A
WriteFile.KERNEL32(?,?,00000001,004137D2,00000000,?,?,?,?,?,?,?,?,?,004137D2,?), ref: 004131B3

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a85cf005042ee24a6171e8d11dee10c11e382f092748e9716315bae38fe722a0
Instruction ID: 65771749660f6c082f4e6d3f597a9b1f5a1b1864e1e77bfea480567eba9dd0f9
Opcode Fuzzy Hash: a85cf005042ee24a6171e8d11dee10c11e382f092748e9716315bae38fe722a0
Instruction Fuzzy Hash: 6851B770A00249AFCB10CFA8D885AEEBBF8FF49301F14412BE955E7251D7349A85CB69

Function 00402F40 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 138
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,264E9466,?,00000000,?), ref: 00402FA5
GetFileAttributesW.KERNEL32(?,?,264E9466,?,00000000,?), ref: 0040304F
LoadLibraryW.KERNEL32(?,?,264E9466,?,00000000,?), ref: 0040307D

Strings

_Copy, xrefs: 00403026
invalid string position, xrefs: 00403006
., xrefs: 00402FD8

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: AttributesFileHandleLibraryLoadModule
String ID: .$_Copy$invalid string position
API String ID: 1874533835-1464509366
Opcode ID: 23fd22305333a2dffd62d6d05f13bcd70c23ccd8230bfd74617236fc908f2af0
Instruction ID: da98474bcf906f3713c5a1b78ce9558ec3c932553f14ae375e9e04e96a442bc2
Opcode Fuzzy Hash: 23fd22305333a2dffd62d6d05f13bcd70c23ccd8230bfd74617236fc908f2af0
Instruction Fuzzy Hash: 79513C71A04208DACF10DFA5C945BDEBBB8EF49725F50062AE411F32D0DB789A45CBA9

Function 00411235 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004111F9: _free.LIBCMT ref: 00411222

_free.LIBCMT ref: 00411283

Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC

_free.LIBCMT ref: 0041128E
_free.LIBCMT ref: 00411299
_free.LIBCMT ref: 004112ED
_free.LIBCMT ref: 004112F8
_free.LIBCMT ref: 00411303
_free.LIBCMT ref: 0041130E

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 06ec6540e438d8a09da536fd41d3305855b7a1539a34de379467d2ff3c042619
Instruction ID: a198fd2adebaaea5243515d9bd3843b1f186d145754a35d40907218dcc2e8f84
Opcode Fuzzy Hash: 06ec6540e438d8a09da536fd41d3305855b7a1539a34de379467d2ff3c042619
Instruction Fuzzy Hash: EA115172540B0CBAD530BBB2CC07FCBB79D5F08708F40082EB399660A2EA7DB5995755

Function 00408398 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040838F,00406BC4,00420530,00000010,0040638C,?,?,?,?,?,00000000,?), ref: 004083A6
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004083B4
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004083CD
SetLastError.KERNEL32(00000000,0040838F,00406BC4,00420530,00000010,0040638C,?,?,?,?,?,00000000,?), ref: 0040841F

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: fc9d39874cf7a0374f305b0c494e64ddacde0b3903fe0cc47774a9f2a3145668
Instruction ID: c7df93d7cb5514c336b5a9696235fa9f61e0383ab9539d8bf0fc0785b5252b12
Opcode Fuzzy Hash: fc9d39874cf7a0374f305b0c494e64ddacde0b3903fe0cc47774a9f2a3145668
Instruction Fuzzy Hash: 8D0128322193267ED6342B75BE85B572A85EB457B8360023FF650B51E1FFB94C02D14C

Function 0040B1B5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0040B1D3

Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC

_free.LIBCMT ref: 0040B1E5
_free.LIBCMT ref: 0040B1F8
_free.LIBCMT ref: 0040B209
_free.LIBCMT ref: 0040B21A

