Edit tour

Windows Analysis Report
LisectAVT_2403002B_445.exe

Overview

General Information

Sample name:	LisectAVT_2403002B_445.exe
Analysis ID:	1481648
MD5:	101e706c8b509af541e6dca6b289f309
SHA1:	0335f29d8d5d39f4a40c2c38c48fda355f73b3a7
SHA256:	8137af71185f4017345064b8e12f0595af2622eed918fe6281a8e59ca5497f42
Tags:	exe
Infos:

Detection

LummaC

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002B_445.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_445.exe" MD5: 101E706C8B509AF541E6DCA6B289F309)

conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "sideindexfollowragelrew.pw"], "Build id": "LPnhqo--@asasdasqr"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.394752+0200
SID:	2050952
Source Port:	62388
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related Domain in DNS Lookup (sideindexfollowragelrew .pw) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.271368+0200
SID:	2049958
Source Port:	65106
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.382314+0200
SID:	2050956
Source Port:	57736
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.343058+0200
SID:	2050996
Source Port:	54507
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.328952+0200
SID:	2051584
Source Port:	64965
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.371429+0200
SID:	2050953
Source Port:	58030
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.358660+0200
SID:	2051473
Source Port:	63354
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.316713+0200
SID:	2051587
Source Port:	54768
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T12:18:15.302690+0200
SID:	2051586
Source Port:	60825
Destination Port:	53
Protocol:	UDP
Classtype:	Domain Observed Used for C2 Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002B_445.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://associationokeo.shop/api	Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/p	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/apiM	Avira URL Cloud: Label: malware
Source: colorfulequalugliess.shop	Avira URL Cloud: Label: phishing
Source: https://turkeyunlikelyofw.shop/api	Avira URL Cloud: Label: malware
Source: https://turkeyunlikelyofw.shop/	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop/_	Avira URL Cloud: Label: malware
Source: associationokeo.shop	Avira URL Cloud: Label: malware
Source: turkeyunlikelyofw.shop	Avira URL Cloud: Label: malware
Source: detectordiscusser.shop	Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/api	Avira URL Cloud: Label: malware
Source: https://colorfulequalugliess.shop/K	Avira URL Cloud: Label: phishing
Source: https://detectordiscusser.shop/apie	Avira URL Cloud: Label: malware
Source: https://associationokeo.shop//	Avira URL Cloud: Label: malware
Source: https://detectordiscusser.shop/	Avira URL Cloud: Label: malware
Source: sideindexfollowragelrew.pw	Avira URL Cloud: Label: malware
Source: https://relevantvoicelesskw.shop//	Avira URL Cloud: Label: phishing
Source: relevantvoicelesskw.shop	Avira URL Cloud: Label: phishing
Source: https://associationokeo.shop/i	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.LisectAVT_2403002B_445.exe.5a0000.1.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "sideindexfollowragelrew.pw"], "Build id": "LPnhqo--@asasdasqr"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: LisectAVT_2403002B_445.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: associationokeo.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: turkeyunlikelyofw.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: pooreveningfuseor.pw
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: edurestunningcrackyow.fun
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: detectordiscusser.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: relevantvoicelesskw.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: colorfulequalugliess.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: wisemassiveharmonious.shop
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: sideindexfollowragelrew.pw
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp	String decryptor: LPnhqo--@asasdasqr

Source: LisectAVT_2403002B_445.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LisectAVT_2403002B_445.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Code function: 0_2_00590F8A FindFirstFileExW,

0_2_00590F8A

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov ebx, eax	0_2_005A2060
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_005C2000
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_005C2000
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov byte ptr [edi], dl	0_2_005C1F63
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then add ebx, edi	0_2_005D308A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	0_2_005B10B9
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov byte ptr [edi], 0000002Bh	0_2_005C1168
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_005B4160
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov ebx, eax	0_2_005A2220
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 18DC7455h	0_2_005D02D0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_005C02E6
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_005BF31D
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	0_2_005B638C
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_005D2482
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp word ptr [edx+eax], 0000h	0_2_005D2482
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then jmp esi	0_2_005CE61E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then jmp ecx	0_2_005BC60E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then jmp esi	0_2_005D37BA
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_005C2863
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	0_2_005A8800
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov byte ptr [edx], cl	0_2_005A8800
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_005CC880
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh	0_2_005BC9B0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then jmp eax	0_2_005BD9B6
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_005A19A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov edi, dword ptr [esi+0Ch]	0_2_005D1A5F
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000080h]	0_2_005C0A88
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_005C0A88
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then jmp eax	0_2_005D2B30
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh	0_2_005BFBAB
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp byte ptr [ecx], dl	0_2_005A7CF0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	0_2_005A8C90
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then lea esi, dword ptr [edx+ecx]	0_2_005BDC90
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	0_2_005B6DDA
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then movzx eax, byte ptr [esi+ecx]	0_2_005ACDB0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then jmp edx	0_2_005D3DB3
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	0_2_005A8DA0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov edi, dword ptr [esi+0Ch]	0_2_0070265F
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp byte ptr [ecx], dl	0_2_006D88F0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_00703082
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then cmp word ptr [edx+eax], 0000h	0_2_00703082
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	0_2_006D9890
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then lea esi, dword ptr [edx+ecx]	0_2_006EE890
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 4x nop then mov ecx, edi	0_2_005A5D70

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: associationokeo.shop
Source: Malware configuration extractor	URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor	URLs: pooreveningfuseor.pw
Source: Malware configuration extractor	URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor	URLs: detectordiscusser.shop
Source: Malware configuration extractor	URLs: relevantvoicelesskw.shop
Source: Malware configuration extractor	URLs: colorfulequalugliess.shop
Source: Malware configuration extractor	URLs: wisemassiveharmonious.shop
Source: Malware configuration extractor	URLs: sideindexfollowragelrew.pw

Source: unknown	DNS traffic detected: query: wisemassiveharmonious.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: turkeyunlikelyofw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: associationokeo.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: relevantvoicelesskw.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: detectordiscusser.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: colorfulequalugliess.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: edurestunningcrackyow.fun replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: sideindexfollowragelrew.pw
Source: global traffic	DNS traffic detected: DNS query: wisemassiveharmonious.shop
Source: global traffic	DNS traffic detected: DNS query: colorfulequalugliess.shop
Source: global traffic	DNS traffic detected: DNS query: relevantvoicelesskw.shop
Source: global traffic	DNS traffic detected: DNS query: detectordiscusser.shop
Source: global traffic	DNS traffic detected: DNS query: edurestunningcrackyow.fun
Source: global traffic	DNS traffic detected: DNS query: pooreveningfuseor.pw
Source: global traffic	DNS traffic detected: DNS query: turkeyunlikelyofw.shop
Source: global traffic	DNS traffic detected: DNS query: associationokeo.shop

Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop//
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/_
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671254395.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/api
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671254395.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/apiM
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://associationokeo.shop/i
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://colorfulequalugliess.shop/K
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/api
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://detectordiscusser.shop/apie
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edurestunningcrackyow.fun/
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pooreveningfuseor.pw/t
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://relevantvoicelesskw.shop//
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/
Source: LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/api
Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://turkeyunlikelyofw.shop/p

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Code function: 0_2_006FA0A0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_006FA0A0

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Code function: 0_2_006FA0A0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_006FA0A0

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00703127 NtClose,	0_2_00703127
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_007052B0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007052B0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00702AB2 NtOpenSection,	0_2_00702AB2
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00702C33 NtMapViewOfSection,	0_2_00702C33
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00702E7A NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_00702E7A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_007057A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_007057A0

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00440060	0_2_00440060
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_004410E0	0_2_004410E0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00512060	0_2_00512060
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00523460	0_2_00523460
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0053FC10	0_2_0053FC10
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00579C10	0_2_00579C10
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00578400	0_2_00578400
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0056A8F0	0_2_0056A8F0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0051BCE0	0_2_0051BCE0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0056C480	0_2_0056C480
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005060B0	0_2_005060B0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005808B0	0_2_005808B0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005074A0	0_2_005074A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0055AD50	0_2_0055AD50
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00514540	0_2_00514540
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00547D10	0_2_00547D10
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0050FD00	0_2_0050FD00
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005495C0	0_2_005495C0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005981F1	0_2_005981F1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_004FFA40	0_2_004FFA40
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00503640	0_2_00503640
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0053D260	0_2_0053D260
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0054EA10	0_2_0054EA10
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0054F6D0	0_2_0054F6D0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00531EC0	0_2_00531EC0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005612C0	0_2_005612C0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005332F0	0_2_005332F0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00502E80	0_2_00502E80
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0052DF50	0_2_0052DF50
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005E9371	0_2_005E9371
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00546360	0_2_00546360
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00513710	0_2_00513710
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0056EF10	0_2_0056EF10
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00568B00	0_2_00568B00
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0052C730	0_2_0052C730
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005E93E3	0_2_005E93E3
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00517B90	0_2_00517B90
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0052FBA0	0_2_0052FBA0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005A3050	0_2_005A3050
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005C6080	0_2_005C6080
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005A70A0	0_2_005A70A0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005B5170	0_2_005B5170
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005A2220	0_2_005A2220
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005D5290	0_2_005D5290
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005A53D0	0_2_005A53D0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005A2630	0_2_005A2630
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005D5630	0_2_005D5630
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005A4680	0_2_005A4680
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005C2863	0_2_005C2863
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005A3A10	0_2_005A3A10
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005AFAB0	0_2_005AFAB0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005BDC90	0_2_005BDC90
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_006EE890	0_2_006EE890
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005CE750	0_2_005CE750
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005A5D70	0_2_005A5D70

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: String function: 0058AF80 appears 33 times
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: String function: 005A8250 appears 145 times
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: String function: 005A7B10 appears 43 times

Source: LisectAVT_2403002B_445.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.evad.winEXE@2/0@9/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_03

Source: LisectAVT_2403002B_445.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe "C:\Users\user\Desktop\LisectAVT_2403002B_445.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Section loaded: msasn1.dll	Jump to behavior

Source: LisectAVT_2403002B_445.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002B_445.exe

Static file information: File size 2012017 > 1048576

Source: LisectAVT_2403002B_445.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x197e00

Source: LisectAVT_2403002B_445.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: LisectAVT_2403002B_445.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_00598901 push ecx; ret		0_2_00598914
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_005D7C47 push ecx; ret		0_2_005D7C48

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe TID: 984	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe TID: 984	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Code function: 0_2_00590F8A FindFirstFileExW,

0_2_00590F8A

Source: LisectAVT_2403002B_445.exe, 00000000.00000002.1671254395.00000000008BE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Code function: 0_2_0058ECA0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0058ECA0

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Code function: 0_2_005936A3 GetProcessHeap,

0_2_005936A3

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0058A882 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0058A882
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0058ECA0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0058ECA0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0058AD60 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0058AD60
Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe	Code function: 0_2_0058AEBC SetUnhandledExceptionFilter,	0_2_0058AEBC

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: LisectAVT_2403002B_445.exe	String found in binary or memory: sideindexfollowragelrew.pw
Source: LisectAVT_2403002B_445.exe	String found in binary or memory: associationokeo.shop
Source: LisectAVT_2403002B_445.exe	String found in binary or memory: turkeyunlikelyofw.shop
Source: LisectAVT_2403002B_445.exe	String found in binary or memory: pooreveningfuseor.pw
Source: LisectAVT_2403002B_445.exe	String found in binary or memory: edurestunningcrackyow.fun
Source: LisectAVT_2403002B_445.exe	String found in binary or memory: detectordiscusser.shop
Source: LisectAVT_2403002B_445.exe	String found in binary or memory: relevantvoicelesskw.shop
Source: LisectAVT_2403002B_445.exe	String found in binary or memory: colorfulequalugliess.shop
Source: LisectAVT_2403002B_445.exe	String found in binary or memory: wisemassiveharmonious.shop

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Code function: 0_2_0058AFC5 cpuid

0_2_0058AFC5

Source: C:\Users\user\Desktop\LisectAVT_2403002B_445.exe

Code function: 0_2_0058AC47 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0058AC47

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LisectAVT_2403002B_445.exe	100%	Avira	TR/Crypt.Agent.iobkp
LisectAVT_2403002B_445.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://associationokeo.shop/api	100%	Avira URL Cloud	malware
https://turkeyunlikelyofw.shop/p	100%	Avira URL Cloud	malware
https://associationokeo.shop/apiM	100%	Avira URL Cloud	malware
colorfulequalugliess.shop	100%	Avira URL Cloud	phishing
https://turkeyunlikelyofw.shop/api	100%	Avira URL Cloud	malware
pooreveningfuseor.pw	0%	Avira URL Cloud	safe
edurestunningcrackyow.fun	0%	Avira URL Cloud	safe
https://turkeyunlikelyofw.shop/	100%	Avira URL Cloud	malware
https://associationokeo.shop/_	100%	Avira URL Cloud	malware
associationokeo.shop	100%	Avira URL Cloud	malware
https://edurestunningcrackyow.fun/	0%	Avira URL Cloud	safe
turkeyunlikelyofw.shop	100%	Avira URL Cloud	malware
detectordiscusser.shop	100%	Avira URL Cloud	malware
https://pooreveningfuseor.pw/t	0%	Avira URL Cloud	safe
https://detectordiscusser.shop/api	100%	Avira URL Cloud	malware
https://colorfulequalugliess.shop/K	100%	Avira URL Cloud	phishing
https://detectordiscusser.shop/apie	100%	Avira URL Cloud	malware
https://associationokeo.shop//	100%	Avira URL Cloud	malware
wisemassiveharmonious.shop	0%	Avira URL Cloud	safe
https://detectordiscusser.shop/	100%	Avira URL Cloud	malware
sideindexfollowragelrew.pw	100%	Avira URL Cloud	malware
https://relevantvoicelesskw.shop//	100%	Avira URL Cloud	phishing
https://pooreveningfuseor.pw/	0%	Avira URL Cloud	safe
relevantvoicelesskw.shop	100%	Avira URL Cloud	phishing
https://associationokeo.shop/i	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
edurestunningcrackyow.fun	unknown	unknown	true	unknown
turkeyunlikelyofw.shop	unknown	unknown	true	unknown
sideindexfollowragelrew.pw	unknown	unknown	true	unknown
detectordiscusser.shop	unknown	unknown	true	unknown
relevantvoicelesskw.shop	unknown	unknown	true	unknown
pooreveningfuseor.pw	unknown	unknown	true	unknown
wisemassiveharmonious.shop	unknown	unknown	true	unknown
associationokeo.shop	unknown	unknown	true	unknown
colorfulequalugliess.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
edurestunningcrackyow.fun	true	Avira URL Cloud: safe	unknown
pooreveningfuseor.pw	true	Avira URL Cloud: safe	unknown
associationokeo.shop	true	Avira URL Cloud: malware	unknown
colorfulequalugliess.shop	true	Avira URL Cloud: phishing	unknown
turkeyunlikelyofw.shop	true	Avira URL Cloud: malware	unknown
detectordiscusser.shop	true	Avira URL Cloud: malware	unknown
wisemassiveharmonious.shop	true	Avira URL Cloud: safe	unknown
sideindexfollowragelrew.pw	true	Avira URL Cloud: malware	unknown
relevantvoicelesskw.shop	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://associationokeo.shop/api	LisectAVT_2403002B_445.exe, 00000000.00000002.1671254395.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://turkeyunlikelyofw.shop/p	LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://associationokeo.shop/_	LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://turkeyunlikelyofw.shop/api	LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://turkeyunlikelyofw.shop/	LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://associationokeo.shop/apiM	LisectAVT_2403002B_445.exe, 00000000.00000002.1671254395.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://edurestunningcrackyow.fun/	LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://colorfulequalugliess.shop/K	LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://pooreveningfuseor.pw/t	LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://detectordiscusser.shop/apie	LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://detectordiscusser.shop/	LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://detectordiscusser.shop/api	LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://associationokeo.shop//	LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://relevantvoicelesskw.shop//	LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008EC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://pooreveningfuseor.pw/	LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://associationokeo.shop/i	LisectAVT_2403002B_445.exe, 00000000.00000002.1671318253.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_445.exe, 00000000.00000003.1669580341.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481648
Start date and time:	2024-07-25 12:17:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002B_445.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@2/0@9/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 22 Number of non-executed functions: 83
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: LisectAVT_2403002B_445.exe

Simulations

Behavior and APIs

Time	Type	Description
06:18:13	API Interceptor	2x Sleep call for process: LisectAVT_2403002B_445.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.450959928713771
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002B_445.exe
File size:	2'012'017 bytes
MD5:	101e706c8b509af541e6dca6b289f309
SHA1:	0335f29d8d5d39f4a40c2c38c48fda355f73b3a7
SHA256:	8137af71185f4017345064b8e12f0595af2622eed918fe6281a8e59ca5497f42
SHA512:	38c0b3561b53f8cedb9ba2c12547e5170187bb444bd43f5276794da107e890573dc0adbac451465d607a9144943f19e661d0663e11b717ef17b378af25ecadba
SSDEEP:	24576:yjZgd+tJIg6hd/pBiNf+HPcd76abHtmTolRdcYg:yjmGIg6hd/PiNf+A6abHtsydcz
TLSH:	D9951985B5E2A6C3E6A6DE302701BA91BA431DF70F26F5F6873394402AF71254C67387
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$PRG..hsY.X..GyL.Z..C-...Q..uz....k?.?..N..2@.`...}s.....h...}>..V..D\.#....l.....m]............2..WJW.................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x58a878
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FFEB67 [Sun Mar 24 08:59:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	51db1582194f01c23bbc2a9ca35a507e

Entrypoint Preview

Instruction
call 00007F874116F3DCh
jmp 00007F874116EE39h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00599030h]
push dword ptr [ebp+08h]
call dword ptr [0059902Ch]
push C0000409h
call dword ptr [00599034h]
push eax
call dword ptr [00599038h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0059903Ch]
test eax, eax
je 00007F874116EFC7h
push 00000002h
pop ecx
int 29h
mov dword ptr [005E68B8h], eax
mov dword ptr [005E68B4h], ecx
mov dword ptr [005E68B0h], edx
mov dword ptr [005E68ACh], ebx
mov dword ptr [005E68A8h], esi
mov dword ptr [005E68A4h], edi
mov word ptr [005E68D0h], ss
mov word ptr [005E68C4h], cs
mov word ptr [005E68A0h], ds
mov word ptr [005E689Ch], es
mov word ptr [005E6898h], fs
mov word ptr [005E6894h], gs
pushfd
pop dword ptr [005E68C8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [005E68BCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [005E68C0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [005E68CCh], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [005E6808h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19f5d4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1eb000	0x2d68	.tls
IMAGE_DIRECTORY_ENTRY_DEBUG	0x19e970	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x19e8b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x199000	0x134	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x197c23	0x197e00	45d2fe3c53e81b0a60797d94ed096d99	False	0.41138331290223723	data	6.0176219726821785	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x199000	0x6ca4	0x6e00	1bf91c02bf33b0362dc7365b7b37f6f4	False	0.46072443181818185	data	5.091756129159089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a0000	0x47444	0x46800	cab59c15f922e5fda66ce57f3a9d2d5a	False	0.540278008643617	data	6.797833242993344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1e8000	0x2d5c	0x2e00	6fd29d58eb735fb160810af845c3f2bc	False	0.7130604619565217	data	6.115895082015251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.tls	0x1eb000	0x2e00	0x2d68	b764320f17ca6c504cb6d641b4dc7989	False	0.7225567790777702	data	6.168829025198588	IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

VirtualProtect, VirtualAlloc, VirtualAllocEx, LoadLibraryA, GetProcAddress, lstrlenW, CreateThread, Sleep, WaitForSingleObject, FreeConsole, SetEndOfFile, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, CompareStringW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T12:18:15.394752+0200	UDP	2050952	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (associationokeo .shop)	62388	53	192.168.2.4	1.1.1.1
2024-07-25T12:18:15.271368+0200	UDP	2049958	ET MALWARE Lumma Stealer Related Domain in DNS Lookup (sideindexfollowragelrew .pw)	65106	53	192.168.2.4	1.1.1.1
2024-07-25T12:18:15.382314+0200	UDP	2050956	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (turkeyunlikelyofw .shop)	57736	53	192.168.2.4	1.1.1.1
2024-07-25T12:18:15.343058+0200	UDP	2050996	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (detectordiscusser .shop)	54507	53	192.168.2.4	1.1.1.1
2024-07-25T12:18:15.328952+0200	UDP	2051584	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (relevantvoicelesskw .shop)	64965	53	192.168.2.4	1.1.1.1
2024-07-25T12:18:15.371429+0200	UDP	2050953	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pw)	58030	53	192.168.2.4	1.1.1.1
2024-07-25T12:18:15.358660+0200	UDP	2051473	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fun)	63354	53	192.168.2.4	1.1.1.1
2024-07-25T12:18:15.316713+0200	UDP	2051587	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (colorfulequalugliess .shop)	54768	53	192.168.2.4	1.1.1.1
2024-07-25T12:18:15.302690+0200	UDP	2051586	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (wisemassiveharmonious .shop)	60825	53	192.168.2.4	1.1.1.1