Strings

`&B, xrefs: 0040B1B5, 0040B1C4, 0040B1D9

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: `&B
API String ID: 776569668-3969561002
Opcode ID: 0ed04a65c61fe898eda77a51e80066cf5da9dab8517b67f1d56b517782923a2e
Instruction ID: 4e99f16235664ee9690e38a68369d1690a2d3ec36046c759a6a1aae0f7f62b60
Opcode Fuzzy Hash: 0ed04a65c61fe898eda77a51e80066cf5da9dab8517b67f1d56b517782923a2e
Instruction Fuzzy Hash: B2F0BDB1A00365ABCA35BF25AC414057BB0F704765385823BF915662A1CB7D4B539FCE

Function 0040CFE5 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,0040D236,?,?,00000003), ref: 0040D03F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,?,?,?,0040D236,?,?,00000003), ref: 0040D0C5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000003,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0040D1BF
__freea.LIBCMT ref: 0040D1CC

Part of subcall function 00409B44: HeapAlloc.KERNEL32(00000000,?,?,?,004071B5,?,?,?,?,?,0040232D,00404584,?,?,00404584), ref: 00409B76

__freea.LIBCMT ref: 0040D1D5
__freea.LIBCMT ref: 0040D1FA

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: fe2f76ddb0a38e4701cb7393f5050f0a23a0184b85804567e5e93c2d4de6b396
Instruction ID: c34399926ba55bb14d524fc379ded5b759b3dbadcd7def488aa6283d5fea1d61
Opcode Fuzzy Hash: fe2f76ddb0a38e4701cb7393f5050f0a23a0184b85804567e5e93c2d4de6b396
Instruction Fuzzy Hash: 38510672A10206ABDB259FA4CC41EAB77A9EF44754F14423AFD05EB2C0DF38DC45C668

Function 0040BCDC Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040B52C,00420718,0000000C,00405687), ref: 0040BCE0
_free.LIBCMT ref: 0040BD13
_free.LIBCMT ref: 0040BD3B
SetLastError.KERNEL32(00000000), ref: 0040BD48
SetLastError.KERNEL32(00000000), ref: 0040BD54
_abort.LIBCMT ref: 0040BD5A

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: aaf42687d7ffc606aaba6098ffb8d9e52b7e460a829c4a14b4e6d953c0badaef
Instruction ID: d242a3280e4ea0b848bb2f7007f2209fb6fbd24f2431a98af98647f32c8e44aa
Opcode Fuzzy Hash: aaf42687d7ffc606aaba6098ffb8d9e52b7e460a829c4a14b4e6d953c0badaef
Instruction Fuzzy Hash: 9FF0F43224460577C2223726AC06FAB6626DFC1775F25053FFA04B22E1EF3D890251EE

Function 00402BE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00423970,00000000,000000FF,264E9466,?,?,?,00402B96), ref: 00402C84
LoadLibraryW.KERNEL32(?,?,?,?,00402B96), ref: 00402CA1
GetProcAddress.KERNEL32(00000000,RunReWirePanel), ref: 00402CB3
FreeLibrary.KERNEL32(00000000,?,?,?,00402B96), ref: 00402CC5

Strings

RunReWirePanel, xrefs: 00402CAD

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Library$AddressAttributesFileFreeLoadProc
String ID: RunReWirePanel
API String ID: 4029741490-963473013
Opcode ID: 220b0ec9b74f5377be93692210716a78e0baf94325efc65548a8830abfc54b7b
Instruction ID: 6488b852996bd16dc08019f971c11e20d719507276cb5ee2635e9c964b462d1f
Opcode Fuzzy Hash: 220b0ec9b74f5377be93692210716a78e0baf94325efc65548a8830abfc54b7b
Instruction Fuzzy Hash: 03316031A04209DBDF14DFA4C959BEEB7B4AF09324F64153AE411B32D0D7B85985CAA8