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 12:18:15.271368027 CEST	65106	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.299001932 CEST	53	65106	1.1.1.1	192.168.2.4
Jul 25, 2024 12:18:15.302690029 CEST	60825	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.312860966 CEST	53	60825	1.1.1.1	192.168.2.4
Jul 25, 2024 12:18:15.316713095 CEST	54768	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.326158047 CEST	53	54768	1.1.1.1	192.168.2.4
Jul 25, 2024 12:18:15.328952074 CEST	64965	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.338994026 CEST	53	64965	1.1.1.1	192.168.2.4
Jul 25, 2024 12:18:15.343058109 CEST	54507	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.351046085 CEST	53	54507	1.1.1.1	192.168.2.4
Jul 25, 2024 12:18:15.358659983 CEST	63354	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.367553949 CEST	53	63354	1.1.1.1	192.168.2.4
Jul 25, 2024 12:18:15.371428967 CEST	58030	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.378226995 CEST	53	58030	1.1.1.1	192.168.2.4
Jul 25, 2024 12:18:15.382313967 CEST	57736	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.390511990 CEST	53	57736	1.1.1.1	192.168.2.4
Jul 25, 2024 12:18:15.394752026 CEST	62388	53	192.168.2.4	1.1.1.1
Jul 25, 2024 12:18:15.402287006 CEST	53	62388	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 12:18:15.271368027 CEST	192.168.2.4	1.1.1.1	0xffa8	Standard query (0)	sideindexfollowragelrew.pw	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.302690029 CEST	192.168.2.4	1.1.1.1	0x8550	Standard query (0)	wisemassiveharmonious.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.316713095 CEST	192.168.2.4	1.1.1.1	0x955	Standard query (0)	colorfulequalugliess.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.328952074 CEST	192.168.2.4	1.1.1.1	0xbc20	Standard query (0)	relevantvoicelesskw.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.343058109 CEST	192.168.2.4	1.1.1.1	0x34ee	Standard query (0)	detectordiscusser.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.358659983 CEST	192.168.2.4	1.1.1.1	0x6448	Standard query (0)	edurestunningcrackyow.fun	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.371428967 CEST	192.168.2.4	1.1.1.1	0xdbd3	Standard query (0)	pooreveningfuseor.pw	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.382313967 CEST	192.168.2.4	1.1.1.1	0xf97e	Standard query (0)	turkeyunlikelyofw.shop	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.394752026 CEST	192.168.2.4	1.1.1.1	0x446	Standard query (0)	associationokeo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 12:18:15.312860966 CEST	1.1.1.1	192.168.2.4	0x8550	Name error (3)	wisemassiveharmonious.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.326158047 CEST	1.1.1.1	192.168.2.4	0x955	Name error (3)	colorfulequalugliess.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.338994026 CEST	1.1.1.1	192.168.2.4	0xbc20	Name error (3)	relevantvoicelesskw.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.351046085 CEST	1.1.1.1	192.168.2.4	0x34ee	Name error (3)	detectordiscusser.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.367553949 CEST	1.1.1.1	192.168.2.4	0x6448	Name error (3)	edurestunningcrackyow.fun	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.390511990 CEST	1.1.1.1	192.168.2.4	0xf97e	Name error (3)	turkeyunlikelyofw.shop	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:18:15.402287006 CEST	1.1.1.1	192.168.2.4	0x446	Name error (3)	associationokeo.shop	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:18:13
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_445.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_445.exe"
Imagebase:	0x400000
File size:	2'012'017 bytes
MD5 hash:	101E706C8B509AF541E6DCA6B289F309
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:18:13
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	18.4%
Signature Coverage:	10.9%
Total number of Nodes:	293
Total number of Limit Nodes:	6

Executed Functions

Function 004410E0 Relevance: 49.8, APIs: 1, Strings: 16, Instructions: 20001
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00448556
VirtualAllocEx.KERNEL32 ref: 00448DB1
LoadLibraryA.KERNELBASE ref: 00458953
GetProcAddress.KERNEL32 ref: 0045B219
GetProcAddress.KERNEL32 ref: 0045B282
lstrlenW.KERNEL32 ref: 0046E1BA
CreateThread.KERNELBASE ref: 0046F335
Sleep.KERNEL32 ref: 0046F755
WaitForSingleObject.KERNEL32 ref: 0046FA74
VirtualAllocEx.KERNEL32 ref: 004719B8
LoadLibraryA.KERNEL32 ref: 004720DE
CreateThread.KERNEL32 ref: 004728C9
WaitForSingleObject.KERNEL32 ref: 00472904

Strings

&iug, xrefs: 00460AD5
\~#, xrefs: 00466C7F
:6SY, xrefs: 0044C9D1
:6SY, xrefs: 0044C577
&iug, xrefs: 00441109
lJx, xrefs: 0044C3D3
R)|, xrefs: 0046C267
AV{, xrefs: 00472139
@, xrefs: 004719B0
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, xrefs: 0046CED1, 00472759
x, xrefs: 00472769
kr9@, xrefs: 004724FE
MZx, xrefs: 00444F5D, 00444F79, 004713EC, 00471408
D, xrefs: 004469A7
!uq, xrefs: 00453EF7
Dp[f, xrefs: 0045B7D1

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: AllocVirtual$AddressCreateLibraryLoadObjectProcSingleThreadWait$Sleeplstrlen
String ID: &iug$&iug$:6SY$:6SY$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe$D$Dp[f$MZx$R)|$\~#$kr9@$lJx$x$!uq$AV{
API String ID: 1351281969-1804762653
Opcode ID: e7c30ccb64e4230fd7d1abe2324c637316919f11062961b8e77a19a4f028276c
Instruction ID: 6e13b27e6b28ca3936986e15ddb83133aed75227716d45a29e0065069844fc92
Opcode Fuzzy Hash: e7c30ccb64e4230fd7d1abe2324c637316919f11062961b8e77a19a4f028276c
Instruction Fuzzy Hash: 8454F377A50AA04FFB50983CC8B93D71BE24773331F29679186B84B2E3C55B164AAF50

Function 007052B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00705415
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000,?,00000000,00000010,00003000,00000040), ref: 00705487

Strings

@, xrefs: 0070535C
,, xrefs: 007053EC

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,$@
API String ID: 292159236-1227015840
Opcode ID: 5653969c889f688eb66e75d5390de366ec261b403b083986cf63775a58025652
Instruction ID: ded5703f86ba095343c043fe299d492f42898b2c2519bf1b46f568d7da93e9e3
Opcode Fuzzy Hash: 5653969c889f688eb66e75d5390de366ec261b403b083986cf63775a58025652
Instruction Fuzzy Hash: 71517EB11043049FE711CF18C845B6BBBE4EF84358F54861DF9A99B2E0E779D908CB96

Function 007057A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 00705854
NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000,?,00000000,00000010,00003000,00000040), ref: 007058B3

Strings

$, xrefs: 0070582B

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: e45d237de3acbb0b76dff56c08294f3564aeeb5b3f0f19a26298c09544129150
Instruction ID: 571ea171b62d5d02fbdbda33eb6d208fffd56853e7362904566732413fc597da
Opcode Fuzzy Hash: e45d237de3acbb0b76dff56c08294f3564aeeb5b3f0f19a26298c09544129150
Instruction Fuzzy Hash: 32315E71208314AFE710CF18DC44B5BBBE8EB89718F108A1CFAA9972D0D775D9088B96

Function 0070265F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00702713

Strings

uvw, xrefs: 00702752

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: LibraryLoad
String ID: uvw
API String ID: 1029625771-3462500642
Opcode ID: 22f0dfb1a0db74a3f1f1901504651e8157ffab53d8e41bdda7f8712b5a3cb4e8
Instruction ID: 435feb663da5d0519b9207f21e32ff2202ab98fd32316d95b5f324f2c430c822
Opcode Fuzzy Hash: 22f0dfb1a0db74a3f1f1901504651e8157ffab53d8e41bdda7f8712b5a3cb4e8
Instruction Fuzzy Hash: 4B417C76250A429FC718CF15C4A0A66F7A2FF89324B68DA1DC4A647B85C738F466CF84

Function 00702E7A Relevance: 3.2, APIs: 2, Instructions: 158
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 0070301B
NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 00703067

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1011852050ce5695c6b7d7d7af59469dbc6a89cec480087caaa8c789bd6ce845
Instruction ID: 56f983fb2f657037516d296a0ff7e422512cbcb49941c3f6f0ac9bbe3c883ad6
Opcode Fuzzy Hash: 1011852050ce5695c6b7d7d7af59469dbc6a89cec480087caaa8c789bd6ce845
Instruction Fuzzy Hash: DF510771110B409FE725CF18C858B66B7F4FB08314F148B1CE5AA9BAE1D7B8E949CB94

Function 00440060 Relevance: 3.1, APIs: 1, Instructions: 1627
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b411c4b0dc64c476b7552fd120cd8051a95b9fffaa20fb531c3e262c8c02ff9
Instruction ID: f4867835bce4b223895882ec1a78cefec2126b80fe52bc5b1f6e813c06ace2ba
Opcode Fuzzy Hash: 0b411c4b0dc64c476b7552fd120cd8051a95b9fffaa20fb531c3e262c8c02ff9
Instruction Fuzzy Hash: 5AA2CE77A51A500FFB40987CC8AD3DB1BD687B7732F2A6715CAB44B6E2C55B000BAB50

Function 00702C33 Relevance: 1.5, APIs: 1, Instructions: 44nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002,00000000,00000002), ref: 00702C9C

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: ce3d8a2c6c462a305ce16a63b998f529b15615d39912ff56c30009be18aeab9f
Instruction ID: 720e0ae01844a137da99cbbe369415312941b9fc163c4d5223fcccedfa28859c
Opcode Fuzzy Hash: ce3d8a2c6c462a305ce16a63b998f529b15615d39912ff56c30009be18aeab9f
Instruction Fuzzy Hash: 0F013C70384350BFE7319B14DC47F153ABAAB42B14F20C244F6216E1E2C7B62910CB59

Function 00703127 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00703155

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: bf9df8704aa08e56faebdb5def92edfa28b0c457df742ca02759a5cb4cfe5d80
Instruction ID: 06e549725d5a3e89f2311a9b6bb113d3f341cffba8b8704e04c83643410fc796
Opcode Fuzzy Hash: bf9df8704aa08e56faebdb5def92edfa28b0c457df742ca02759a5cb4cfe5d80
Instruction Fuzzy Hash: 56E012B4A94111FFCB15EF5CFC429A43AA1EB66205700D020F916D52B2DA2A16A5DE19

Function 00702AB2 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000004), ref: 00702ACC

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: OpenSection
String ID:
API String ID: 1950954290-0
Opcode ID: 583c3596ad9d27c31748657e9897cd0a3e4d67e78b3f8bec76bbaf7dfe454474
Instruction ID: 43b7d058ebc87d9f6c51ffda3d30ce40a4a2d1ea271d57aa44166768501a2f73
Opcode Fuzzy Hash: 583c3596ad9d27c31748657e9897cd0a3e4d67e78b3f8bec76bbaf7dfe454474
Instruction Fuzzy Hash: 1FD05BB5150150D7C725D778EC43D263369A785301710D014F362C71D2D976A552CA58

Function 007023F3 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?), ref: 007024DD

Strings

p%', xrefs: 00702452
B)D+, xrefs: 00702459
F-,/, xrefs: 00702460

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: LibraryLoad
String ID: B)D+$F-,/$p%'
API String ID: 1029625771-2598909315
Opcode ID: af7c57e71d87b7a26f70fc0ac83cc2a010d95630e60d5a212eafc530e6f30bca
Instruction ID: 928c50b899920e9c428049b4e2a1074e0246fcbcaeabff74d5e67f789a4db729
Opcode Fuzzy Hash: af7c57e71d87b7a26f70fc0ac83cc2a010d95630e60d5a212eafc530e6f30bca
Instruction Fuzzy Hash: 40218DB1501702DFD718CF14E8A0A26BBF2FB45310B54C66CD8469BBA2D739E981CF84

Function 006D8DA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 006D8E22

Strings

eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance, xrefs: 006D8DDF

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: ExitProcess
String ID: eleet or leetspeak, is a system of modified spellings used primarily on the internet. it often uses character replacements in ways that play on the similarity of their glyphs via reflection or other resemblance
API String ID: 621844428-3721107060
Opcode ID: f0036bde0d7349993efde5ed7e925012f8ec033bfd46b4b73384404e193069cb
Instruction ID: f034a30cba7395a809c88dab305593f53e1d5b1afd4b7b5b832355eeb8e5e7e8
Opcode Fuzzy Hash: f0036bde0d7349993efde5ed7e925012f8ec033bfd46b4b73384404e193069cb
Instruction Fuzzy Hash: 5FF0A471C18200CEC6503F76990E67BBBAB9F11320F100A1BE992533D2EF3454569ED7

Function 00594B44 Relevance: 4.7, APIs: 3, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 00594CF9

Part of subcall function 00590ACB: HeapAlloc.KERNEL32(00000000,0058B27E,?,?,0058B9FA,?,?,-00000002603B985F,-4081992C,?,0058B1D1,0058B27E,?,?,?,?), ref: 00590AFD

__freea.LIBCMT ref: 00594D0C
__freea.LIBCMT ref: 00594D19

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: __freea$AllocHeap
String ID:
API String ID: 85559729-0
Opcode ID: cd5ed6f8b347867009333f28de9852a6695fd0b7825ee8c3117320ca3f444642
Instruction ID: fd0cc46645060483b29cea0208f88dff7e5b7888c99466e64340abfc42bc1883
Opcode Fuzzy Hash: cd5ed6f8b347867009333f28de9852a6695fd0b7825ee8c3117320ca3f444642
Instruction Fuzzy Hash: 6951AE76600206AFEF259E608C85EBB3FA9FF89710F294529FD04D7140EB31DD128AA0

Function 00703636 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 007036C2

Strings

`123, xrefs: 0070369A

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: AllocateHeap
String ID: `123
API String ID: 1279760036-1835766495
Opcode ID: b4c50003b81cd770b7fd67e4cd8fe7a091216e636decdd6803b3ce07473780ab
Instruction ID: 1f967c446330be38d7832a59fe2180778b0a289985c2ab0c27c2818e0e074d21
Opcode Fuzzy Hash: b4c50003b81cd770b7fd67e4cd8fe7a091216e636decdd6803b3ce07473780ab
Instruction Fuzzy Hash: 0E2169312083408BD719CF2CC8A075BBBE6EBC6258F54862CE9528B3E1C779E941CB85

Function 007037BF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 00703842

Strings

`123, xrefs: 0070381A

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: AllocateHeap
String ID: `123
API String ID: 1279760036-1835766495
Opcode ID: 0d54c8ba7db5517b214b748ffc412e3a4981ff8432f6d93ce3d0b4622e0ee18e
Instruction ID: 8c5bbbe9868cd22302c9d98166c542f5886f2fac2818f5c35c66207a863f1148
Opcode Fuzzy Hash: 0d54c8ba7db5517b214b748ffc412e3a4981ff8432f6d93ce3d0b4622e0ee18e
Instruction Fuzzy Hash: 791128B42483408FD718CF18C894B5BBFF1EB86344F50891CE581877A1D779D955CB86

Function 00700A20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00700AA4

Strings

`123, xrefs: 00700A7B

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: AllocateHeap
String ID: `123
API String ID: 1279760036-1835766495
Opcode ID: 0ab4ed51ff615ce31fe1d70177ceb575c73ad5b9886e70a4c1a1b933e2006e81
Instruction ID: 6e30d27271176db9583e25bbbed9e837e1820156e2707c12b07015fc9c5b1ef8
Opcode Fuzzy Hash: 0ab4ed51ff615ce31fe1d70177ceb575c73ad5b9886e70a4c1a1b933e2006e81
Instruction Fuzzy Hash: FB01E5B02083419FE314CF14C865B2BBBE1EB81324F208A4CE8A507691C7759919CBC6

Function 00591C85 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005917BC: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 005917E7

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00591ACC,?,00000000,?,00000000,?), ref: 00591CE6
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00591ACC,?,00000000,?,00000000,?), ref: 00591D22

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 838e1c91fd076db693493694bdb80d6709ba79588aeef765457cf5e06c7e0f5e
Instruction ID: 1b6eba25015c24d4f9c27465c878cc6cf479732c1f65f62725463201551c9ed2
Opcode Fuzzy Hash: 838e1c91fd076db693493694bdb80d6709ba79588aeef765457cf5e06c7e0f5e
Instruction Fuzzy Hash: 77510170A00B678EDF21CF75C8846AABFE9FF91300F18456ED0968B252E7749945CB98

Function 00592939 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00592985
GetFileType.KERNELBASE(00000000), ref: 00592997

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: da12cc7b01ffe31367065bf076cb3bcbfb7b37ce21aeecff4f82f4cda2e1a531
Instruction ID: 3284696963506dececb250cf49439be412aef3c80be2b014486b33fcecd0c478
Opcode Fuzzy Hash: da12cc7b01ffe31367065bf076cb3bcbfb7b37ce21aeecff4f82f4cda2e1a531
Instruction Fuzzy Hash: CB118E316047516ADF344E3E8C98622BE99BB66370F380B1AE4B7DA5F1C334D9C6E251

Function 0059355E Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE(?,00594C34,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00593592
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00594C34,?,?,-00000008,?,00000000), ref: 005935B0

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 57bfe0299506080901b7fc6b57b2ca1553b5da8bdad923bc59453652bf6209b4
Instruction ID: 73160930e086c53671cee915d8defe9472c0ac1da3fca6ef06d4fdb549ba0180
Opcode Fuzzy Hash: 57bfe0299506080901b7fc6b57b2ca1553b5da8bdad923bc59453652bf6209b4
Instruction Fuzzy Hash: 60F0523240021ABBCF126F909C099DE3F6ABB5D3A0F068015BA1825020CB32CA31EB94

Function 00591890 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(FFFFF9B5,?,00000005,00591ACC,?), ref: 005918C2

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 29302f2054fd7fdd45e96ff1440d279d42459dbfec16609b96b06dda992c69ee
Instruction ID: b60882e231b3a8cf7605f990809bd682ad8247995a72f62dc9dffea4c92bc337
Opcode Fuzzy Hash: 29302f2054fd7fdd45e96ff1440d279d42459dbfec16609b96b06dda992c69ee
Instruction Fuzzy Hash: 70515AB190816AAEDF118E28CD84BE9BFADFF15304F1405E9E499C7182D3359E85DFA0

Function 00700ADC Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 00700B86

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81a7aa42915e030f43248b6267ec065fd9fb2908553cbe0cd5a68e5380a59af4
Instruction ID: eebe54f45aace2572e9e1a7a2beb6ccf1bab6f11b83f8d618ec17f9f2e395262
Opcode Fuzzy Hash: 81a7aa42915e030f43248b6267ec065fd9fb2908553cbe0cd5a68e5380a59af4
Instruction Fuzzy Hash: 231119756083009FDB08CF01D86476FFBE2EBC4729F148A1DE89A57691C7799906CB86

Function 00702587 Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00702601

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f4dca88a714c8923d6f05ccb84d1c34531c4863cf5dea0f9bb45c0596061239a
Instruction ID: a2fd1416e78854275d12596bcad0314c66666de5de5fdcd0a7f36a9cc956550c
Opcode Fuzzy Hash: f4dca88a714c8923d6f05ccb84d1c34531c4863cf5dea0f9bb45c0596061239a
Instruction Fuzzy Hash: 23113575200A02AFE314CF19C8A0A27BBB1FF46364B50CB1DC56687B90C734E961CF84

Function 00703FB0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(006D8E14), ref: 00703FC8

Memory Dump Source

Source File: 00000000.00000002.1670967330.00000000006D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000000.00000002.1670947362.00000000006D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1670997509.0000000000707000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671016289.000000000070A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1671037134.0000000000714000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d0000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: aacfe52b235272ced3ed8240ae0319d5892c9dcf2520e6eaf0342645f8272954
Instruction ID: af3d9787d27aae96cfac8743f93df41cbb9f8d170a1a27f3f299380601357383
Opcode Fuzzy Hash: aacfe52b235272ced3ed8240ae0319d5892c9dcf2520e6eaf0342645f8272954
Instruction Fuzzy Hash: E8D09E71710105EBCF015F69FD08D957AB5B704301700C520F94AA01F1DA2EDB15DB5C