Function 00408E24 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00408E39

Strings

.bat, xrefs: 00408E68
.com, xrefs: 00408E79
.cmd, xrefs: 00408E57
.exe, xrefs: 00408E46

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 3fc1bc48a4a7751d509f8da21a16398b1fd01de2a505bc3f2c14766ca8eb7738
Instruction ID: b6fd6605b743f34348d915e601607b4c9e83dd63d50c4e11f340ce731c974d97
Opcode Fuzzy Hash: 3fc1bc48a4a7751d509f8da21a16398b1fd01de2a505bc3f2c14766ca8eb7738
Instruction Fuzzy Hash: 76F06236249B1E75E9242519EE02ADB13894F427F9B28413FFC4CB55C2DE7D998180ED

Function 00406347 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040635E

Part of subcall function 00406996: ___AdjustPointer.LIBCMT ref: 004069E0

_UnwindNestedFrames.LIBCMT ref: 00406375
___FrameUnwindToState.LIBVCRUNTIME ref: 00406387
CallCatchBlock.LIBVCRUNTIME ref: 004063AB

Strings

sg@, xrefs: 0040635B, 0040636A

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: sg@
API String ID: 2633735394-4120294379
Opcode ID: 8e90f5c8eb9f3a8744cf03bb1354c1ea2422f4ef47fc7488f4a074b59a9dacde
Instruction ID: 7ef967dbf4a95b7153da8dbbdd964b51fe2c92b744254f5ec8080ae61ea075d1
Opcode Fuzzy Hash: 8e90f5c8eb9f3a8744cf03bb1354c1ea2422f4ef47fc7488f4a074b59a9dacde
Instruction Fuzzy Hash: C3010532400108BBCF126F65CC01EDA3BBAAF49754F06802AFD1976261D73AE9719BA5

Function 0040A64F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0040A644,00000003,?,0040A5E4,00000003,00420690,0000000C,0040A6F7,00000003,00000002), ref: 0040A66F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040A682
FreeLibrary.KERNEL32(00000000,?,?,?,0040A644,00000003,?,0040A5E4,00000003,00420690,0000000C,0040A6F7,00000003,00000002,00000000), ref: 0040A6A5

Strings

CorExitProcess, xrefs: 0040A67A
mscoree.dll, xrefs: 0040A668

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9795655132b294b6ed77200db63e4e31ac7cf582c90e3c5b5fe0bfbf990e9267
Instruction ID: be8922ad79e942b18d1a88a6f750b82ec20cc5b5b9de9d2dae1f796284c9d412
Opcode Fuzzy Hash: 9795655132b294b6ed77200db63e4e31ac7cf582c90e3c5b5fe0bfbf990e9267
Instruction Fuzzy Hash: 7BF04431A00608FBCB119F90EC19BDE7FB9EF48715F544075F805B2290DB755E50CA99

Function 0040AF63 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0040AFD5
_free.LIBCMT ref: 0040AFF5

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3560e30de7e155783c1a9f2f3b3d6e0cfae7312524d423a2823b58ec1579e24c
Instruction ID: 967c99f3be41bd8149f2bb0d9d15683302f605346b9f8901ce092a178fa2f6ff
Opcode Fuzzy Hash: 3560e30de7e155783c1a9f2f3b3d6e0cfae7312524d423a2823b58ec1579e24c
Instruction Fuzzy Hash: 5F41E272A003049FCB20DF79C881A5AB3A1EF85314F1546BEEA15EB381D735AD02CB89

Function 00410B7C Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00410B85
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00410BA8

Part of subcall function 00409B44: HeapAlloc.KERNEL32(00000000,?,?,?,004071B5,?,?,?,?,?,0040232D,00404584,?,?,00404584), ref: 00409B76

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00410BCE
_free.LIBCMT ref: 00410BE1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00410BF0