Non-executed Functions

Function 0051BCE0 Relevance: 14.7, Strings: 3, Instructions: 10939COMMON

Download Yara Rule

Strings

h,jn, xrefs: 00522E9F
h,jn, xrefs: 0052344B
x;L@, xrefs: 0051F001

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: h,jn$h,jn$x;L@
API String ID: 0-221569872
Opcode ID: 1b3d99efa6db336748ddfb965f404fd9411318ad5a570319433afb37be29009b
Instruction ID: 9e55a19846826d939e74a22506219bc3975f1cfbb0ccd2a3dfb81aad6b61084b
Opcode Fuzzy Hash: 1b3d99efa6db336748ddfb965f404fd9411318ad5a570319433afb37be29009b
Instruction Fuzzy Hash: 29F3AC76A91AA04FEB51983888B93D71FE24773331F2A379586F40B2E3C557124EAF50

Function 005074A0 Relevance: 8.9, Strings: 3, Instructions: 5176COMMON

Download Yara Rule

Strings

B'Sh, xrefs: 00508226
v, xrefs: 00507FAD
v, xrefs: 0050ABED

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: B'Sh$v$v
API String ID: 0-3196793827
Opcode ID: e8d4d3c02173a4ccb656ea78af5ff7d1d33a05a1e2b7e502485f5a9aa1682a21
Instruction ID: ab76d39111afa0b01b7469c30e38b4ca0316ed8ab2bb148e2a4207bb186e8ee6
Opcode Fuzzy Hash: e8d4d3c02173a4ccb656ea78af5ff7d1d33a05a1e2b7e502485f5a9aa1682a21
Instruction Fuzzy Hash: B473AB76A50AA04FEB519938C8B93DB1FE24773731F2A6795C6B40B2E3C517024EAF50

Function 00579C10 Relevance: 7.9, Strings: 2, Instructions: 5353COMMON

Download Yara Rule

Strings

B#tw, xrefs: 0057D4A3
B#tw, xrefs: 0057B96F

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: B#tw$B#tw
API String ID: 0-3589352061
Opcode ID: 43ee2de5ed536a9b5ac88803b8ac2e7bf44110a1cbe235bb1aa333f04e1d0267
Instruction ID: 05cfa2dbb592a5b1f7370e0b1e62b674b3a6eb6e29571b86853456ba3fd0e477
Opcode Fuzzy Hash: 43ee2de5ed536a9b5ac88803b8ac2e7bf44110a1cbe235bb1aa333f04e1d0267
Instruction Fuzzy Hash: 09738B76A91A904FEB519838C8BA3C71FE24773731E2A779586F40B2E3C547124EAF50

Function 005A8800 Relevance: 7.8, Strings: 6, Instructions: 328COMMON

Download Yara Rule

Strings

mnRQ, xrefs: 005A8BBB
>I, xrefs: 005A887C
=, xrefs: 005A89BC
JiUj, xrefs: 005A8BB3
ML, xrefs: 005A89AC
bX\K, xrefs: 005A8968

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: =$>I$JiUj$ML$bX\K$mnRQ
API String ID: 0-2844760306
Opcode ID: ab737fd0466a319242f6193b8354029b6968a1c39ede0b1e0bd6cfc7fc98cd0e
Instruction ID: 8adf928b00c484a9f3ac8cde95666d1ef447f701e94c9419add7495b0ea8b302
Opcode Fuzzy Hash: ab737fd0466a319242f6193b8354029b6968a1c39ede0b1e0bd6cfc7fc98cd0e
Instruction Fuzzy Hash: 3DC147B05093818FD725CF15C4A07AFBBE0BF86314F14495DE4E59B382CB79990ACB96

Function 005060B0 Relevance: 7.0, Strings: 4, Instructions: 1982COMMON

Download Yara Rule

Strings

?X5, xrefs: 00506317
?X5, xrefs: 0050671D
nYTu, xrefs: 005070AC
nYTu, xrefs: 00507489

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: nYTu$nYTu$?X5$?X5
API String ID: 0-3608183084
Opcode ID: bb15641b529f2a5ad569b97bdf471cd17ec3a873a751a03600cacaecbd6a3696
Instruction ID: a68dfb8f40e62e5ff89786949bb56dbd9dc15e67124aa535eef0a8902586153f
Opcode Fuzzy Hash: bb15641b529f2a5ad569b97bdf471cd17ec3a873a751a03600cacaecbd6a3696
Instruction Fuzzy Hash: AAC29B76A51A904FEB419878C4BA3DB1FE68773731F2A6719C6B44B2E3C50B110EAF50

Function 005A3A10 Relevance: 5.5, Strings: 4, Instructions: 492COMMON

Download Yara Rule

Strings

), xrefs: 005A3A89
IHDR, xrefs: 005A3E6C
IEND, xrefs: 005A3F4F
IDAT, xrefs: 005A3EDD

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: 685adf631ad49081b612d4db49c852dbd3f75fe7e12c3b15bc015a7654051b96
Instruction ID: 2acc6f75ab995a217c0fe93b0690dc4629ec0969486f68d212f07f8e3c2e4636
Opcode Fuzzy Hash: 685adf631ad49081b612d4db49c852dbd3f75fe7e12c3b15bc015a7654051b96
Instruction Fuzzy Hash: 7D12BCB16083548FD714CF28C854B5EBBE1BF86304F058A6DFA858B392D379DA09CB91

Function 005808B0 Relevance: 5.2, APIs: 1, Instructions: 3732COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00581CA0

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: ___std_exception_destroy
String ID:
API String ID: 4194217158-0
Opcode ID: 86d7a762d75b8b425101793ed1bcf7e90aad2b659cf412b5f240ce85741f9aa3
Instruction ID: 6e6f1fa0747b16f19508906676a19c95d4fb3263eb6c08f772f49d986fd27f37
Opcode Fuzzy Hash: 86d7a762d75b8b425101793ed1bcf7e90aad2b659cf412b5f240ce85741f9aa3
Instruction Fuzzy Hash: EB338876AA1A904FFB41987888B93DB1BE24773731E2A7745C6F40B2E3C547114BAF60

Function 00512060 Relevance: 4.8, Strings: 2, Instructions: 2265COMMON

Download Yara Rule

Strings

S]Q, xrefs: 0051315B
Qx, xrefs: 00512081

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: Qx$S]Q
API String ID: 0-1210399317
Opcode ID: f750716fb4a6f2265c4f554347139b9ec8c127b1a443262ec058a29af1358c90
Instruction ID: 6091bc49892b3671833026e5620f21b80c79eab7136e3b08d02aa7bcf58eb0dd
Opcode Fuzzy Hash: f750716fb4a6f2265c4f554347139b9ec8c127b1a443262ec058a29af1358c90
Instruction Fuzzy Hash: 86D2597AA61A901FFB419878C4B93CB1BE28773735F2A7715C6B44B6E2C50B110FAB50

Function 00523460 Relevance: 4.7, Strings: 1, Instructions: 3442COMMON

Download Yara Rule

Strings

r+:, xrefs: 005237F9

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: r+:
API String ID: 0-2520838776
Opcode ID: d779d7d78752c70ce0817c7248701e119736885904e306b3de71c8bddb30968a
Instruction ID: 292670cd6de2b43e78fe1b9acf8e1ab2bacf64c058999203a2e64ac2a943a8ba
Opcode Fuzzy Hash: d779d7d78752c70ce0817c7248701e119736885904e306b3de71c8bddb30968a
Instruction Fuzzy Hash: 31237A76AA1A904FFF419878C4BA3DB1BE64773331E2A771586B40B6E3C54B110EAF50

Function 005A8C90 Relevance: 4.2, Strings: 3, Instructions: 417COMMON

Download Yara Rule

Strings

, xrefs: 005A8F88
0, xrefs: 005A8D03
z, xrefs: 005A9095

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: 0$z$
API String ID: 0-2628445692
Opcode ID: 4d1fc1deff65e21b88e93d539f373cae71cd381a489b90953f3e4e8b663927dd
Instruction ID: 2e7947ada7d64ca698e749390cf64b4545f9b620a12de86425ba1af8d2281243
Opcode Fuzzy Hash: 4d1fc1deff65e21b88e93d539f373cae71cd381a489b90953f3e4e8b663927dd
Instruction Fuzzy Hash: F60214B01083828BE724CF14C4A4B6FBBE6BBC6348F144D1CE5D58B292D779D949CB92

Function 005C6080 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

2, xrefs: 005C629B
;, xrefs: 005C6293
8, xrefs: 005C6283

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: 2$8$;
API String ID: 0-1476958264
Opcode ID: 5b11f4b7c838e394f5afdd80530e46b07975916d0aa69864f1bd8cf73783d52c
Instruction ID: 9ee7da160cea2915725649fd81db89aaa68be521b39e023571f350d8cdd307e9
Opcode Fuzzy Hash: 5b11f4b7c838e394f5afdd80530e46b07975916d0aa69864f1bd8cf73783d52c
Instruction Fuzzy Hash: 5CA1A17160C3818FD735CE68C494B9ABBE2BBD5324F184A2DD8E98B3C2D7759905CB42

Function 0056A8F0 Relevance: 4.0, Strings: 1, Instructions: 2731COMMON

Download Yara Rule

Strings

bad array new length, xrefs: 0056C40D

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: bad array new length
API String ID: 0-1242854226
Opcode ID: e56470c30bed55d3925d759ad03637a261c1453ea52858753bb7ba7d5650f977
Instruction ID: b3480d42f2bbc2627b63329acaf5f2a2e7e475b4e62e5b4ac388e0c633c2a843
Opcode Fuzzy Hash: e56470c30bed55d3925d759ad03637a261c1453ea52858753bb7ba7d5650f977
Instruction Fuzzy Hash: 3D035976A51AA04FFB41997888BA3DB1BE68773331F3A771586B40B2D3C54B110EAF50