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
String ID:
API String ID: 2278895681-0
Opcode ID: 72f072a49e6a99132a7dd3bc67e4ce666eec8761613f25c499fa7f45bf9d121a
Instruction ID: 7072b3659d0b35b431f8eaa513f3417bb5585d39fb516e420d80c14a405d6ff5
Opcode Fuzzy Hash: 72f072a49e6a99132a7dd3bc67e4ce666eec8761613f25c499fa7f45bf9d121a
Instruction Fuzzy Hash: 5301DD726096157F53211AF65C88CFFB96DDAC6B68314012BFD04D6200DAA8DC8291B9

Function 0040BD60 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00409A8B,004092D8,?,?,004011CD,?,00000104), ref: 0040BD65
_free.LIBCMT ref: 0040BD9A
_free.LIBCMT ref: 0040BDC1
SetLastError.KERNEL32(00000000,?,00000104), ref: 0040BDCE
SetLastError.KERNEL32(00000000,?,00000104), ref: 0040BDD7

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4d9a13b72cfb8bdc8503e8d19b78d9f9c5aa16ee63b4d681031bd9953bcf6a87
Instruction ID: 5f25117c7d9b84b57ede9dfdc4567d6e7c743e31f630e51f5ba88c824c8e2162
Opcode Fuzzy Hash: 4d9a13b72cfb8bdc8503e8d19b78d9f9c5aa16ee63b4d681031bd9953bcf6a87
Instruction Fuzzy Hash: AC01F432240600A7C2226B766C85E6BB62AEFC2375765013BFA45B22D1EF7DCC0251ED

Function 00411190 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004111A8

Part of subcall function 0040A0D4: HeapFree.KERNEL32(00000000,00000000,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?), ref: 0040A0EA
Part of subcall function 0040A0D4: GetLastError.KERNEL32(?,?,00411227,?,00000000,?,00000000,?,0041124E,?,00000007,?,?,0041152E,?,?), ref: 0040A0FC

_free.LIBCMT ref: 004111BA
_free.LIBCMT ref: 004111CC
_free.LIBCMT ref: 004111DE
_free.LIBCMT ref: 004111F0

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e276703debc424d4533bb6ceaeff71e8c48d78241a5b77186f15e6f34d36433b
Instruction ID: 7699969ecc13d64f9ba09c80e80d2a7e0edb06926d064be52e5d13629556f3ac
Opcode Fuzzy Hash: e276703debc424d4533bb6ceaeff71e8c48d78241a5b77186f15e6f34d36433b
Instruction Fuzzy Hash: 88F04F33609214BBC630DF69E981C57B3E9AA04710799081BF708E7A50CA3DFCD0CA6C

Function 00403C10 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 275libraryloaderCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 00403D86
GetFileAttributesW.KERNEL32(?), ref: 00403DD3
GetProcAddress.KERNEL32(?,CreateFruityInstance), ref: 00403EE2

Strings

CreateFruityInstance, xrefs: 00403EDB

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: AttributesFile$AddressProc
String ID: CreateFruityInstance
API String ID: 2889150381-2634520518
Opcode ID: ac4b3991accd802ed1f897dbbea405be1db5e01a4f39e51f889860a9f754d976
Instruction ID: 4cb94eefa489964be5470bc5a27681c6cc97bd475849e9c1abb26d40f1a8a8b6
Opcode Fuzzy Hash: ac4b3991accd802ed1f897dbbea405be1db5e01a4f39e51f889860a9f754d976
Instruction Fuzzy Hash: C7A14C71D041089ADF14DFA5D985BDEBBB4EF05318F20822AE425B72E1DB786E05CB68

Function 004106F9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0040BCDC: GetLastError.KERNEL32(?,?,0040B52C,00420718,0000000C,00405687), ref: 0040BCE0
Part of subcall function 0040BCDC: _free.LIBCMT ref: 0040BD13
Part of subcall function 0040BCDC: SetLastError.KERNEL32(00000000), ref: 0040BD54
Part of subcall function 0040BCDC: _abort.LIBCMT ref: 0040BD5A

Part of subcall function 00410818: _abort.LIBCMT ref: 0041084A
Part of subcall function 00410818: _free.LIBCMT ref: 0041087E

Part of subcall function 0041048D: GetOEMCP.KERNEL32(?,?,00410716,?), ref: 004104B8

_free.LIBCMT ref: 00410771
_free.LIBCMT ref: 004107A7

Strings

`&B, xrefs: 004107EB
`&B, xrefs: 004107F0

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID: `&B$`&B
API String ID: 2991157371-3650563656
Opcode ID: fac1b13765be351bc9d0e2134d85f0770d243abb3d8c7740635effb4b965b36d
Instruction ID: d447fda578f830014105bb406eef1840afa64cc3a1d2e87cdf6ab03ded19286b
Opcode Fuzzy Hash: fac1b13765be351bc9d0e2134d85f0770d243abb3d8c7740635effb4b965b36d
Instruction Fuzzy Hash: E531C431904208AFDB11EBA5D441BAA77E4EF40324F2540AFE5145B2D1DBBA6DC1CF98

Function 00402820 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402918
std::_Xinvalid_argument.LIBCPMT ref: 00402922

Strings

invalid string position, xrefs: 00402909
string too long, xrefs: 00402913, 0040291D

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: c64b15007395dea2f36aca86ee3c211cfd551fdf6133d12655906c35363bfebf
Instruction ID: 984dc0c0b2cd398f35e6645f1bc5f04e18c9dbf1703626bb7c3d1d18387ae337
Opcode Fuzzy Hash: c64b15007395dea2f36aca86ee3c211cfd551fdf6133d12655906c35363bfebf
Instruction Fuzzy Hash: C6D05B7434030CB78A046997DCC2C85725C5E4D750720043BBF14E71C685B89E84416E

Function 00408A0D Relevance: 6.2, APIs: 4, Instructions: 174pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00408A32

Part of subcall function 00408DB7: __dosmaperr.LIBCMT ref: 00408DFA

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040893B), ref: 00408B5D
__dosmaperr.LIBCMT ref: 00408B64
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00408BA1

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: __dosmaperr$ErrorFileLastNamedPeekPipeType
String ID:
API String ID: 3955570002-0
Opcode ID: 4e17df2c825c0cc79ffa86c79776fe878e0bb5644ae6caaa7de0a9e25d9e925e
Instruction ID: a909cdaeb501b666b60ba36f2f7d5ecf36db804fe9db59e3ae2361878b55f0a5
Opcode Fuzzy Hash: 4e17df2c825c0cc79ffa86c79776fe878e0bb5644ae6caaa7de0a9e25d9e925e
Instruction Fuzzy Hash: 7751A5B29006089FDB14DFB5CD41AAFB7F9EF48314B14493EF595E32A0DB38A8418B54

Function 00401EE0 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00401F64

Part of subcall function 0040546F: __CxxThrowException@8.LIBVCRUNTIME ref: 00405486

Concurrency::cancel_current_task.LIBCPMT ref: 00401F79
new.LIBCMT ref: 00401F7F
new.LIBCMT ref: 00401F93

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: b30e87919e1801eb3aa18b99a79989427a97fc347df8e849dbd210b43705568c
Instruction ID: bbac019b23ec9bba76f5c1b94f47a20e7e4d8badd3f71ac4ad78f24a1a322c6f
Opcode Fuzzy Hash: b30e87919e1801eb3aa18b99a79989427a97fc347df8e849dbd210b43705568c
Instruction Fuzzy Hash: 5741D271A006029BC724DF29D981A2AB7E9EB45354B10063FE456E73E0E778E905C76A