Function 0053FC10 Relevance: 3.8, Strings: 2, Instructions: 1298COMMON

Download Yara Rule

Strings

mM{, xrefs: 0054092D
mM{, xrefs: 0053FF3C

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: mM{$mM{
API String ID: 0-2220883866
Opcode ID: ffb82d1b00d32108db07c68c21e8b55e151c38dc538282f9a262c61964b916f5
Instruction ID: 78b7294d3570d75b57fcaa9ba1b6eda306a3c70ea5b2a276b5a8a82d913b3c5d
Opcode Fuzzy Hash: ffb82d1b00d32108db07c68c21e8b55e151c38dc538282f9a262c61964b916f5
Instruction Fuzzy Hash: 44827A7AA609504FFF419838C9EA3C71BD387B3736F2A771586B44B6E2C54B110EAB50

Function 00578400 Relevance: 3.6, Strings: 1, Instructions: 2356COMMON

Download Yara Rule

Strings

Unknown exception, xrefs: 00579BCB

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: Unknown exception
API String ID: 0-410509341
Opcode ID: 92a7e9cbd1796ee93d6c32d8ff50cda8cb39b6834f272cb2106cd042f9c33895
Instruction ID: ce8999780e174267bbe89af9928873aa1a1b45619e07ebe9b3ba6fb56e086b22
Opcode Fuzzy Hash: 92a7e9cbd1796ee93d6c32d8ff50cda8cb39b6834f272cb2106cd042f9c33895
Instruction Fuzzy Hash: E2E29B76A91A900FEF419978C4B93DB1FE24773732F2A671586F40B6E3C54B110AAF50

Function 005A4680 Relevance: 3.4, Strings: 2, Instructions: 856COMMON

Download Yara Rule

Strings

8, xrefs: 005A5018
0, xrefs: 005A5023

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: dcd6e10817bcf6b0dcfd9f8d90b9e05080c086d014f8be4c284e07c9d3f7dc20
Instruction ID: a335059bf33039d5b392a982e06648b76c20e8b87da589c124e97eccb2037258
Opcode Fuzzy Hash: dcd6e10817bcf6b0dcfd9f8d90b9e05080c086d014f8be4c284e07c9d3f7dc20
Instruction Fuzzy Hash: 347224716083409FD724CF58C880B9EBBE2BFD6314F19892DE9898B391D7B5D845CB92

Function 005C2863 Relevance: 3.3, Strings: 2, Instructions: 766COMMON

Download Yara Rule

Strings

FY~, xrefs: 005C2A8F
d, xrefs: 005C2871

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: FY~$d
API String ID: 0-1120672609
Opcode ID: 2a77dad7d625777af608848375b946450808228e89fcb9e73973c727a84eb25f
Instruction ID: 8ac47ea2e1f6dd7da4857358ae9e6de462c13127ced1ceb5d39d6f1f5315612b
Opcode Fuzzy Hash: 2a77dad7d625777af608848375b946450808228e89fcb9e73973c727a84eb25f
Instruction Fuzzy Hash: ED42AD71104B418FD325CF25C894BA3BBE2BF56304F188A5DD4EB8BA96D778A809CB54

Function 005A8DA0 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

, xrefs: 005A8F88
z, xrefs: 005A9095

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: z$
API String ID: 0-1376504176
Opcode ID: 2c7021178ed4bff8e83ae50436233b2660486697bd32c8c9c7dcdc42a9523aa1
Instruction ID: 749631be692ba0500262d4611b2ad63a43ba13cfa420e0ac9e01f431b7464613
Opcode Fuzzy Hash: 2c7021178ed4bff8e83ae50436233b2660486697bd32c8c9c7dcdc42a9523aa1
Instruction Fuzzy Hash: AEF1D2B02083828BE724CF14C4A4B5FBBE5BBC6348F144D1CE5D54B692C77AD949CB92

Function 005B4160 Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

y{, xrefs: 005B41A0
uw, xrefs: 005B4188

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: uw$y{
API String ID: 0-756344669
Opcode ID: cd94a78860907570e88e08c6dc9872753c63102ca23bfd10c249738200a0b99a
Instruction ID: 4ee9e130f057117e57c5c96a00bdb6e20b28b3351134f119dbbffdc41a2b5374
Opcode Fuzzy Hash: cd94a78860907570e88e08c6dc9872753c63102ca23bfd10c249738200a0b99a
Instruction Fuzzy Hash: E54117741083419BC724CF14C8A1AABBBF1FFC6394F149A1CF8958B6A2D7749845DB86

Function 005BDC90 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

<=4, xrefs: 005BE0A5

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: <=4
API String ID: 0-979447913
Opcode ID: 86e1fcea3d435c6822c6e7e50cbc205664531b226dda02baed332cea8563bab7
Instruction ID: 216a009ec999e8bd4f0192b3e093c2a321a4f9d6f625cf16c29eccf83ba0656f
Opcode Fuzzy Hash: 86e1fcea3d435c6822c6e7e50cbc205664531b226dda02baed332cea8563bab7
Instruction Fuzzy Hash: 25D18B71A083129FD710CF18C8857ABBBE5FB85714F18492DF59587391E7B4E908CB92

Function 005D5630 Relevance: 1.6, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

R-,T, xrefs: 005D5780

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: R-,T
API String ID: 0-635581381
Opcode ID: 560e430512cb16a1c1741d611f78755730a8e3f4ec7801fee53e254cf81ef1e9
Instruction ID: 959a61c2f2bfeefbc88e72f86573cb6e51aba8e7c7630bb274ff5b5512315512
Opcode Fuzzy Hash: 560e430512cb16a1c1741d611f78755730a8e3f4ec7801fee53e254cf81ef1e9
Instruction Fuzzy Hash: 5EA1BD312047119FD724CF18C850B6ABBE5FF88764F158A2EE9A59B3A0E774D905CB82

Function 005C0A88 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

::34, xrefs: 005C0C5C

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: ::34
API String ID: 0-1123104282
Opcode ID: 970b202120b6acec8297ed952c28573b78af85fde32d5b32feaca1a1dc70bab2
Instruction ID: d1cd6929848c24609303c18b8eaa604bd136ecd558e1abf4b98fecb6052d0f89
Opcode Fuzzy Hash: 970b202120b6acec8297ed952c28573b78af85fde32d5b32feaca1a1dc70bab2
Instruction Fuzzy Hash: 1591D320104B81CED728CB798490B76FFE1BF56308F24666DD4EB4B6C2D735A845CB19

Function 005D02D0 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

`123, xrefs: 005D0409

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: `123
API String ID: 0-1835766495
Opcode ID: f371ec5be9cfe348c9adbfe97d05548a62fc3287c840bcbf8332135b437d0a7c
Instruction ID: 5ccb15860bb7007e90b5fddadb88066479d377933d660b7607dd3c5711a58e3e
Opcode Fuzzy Hash: f371ec5be9cfe348c9adbfe97d05548a62fc3287c840bcbf8332135b437d0a7c
Instruction Fuzzy Hash: 3D715675208301AFE310CF18C884B6ABBE5FB85724F144A2EF9A58B3D1D775D948CB96

Function 005D1A5F Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

uvw, xrefs: 005D1B52

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: uvw
API String ID: 0-3462500642
Opcode ID: 97560bb2bbeedc7fd32a6568eb78f77fd416d4edd6c8241397858aa5d56f0e7c
Instruction ID: f0fe3c49d3dbd7c4fb9fbb2ff968c0b9a2ab18aebe3722554f4482cc774c8218
Opcode Fuzzy Hash: 97560bb2bbeedc7fd32a6568eb78f77fd416d4edd6c8241397858aa5d56f0e7c
Instruction Fuzzy Hash: BF419D75240E42AFD718CF15C4A0A26F7B2FB85324B29DA1EC4A647B44CB34F465CF84

Function 005A70A0 Relevance: .9, Instructions: 868COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8107378514094fb91d2011c44157bd921049a5dd61101435c93894fbe4891d56
Instruction ID: f2e96c7121f8c3e9bce89e8feeb84e8d5ff7a1df6f57995a2a947865192c6b0d
Opcode Fuzzy Hash: 8107378514094fb91d2011c44157bd921049a5dd61101435c93894fbe4891d56
Instruction Fuzzy Hash: 1242F53160C71A8BC724DF18DC842BEBBE2FFD9314F15892DD98587291E734A955CB82

Function 0056C480 Relevance: .7, Instructions: 704COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26757ac80d42ced1fb4cf03ee6e31a23c17b94514262c8d0605aebe3b9ca67d3
Instruction ID: db786a496bc6d3a85f034c833daab6cc788d19473ec7d0b1f4591b4bbd650e07
Opcode Fuzzy Hash: 26757ac80d42ced1fb4cf03ee6e31a23c17b94514262c8d0605aebe3b9ca67d3
Instruction Fuzzy Hash: F112AE76A915504FEB40987CC8AD3DB1FE247B7336F2A6B15C6B05B7E2C50B110EAB60

Function 005A2630 Relevance: .7, Instructions: 680COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334614bb912fe0a8ec80b38eb42e96bf3f733cdb0d6b0b6837ec45e227af2fc4
Instruction ID: b145ffe0b50437acb3fceb7bf8ec70b149e9891d7645ef9c0a0b27da93cba5fd
Opcode Fuzzy Hash: 334614bb912fe0a8ec80b38eb42e96bf3f733cdb0d6b0b6837ec45e227af2fc4
Instruction Fuzzy Hash: 7652D131508742AFC314CF29C4816AAFBE1FF89314F188A6DE89997B42D734E995CBC1

Function 005A3050 Relevance: .6, Instructions: 606COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102393df12addee668e0cab0de08fc4e08f621fbbcb6102736f61e1656738cec
Instruction ID: 5070a8f0e1a79fa9ac998618b46cb0b79e09ef245485934de448b92df361a069
Opcode Fuzzy Hash: 102393df12addee668e0cab0de08fc4e08f621fbbcb6102736f61e1656738cec
Instruction Fuzzy Hash: 7C4267B0514B518FC768CF29C59056ABBF1FF8A314BA08A2DE5978BB90D735FA44CB10

Function 005B10B9 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60abedbf0d7cdc9ed90b4759ded6b94b48f1fd9f7470bed82d4814919ef40edd
Instruction ID: b938f0629a2a31cc8c163e59ec09ff48051a083b69377557ba59e5f83309c8b3
Opcode Fuzzy Hash: 60abedbf0d7cdc9ed90b4759ded6b94b48f1fd9f7470bed82d4814919ef40edd
Instruction Fuzzy Hash: 2E0237B0600B029FD324CF28C8A5BA6BBF1FF46304F548A5CD4A68BB91D775B954CB94