Function 0040F151 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000,?,?,?,004095C4,00000001,?,?,00000001,?,004096F7), ref: 0040F19E
MultiByteToWideChar.KERNEL32(?,00000001,?,00000001,00000000,00000001,?,?,?,004095C4,00000001,?,?,00000001,?,004096F7), ref: 0040F227
GetStringTypeW.KERNEL32(?,00000000,00000000,004095C4,?,?,?,004095C4,00000001,?,?,00000001,?,004096F7,?,00000001), ref: 0040F239
__freea.LIBCMT ref: 0040F242

Part of subcall function 00409B44: HeapAlloc.KERNEL32(00000000,?,?,?,004071B5,?,?,?,?,?,0040232D,00404584,?,?,00404584), ref: 00409B76

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: 77f54d69b030fc0044ea9aa385975c4f8fe243b4312b8d35308b85528f3bfee1
Instruction ID: 512b04379e6a838b32722feee948c7acc3d8876ca6f5dddda010fddc36e9784c
Opcode Fuzzy Hash: 77f54d69b030fc0044ea9aa385975c4f8fe243b4312b8d35308b85528f3bfee1
Instruction Fuzzy Hash: C431CE32A0020AABDB259FA5CC45EEF7BA5EB40314B04417EEC04E6291E739DC94CB94

Function 00408BC9 Relevance: 6.1, APIs: 4, Instructions: 65timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(00000000,?,?,?,00000000,00000000,000000FF,?,?,00000000), ref: 00408BF7
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00408C0B
GetLastError.KERNEL32 ref: 00408C53
__dosmaperr.LIBCMT ref: 00408C5A

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Time$System$ErrorFileLastLocalSpecific__dosmaperr
String ID:
API String ID: 593088924-0
Opcode ID: 66ba25885fa02358f6a7470c051f6b3c8e8451d13ea520a3d931c7a08a5a69d3
Instruction ID: 8bb1349c06974e399ddb389eb7fbc4732d969f13515852d7df73d17925f9181a
Opcode Fuzzy Hash: 66ba25885fa02358f6a7470c051f6b3c8e8451d13ea520a3d931c7a08a5a69d3
Instruction Fuzzy Hash: 2B21DE7290510CAFDB10DFA1C985ADF77BCAB48310F50427AE516E61D0EF38EA458B65

Function 0040ABCB Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee55be628356674c7006fafc0f87ded411dfc50adabf559d6154b96a4732128
Instruction ID: 5e43adfb19449af6642c75d7455ad3a127005c9fc59d7de8b8feeff0835e8e3f
Opcode Fuzzy Hash: 7ee55be628356674c7006fafc0f87ded411dfc50adabf559d6154b96a4732128
Instruction Fuzzy Hash: 5B01BCB220931A7EF6301A786CC1E6B725DDB503B8B21033BB621612C4DA7C8C21916A

Function 0040C4D7 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0040C47E,?,00000000,00000000,00000000,?,0040C6EF,00000006,FlsSetValue), ref: 0040C509
GetLastError.KERNEL32(?,0040C47E,?,00000000,00000000,00000000,?,0040C6EF,00000006,FlsSetValue,00419F20,00419F28,00000000,00000364,?,0040BDAE), ref: 0040C515
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0040C47E,?,00000000,00000000,00000000,?,0040C6EF,00000006,FlsSetValue,00419F20,00419F28,00000000), ref: 0040C523

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 65987c33a4870a61ec0d88cfa2783c5b4bcde42e3c776262c33830971a0c1e51
Instruction ID: 6380d94804746b704030005758720c13e73b28941d8c184123fdba221520e63c
Opcode Fuzzy Hash: 65987c33a4870a61ec0d88cfa2783c5b4bcde42e3c776262c33830971a0c1e51
Instruction Fuzzy Hash: F801FC36611632FBC7214BADAC84AA73BA8AF497A17114731F905F72C0D734F901C6E8

Function 00402230 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 0040225A

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2c024898f4b245a35f12b7cce9795117e1af5b522237a5aa5cd6410490a6cb
Instruction ID: 599de7a54721eb8155e436ef4736af534507c2350c8ac348b7faf381059bf985
Opcode Fuzzy Hash: ac2c024898f4b245a35f12b7cce9795117e1af5b522237a5aa5cd6410490a6cb
Instruction Fuzzy Hash: 7DF027F36042041BD708E3B4A917E6F32888B74318704023FF61AE26C1F539D864855E

Function 00408128 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00408128
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0040812D
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00408132

Part of subcall function 004084E9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004084FA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00408147

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 4620ded051c162a4ab368f0813539878333b42ab7183a8981c68f5926920f08c
Instruction ID: 0feefd6e7a9dcf97134fbbcdd833eb7569e1ded764c4512838079dcd10bc9bae
Opcode Fuzzy Hash: 4620ded051c162a4ab368f0813539878333b42ab7183a8981c68f5926920f08c
Instruction Fuzzy Hash: 31C0027401461360DC503A721B421AA17402D623DDBD020BFE8C53A5C37D3D040B512F

Function 00409D2D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00409DBD

Strings

pow, xrefs: 00409D95, 00409DB2

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 89aae3a5647528a4d97b6ae6a42fabe9c956c69cb8fa3c9ac7f938d036d1b9a1
Instruction ID: 3eabbc112abf6287ad78030cf2cf251621e1beafa91c7b8843af6e1d8866db47
Opcode Fuzzy Hash: 89aae3a5647528a4d97b6ae6a42fabe9c956c69cb8fa3c9ac7f938d036d1b9a1
Instruction Fuzzy Hash: FD516D61A0910696DB117716C9413BB37A49F50701F208D7BF0D5623EAEB3D8CF5968F

Function 00402DF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00402F25
std::_Xinvalid_argument.LIBCPMT ref: 00402F2F

Strings

string too long, xrefs: 00402F20, 00402F2A

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: string too long
API String ID: 909987262-2556327735
Opcode ID: a904f873c3e27bc27a61258efc716a507fefc5f3dd25c960804420f830d219cd
Instruction ID: 85cd45213759bfd326ecc2e2a8360a1ab255e1e451396078c8cea420fa8a3e1a
Opcode Fuzzy Hash: a904f873c3e27bc27a61258efc716a507fefc5f3dd25c960804420f830d219cd
Instruction Fuzzy Hash: 2141E4313442008BC724DE58EA88927B3EAEB957113200A3FE542EB6D0DBB4EC05D7ED

Function 004026F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

string too long, xrefs: 004027FF, 00402809, 00402913, 0040291D

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID:
String ID: string too long
API String ID: 0-2556327735
Opcode ID: 487aea21fec2e29eb2f7db7b9444a1c668b841a6d5bd1c0b54d7b458f09e6a87
Instruction ID: 6718b6c2107a5b23a342d503e1025e29147def940efdb10f1ca3366c28115f34
Opcode Fuzzy Hash: 487aea21fec2e29eb2f7db7b9444a1c668b841a6d5bd1c0b54d7b458f09e6a87
Instruction Fuzzy Hash: 8031D3363046008BCB349E5DEAC886BB3A9FF95711320453FE542E76D0D7B5A849C7AD

Function 00401B40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00401C5B

Strings

invalid string position, xrefs: 00401C42, 00401C4C
string too long, xrefs: 00401C56

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 0b8ab227b915edf27cfca804e795f54def291a07adb0b180a46c7435900354b4
Instruction ID: 4350cead44ed5ab31cb3f3d539257fd7a892b7d14c681f0375fd391c803237d8
Opcode Fuzzy Hash: 0b8ab227b915edf27cfca804e795f54def291a07adb0b180a46c7435900354b4
Instruction Fuzzy Hash: 2E3105323043108BD7249E5DE880B57F7E9EB95761F10093FE6559B2D2D7B6E840C3A9