Function 005A53D0 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157c2a1f72e5aeb674d4194251b1766745e95691f6069f276572bd04f70c292f
Instruction ID: 652f03e3032b49f723bfbf01e270eab54f809a06ce477484ed6448f10e5c7b79
Opcode Fuzzy Hash: 157c2a1f72e5aeb674d4194251b1766745e95691f6069f276572bd04f70c292f
Instruction Fuzzy Hash: E7029C32608741CFC714CF28C880A2EBFE5FF9A314F59496DE9989B352E675D805CB92

Function 005B5170 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc788d35870b48299a5be17c72e36008dc41d56e2ad6c818609256912d8e203
Instruction ID: 09e5cfeddd2f1f22d48c1c1dc4769ee1d9c70bd08d45b11b54b92cebae67b7a6
Opcode Fuzzy Hash: dcc788d35870b48299a5be17c72e36008dc41d56e2ad6c818609256912d8e203
Instruction Fuzzy Hash: 9CD1BF715083429FC718CF28C4957AFFBE2BBD6304F19892DE4998B252D735E945CB82

Function 005B638C Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd2ffbc4b82c1d882844f184c9fdbdcd50d0f0be2e9b79395f6acbdad6169e4
Instruction ID: 57b4df4a3eab9bf2a6b7c3b3a5a086cfce8b6677d5fa104f94c83a27b5121ace
Opcode Fuzzy Hash: bcd2ffbc4b82c1d882844f184c9fdbdcd50d0f0be2e9b79395f6acbdad6169e4
Instruction Fuzzy Hash: 21B189B16083118BE724CF14C8A17ABBBF2FFD5318F148A1DE8954B385E7799905CB82

Function 005BF31D Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c672c105196754dd2aaeef6d798aba4eefc491f6edf1c72cf2cd09ee1f6529dd
Instruction ID: 3ae68e730be33a18d2bba0034f745619a8ce6525569496fdd5b8795266b27b81
Opcode Fuzzy Hash: c672c105196754dd2aaeef6d798aba4eefc491f6edf1c72cf2cd09ee1f6529dd
Instruction Fuzzy Hash: F0B15671600B118BD724CF28C8A17A3B7F2FF95308F548A2CD8978BA91E775B446CB94

Function 005D5290 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d090cc250f98bf42054d3bb8bbf8d12395c41b175a022f6c4bf0f105ce3ebf7
Instruction ID: 4755084221d114bd353197c0675fe1c19b3465ce1b007b176b8fb5a4f42a4e92
Opcode Fuzzy Hash: 2d090cc250f98bf42054d3bb8bbf8d12395c41b175a022f6c4bf0f105ce3ebf7
Instruction Fuzzy Hash: 8CB17C752083059FD725CF18C880B2ABBE5FF88754F148A2DF9948B3A0E774E905CB92

Function 005A19A0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99f8d41c7df77f2d3b52a78271401870cbe394498f7bd3f1d161ad2f4ec67f1
Instruction ID: 26e34e9435e2abe2e1021454778453b5749a17d2b408ac29c41185f83643fbdc
Opcode Fuzzy Hash: d99f8d41c7df77f2d3b52a78271401870cbe394498f7bd3f1d161ad2f4ec67f1
Instruction Fuzzy Hash: A251A2B05046019FD7048F28EC4D71BBBA0FF55318F049538E49A962A1E775D979CBCB

Function 005A2060 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813f2283ced66242b932afb7d5ae310599c0b57294438bfd8ef7d69577514262
Instruction ID: 97425c12f3f77b1ae61660c483da8446097f0cf3d616653b1e324bbb4cdfb6bb
Opcode Fuzzy Hash: 813f2283ced66242b932afb7d5ae310599c0b57294438bfd8ef7d69577514262
Instruction Fuzzy Hash: FF41C332B082614BCB188A2DCC6127EBAD3AFC6344F1DC639E8C5DB78AE574DD019795

Function 005AFAB0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7173ae5d0430bb5046c5331b5ef1101a435c94758ffe20dc0c5fc3056e6a0f
Instruction ID: 370650ac10abaf5f62e905c3364ea472fe8b3bc8fa158ba949dec46cdea6d292
Opcode Fuzzy Hash: 0d7173ae5d0430bb5046c5331b5ef1101a435c94758ffe20dc0c5fc3056e6a0f
Instruction Fuzzy Hash: 7C410AB27082144BD30C8A3AC4B037EBBD2EBC9310F19863EE5DAC73D1DA3888469711

Function 005C02E6 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18625f0908cecff049b9a64cb01ffa2d29a01b3a6db87df0c1a62bfb7c4c9bf
Instruction ID: 4843ff27f91c25ed1052e2befebc824aefac768d815c091a2bd88831686b2c8d
Opcode Fuzzy Hash: d18625f0908cecff049b9a64cb01ffa2d29a01b3a6db87df0c1a62bfb7c4c9bf
Instruction Fuzzy Hash: E0418E71110B118FC724CF24C852BABB7F2FF95314F199A6CD4E68BAA1D739A506CB80

Function 005A2220 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29dfaf6598850af173aa98e7724b302156e33b83498a2fec1274f73804136cd8
Instruction ID: b88285e988e165fe0d827acdbbd314f25b6696e9e9d7978fb44fdeda1ebcc132
Opcode Fuzzy Hash: 29dfaf6598850af173aa98e7724b302156e33b83498a2fec1274f73804136cd8
Instruction Fuzzy Hash: E321F4757181B10B9B10CA3D8CD056BBBA2AFC7316B5E96BADBC0D7252C125D8069264

Function 005BFBAB Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e8db71ba4f9665dad2d026aa8b343711c060313d5c0f2216595d78a2d09bf0
Instruction ID: 9286fce71b60c2dd5f4626c0e25b5f29d44eb25814970233f9c60a59fb151bd0
Opcode Fuzzy Hash: 79e8db71ba4f9665dad2d026aa8b343711c060313d5c0f2216595d78a2d09bf0
Instruction Fuzzy Hash: 25315AB6105B409FE765CF28C854B96BBF4FB09304F148A2CE5ABC7A90D774B809CB58

Function 005BC9B0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72abc1f488f3fc7b1de6a90e8d4f94ef489a32a748214985adf3ef8e5e25d72a
Instruction ID: 92501fbfd9b33f6be5970e317c4c028aad66cf9a98605cbf17ed259639e97493
Opcode Fuzzy Hash: 72abc1f488f3fc7b1de6a90e8d4f94ef489a32a748214985adf3ef8e5e25d72a
Instruction Fuzzy Hash: 57214875100B108FE321CF24C845BA6BBF5FB45714F148A2CD6AA8BBA0C771F848CB59

Function 005CC880 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 9babfd50cabe76fe10f3c6be0ecd94974fb2172751387fcdcf50255edb88d7af
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1C11E533A051D50EC3168D7C8400A66BFA32AA7234F59839DF4FC9B2D6D722CD8B8354

Function 005D2482 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7639dcc65c5d8be46f3ad0d870236425ebe6d137049c442f10c23d73c04440fb
Instruction ID: f8833c53c69144339328f29689d3396a49ef86a3ef44f07543eda14728b97323
Opcode Fuzzy Hash: 7639dcc65c5d8be46f3ad0d870236425ebe6d137049c442f10c23d73c04440fb
Instruction Fuzzy Hash: F301C46990531286DB305F18D803232BAF1FF72745F18A06BE8469B3A0F729D641D31D

Function 005B6DDA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb078615302290289a0f922f370e69c24df401b3e2536963dbb6dbbc34b158b
Instruction ID: a717c141514f9ce05eccb930965b41743b0f9367556d31d8ded980e776d91339
Opcode Fuzzy Hash: adb078615302290289a0f922f370e69c24df401b3e2536963dbb6dbbc34b158b
Instruction Fuzzy Hash: 6D1128705183419FD304CF04C450B6FFBE4FB89318F408A1EF89897242D379E6098B96

Function 005C2000 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd71607f690bce657e8853982f1fa76d169d81fd16fa2a586a5d4fd35f608dde
Instruction ID: 6512fec38bc2cc3827343b3c2056b2c76f8b17da33a104a69701633083b62256
Opcode Fuzzy Hash: bd71607f690bce657e8853982f1fa76d169d81fd16fa2a586a5d4fd35f608dde
Instruction Fuzzy Hash: 24F0901454C3D28EC3018B6A80D4732FFA35FA7245F6C6099C0C02B356C767590E8A66

Function 005A7CF0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc49a0553ebbd101380e3ae575d33830016ab1546283f0a9f204abc104f43c0
Instruction ID: f7dfc8ebd38af7491749572c069e1cc3a55b315c1cecd7842f97f6b95146ca71
Opcode Fuzzy Hash: ebc49a0553ebbd101380e3ae575d33830016ab1546283f0a9f204abc104f43c0
Instruction Fuzzy Hash: 03E0483B91D7755742218A1CA81057ABBE5BDDF720F1A2949DC41F7304D621EC0787E5

Function 005C1F63 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f1da324531e67c562e1cfadbf0852f7166e7d103d5258cb488b8e41f4f6388
Instruction ID: e3eb3954bd331eb0e60a643b918f94394e89fe75df17fe08e93293c171d015b4
Opcode Fuzzy Hash: c5f1da324531e67c562e1cfadbf0852f7166e7d103d5258cb488b8e41f4f6388
Instruction Fuzzy Hash: C7E086145487D2CFC301CB5990D4733BF636BA7245F68A0AAC1C427356D667680ECA65

Function 005ACDB0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2044051f06bb029c9e823812dcc2e061d3b89e47936c5c72b85e7b0847b4fd87
Instruction ID: 2a18582a3469647c12d9bf41e262e32d9d7bae8c1f9f595996634241fee888bc
Opcode Fuzzy Hash: 2044051f06bb029c9e823812dcc2e061d3b89e47936c5c72b85e7b0847b4fd87
Instruction Fuzzy Hash: CED0A7A194D3F10E57594D3904A0477FFE4F947222B1854AEF0D1E3145D220EC0156B9

Function 005C1168 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b89f182764def7251bf465b3c8a7126975dbc71fa6886cdb6034776b4f3fcc
Instruction ID: 4645570a0382b17b1b6c51f4e26db94bad45b1f3e3ce5700ada329c131968311
Opcode Fuzzy Hash: 57b89f182764def7251bf465b3c8a7126975dbc71fa6886cdb6034776b4f3fcc
Instruction Fuzzy Hash: 17C01230A402428AC304DF38D989A32FBF0EB2B205B20302AC487E32A1D32094668A0C