Function 00401820 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00401935

Strings

invalid string position, xrefs: 0040191C, 00401926
string too long, xrefs: 00401930

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 909987262-4289949731
Opcode ID: 9f2a7bfef2e2428048f2067e4509eecec52f7da7a1d745b31c79f9ad309d4b66
Instruction ID: b5c334c06d014f47bfb49e50dd55c9dee9af8ba5bc1378df0b1d42719fed28af
Opcode Fuzzy Hash: 9f2a7bfef2e2428048f2067e4509eecec52f7da7a1d745b31c79f9ad309d4b66
Instruction Fuzzy Hash: 9331CD33304314DBC724AE69E88085BF3E9EFD8B51320493FE546D72A0DB35AA54C7A9

Function 00404B16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00404B5A
___raise_securityfailure.LIBCMT ref: 00404C41

Strings

H,B, xrefs: 00404C3C

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: H,B
API String ID: 3761405300-539709048
Opcode ID: b4c04d99618068d419dedac5404ebb96b96e4fa82eb6cc16d85986644676f1a2
Instruction ID: 052c40b602ece88b5a8612764514d0a3388197a280e22c9e4c4cddb85fbb46e9
Opcode Fuzzy Hash: b4c04d99618068d419dedac5404ebb96b96e4fa82eb6cc16d85986644676f1a2
Instruction Fuzzy Hash: 7121C3B4660204AAD324CF19EE817557BA4AB48350FD0453AEA089A6B1D7F49593CF4D

Function 00410818 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040BCDC: GetLastError.KERNEL32(?,?,0040B52C,00420718,0000000C,00405687), ref: 0040BCE0
Part of subcall function 0040BCDC: _free.LIBCMT ref: 0040BD13
Part of subcall function 0040BCDC: SetLastError.KERNEL32(00000000), ref: 0040BD54
Part of subcall function 0040BCDC: _abort.LIBCMT ref: 0040BD5A

_abort.LIBCMT ref: 0041084A
_free.LIBCMT ref: 0041087E

Strings

`&B, xrefs: 00410884, 0041088C

Memory Dump Source

Source File: 00000000.00000002.3526499671.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3526483344.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526516611.0000000000415000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526531924.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526546684.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526564105.0000000000429000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3526584572.0000000000444000.00000020.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_47.jbxd

Similarity

API ID: ErrorLast_abort_free
String ID: `&B
API String ID: 289325740-3969561002
Opcode ID: 9d07433f83eae26126034b1a6cfac5b4998af9a3d26eff3265eea34d38613e45
Instruction ID: 4e49ab1c499d57525365d9bc9404fddb8aab5f4ad752d3df6904e89dc88b9448
Opcode Fuzzy Hash: 9d07433f83eae26126034b1a6cfac5b4998af9a3d26eff3265eea34d38613e45
Instruction Fuzzy Hash: FA015E32E05625EBC735BF59850169AB760BF04750B15422FE85463781CBBC69D28FCE

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002B_47.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
LisectAVT_2403002B_47.exe

Function 004232A4 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 205
processCOMMON

Function 00422BFE Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 328
COMMON

Function 004236A9 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 125
sleepCOMMON

Function 004235B9 Relevance: 3.1, APIs: 2, Instructions: 93
networkCOMMON

Function 00444000 Relevance: 30.2, APIs: 20, Instructions: 200
libraryloaderCOMMON

Function 00411396 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Function 0040BBE8 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Function 00410BFF Relevance: 13.7, APIs: 9, Instructions: 209
COMMON

Function 004038E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 216
libraryloaderCOMMON

Function 004030E0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 281
registryCOMMON

Function 004034E0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 281
registryCOMMON

Function 00413DD6 Relevance: 10.8, APIs: 7, Instructions: 268
COMMON

Function 0041305D Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Function 00402F40 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 138
libraryCOMMON