Function 005CE61E Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da94d63b8ec6cece7e65a459c64aa78c2d0b4bc40c0ba22fb9f97c1c40e1aae0
Instruction ID: 7770ab6b708bcd15daec446eb3a5e246c06f3721a660359b25f9d5e30aa820c4
Opcode Fuzzy Hash: da94d63b8ec6cece7e65a459c64aa78c2d0b4bc40c0ba22fb9f97c1c40e1aae0
Instruction Fuzzy Hash: D4C0123B90C120878640AF08AC00128E3EBAAC7260F5E29208D44B7320C270F8228BCD

Function 005D308A Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e6fbe17eb71514485956fdd485fa415fecd4696a6bdd50eae747e9863cc9c1
Instruction ID: 7c6b7bd78b67ee6ceedf21f1d2ed7e46c718b4e63303c933d62d5ba34f4607c9
Opcode Fuzzy Hash: 68e6fbe17eb71514485956fdd485fa415fecd4696a6bdd50eae747e9863cc9c1
Instruction Fuzzy Hash: 5DC04C3ABC0250478308CF55EC91539E2F6979B51171EB1358402E3760D5A494414548

Function 005BC60E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5352d5a74675f77acd47e212ad8e59a7e0062af5d315182045b7aedf2aa6d508
Instruction ID: c08aa4d372e9f5af8b490940a951aacf186fae9da1f0b66a2e298ebf15a278c4
Opcode Fuzzy Hash: 5352d5a74675f77acd47e212ad8e59a7e0062af5d315182045b7aedf2aa6d508
Instruction Fuzzy Hash: 1DC00225E59150879258CE14FA904B6B3F7ABCA2147B9B029D84663B59CA70EC02890C

Function 005D2B30 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d24856321a6e452066d19aad862414ae37b90c2dd411f1b78de3affb8e1ff68
Instruction ID: 023736880b9bd43421c6e6c74ebdcf06ec1962d12d21f34926fa163f4d450445
Opcode Fuzzy Hash: 4d24856321a6e452066d19aad862414ae37b90c2dd411f1b78de3affb8e1ff68
Instruction Fuzzy Hash: C3C08CB9D880008BC704CB20AC06971723F6297284B003438C803E3222E430E050860C

Function 005D3DB3 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d48b3c7d2e914f36e85ebb4af494930ed814840934d146237549294ac11a46f
Instruction ID: cacd315472da8f1adfdb46a76d889c778805fd235407da719b80bb14d9e97af4
Opcode Fuzzy Hash: 9d48b3c7d2e914f36e85ebb4af494930ed814840934d146237549294ac11a46f
Instruction Fuzzy Hash: 32B00275E446018F8224CE00C150866F376AB9F221B25F6458859276058230F8868AD8

Function 005BD9B6 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11c5bb682c4e1173fb85fafe91c63964559ee3f050481804446c2cae164d9f0b
Instruction ID: 179238d3a42e7975d31a0b4d1fcc9a52f058f4605d86cf7c1cad0b364b4f1386
Opcode Fuzzy Hash: 11c5bb682c4e1173fb85fafe91c63964559ee3f050481804446c2cae164d9f0b
Instruction Fuzzy Hash: 3FA00220D4D1008A81048E09A444570E2B8621F205F103C24E04CF3153C210D805450C

Function 005D37BA Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d8189cabcdb90c19035327ce217268f333d6db7c63e2bec84614f7baa6318a
Instruction ID: 6b829ceb6c1765329310cd6cac7a0d622d38305eb221885039c711e86d49a699
Opcode Fuzzy Hash: e0d8189cabcdb90c19035327ce217268f333d6db7c63e2bec84614f7baa6318a
Instruction Fuzzy Hash:

Function 005C3670 Relevance: 67.7, Strings: 54, Instructions: 219COMMON

Download Yara Rule

Strings

C, xrefs: 005C3802
C, xrefs: 005C3A3B
C, xrefs: 005C3C6D
C, xrefs: 005C3A69
C, xrefs: 005C3D15
C, xrefs: 005C39DF
C, xrefs: 005C384A
C, xrefs: 005C3981
C, xrefs: 005C39C7
C, xrefs: 005C3D5D
C, xrefs: 005C3D45
C, xrefs: 005C3C9D
C, xrefs: 005C3AF5
C, xrefs: 005C3CB5
C, xrefs: 005C3C85
C, xrefs: 005C36CE
C, xrefs: 005C36FB
C, xrefs: 005C381A
C, xrefs: 005C3BF7
C, xrefs: 005C3CCD
C, xrefs: 005C3C55
C, xrefs: 005C3ADD
C, xrefs: 005C3D72
C, xrefs: 005C3B0D
C, xrefs: 005C36BD
C, xrefs: 005C3741
C, xrefs: 005C3C25
C, xrefs: 005C3948
C, xrefs: 005C37A6
C, xrefs: 005C3925
C, xrefs: 005C38BE
C, xrefs: 005C3A81
C, xrefs: 005C36AD
C, xrefs: 005C3C3D
C, xrefs: 005C3B83
C, xrefs: 005C3729
C, xrefs: 005C38A6
C, xrefs: 005C3B53
C, xrefs: 005C3B25
C, xrefs: 005C3CFD
C, xrefs: 005C3CE5
C, xrefs: 005C3BC9
C, xrefs: 005C3883
C, xrefs: 005C38D6
C, xrefs: 005C3832
C, xrefs: 005C37BE
C, xrefs: 005C3AAF
C, xrefs: 005C39AF
C, xrefs: 005C3BB1
C, xrefs: 005C3697
C, xrefs: 005C3D2D
C, xrefs: 005C3B6B
C, xrefs: 005C3A02
C, xrefs: 005C36EA

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C
API String ID: 0-1918521486
Opcode ID: c938d9e6c19457aab954c006da1c620e983825f560c4718e0d82284b1d787cc2
Instruction ID: 17a564318dc008fab82d14543aed12bce6f8ff604ee98d149e5ce122277cf760
Opcode Fuzzy Hash: c938d9e6c19457aab954c006da1c620e983825f560c4718e0d82284b1d787cc2
Instruction Fuzzy Hash: 05F13DB490A7818BC739DF06E58578BBBE5BBC8308F10FD2E858847365D37465498F8A

Function 005C6A40 Relevance: 61.5, Strings: 49, Instructions: 211COMMON

Download Yara Rule

Strings

C, xrefs: 005C7031
C, xrefs: 005C7079
C, xrefs: 005C6E03
C, xrefs: 005C6E1B
C, xrefs: 005C6D6C
C, xrefs: 005C6F39
C, xrefs: 005C6FE9
C, xrefs: 005C6E61
C, xrefs: 005C6CFA
C, xrefs: 005C6BD7
C, xrefs: 005C6CB4
C, xrefs: 005C6F78
C, xrefs: 005C70C1
C, xrefs: 005C6F0B
C, xrefs: 005C6F51
C, xrefs: 005C70F1
C, xrefs: 005C6C6E
C, xrefs: 005C70A9
C, xrefs: 005C6C56
C, xrefs: 005C70D9
C, xrefs: 005C6E84
C, xrefs: 005C7001
C, xrefs: 005C6DA5
C, xrefs: 005C6B91
C, xrefs: 005C6AA9
C, xrefs: 005C6C28
C, xrefs: 005C6FA8
C, xrefs: 005C6F90
C, xrefs: 005C6E9C
C, xrefs: 005C7049
C, xrefs: 005C6AD0
C, xrefs: 005C6D1D
C, xrefs: 005C6AE8
C, xrefs: 005C6E49
C, xrefs: 005C6C86
C, xrefs: 005C6EFA
C, xrefs: 005C7019
C, xrefs: 005C6EB4
C, xrefs: 005C7061
C, xrefs: 005C6DD3
C, xrefs: 005C7091
C, xrefs: 005C6DEB
C, xrefs: 005C6CCC
C, xrefs: 005C6BA9
C, xrefs: 005C6FB9
C, xrefs: 005C6C10
C, xrefs: 005C6EE2
C, xrefs: 005C6B79
C, xrefs: 005C6FD1

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C
API String ID: 0-1806908614
Opcode ID: aa12c5568008614e22bfeb7f6fb387fa9ede4ec4712e9ea2fb395dba554e2cbd
Instruction ID: 855e3cc7b0681e4f4bdf058e62b607a8832b6e3fa6e9a7a7275163bacb192d3c
Opcode Fuzzy Hash: aa12c5568008614e22bfeb7f6fb387fa9ede4ec4712e9ea2fb395dba554e2cbd
Instruction Fuzzy Hash: 31E16FB494A3818BC774DF05E59969ABBE4BB89308F10BD2ED98D47391CB742508CF4E

Function 005CA840 Relevance: 60.2, Strings: 48, Instructions: 208COMMON

Download Yara Rule

Strings

C, xrefs: 005CA884
C, xrefs: 005CAEBA
C, xrefs: 005CAC89
C, xrefs: 005CAF23
C, xrefs: 005CAE39
C, xrefs: 005CAD61
C, xrefs: 005CAD91
C, xrefs: 005CA89C
C, xrefs: 005CAD19
C, xrefs: 005CADA9
L, xrefs: 005CA910
C, xrefs: 005CAE90
C, xrefs: 005CACD1
C, xrefs: 005CADF1
C, xrefs: 005CAE7B
C, xrefs: 005CABF9
C, xrefs: 005CAC41
C, xrefs: 005CABD0
C, xrefs: 005CADC1
|, xrefs: 005CA93C
C, xrefs: 005CAEE4
@, xrefs: 005CA905
C, xrefs: 005CADD9
C, xrefs: 005CAC59
p, xrefs: 005CA931
C, xrefs: 005CAECF
C, xrefs: 005CAC29
X, xrefs: 005CA91B
C, xrefs: 005CAEF9
C, xrefs: 005CAD31
C, xrefs: 005CAD49
C, xrefs: 005CAE09
C, xrefs: 005CAC11
C, xrefs: 005CACE9
C, xrefs: 005CAF0E
C, xrefs: 005CAE66
4, xrefs: 005CA8FA
C, xrefs: 005CAE51
C, xrefs: 005CAD79
C, xrefs: 005CABE1
C, xrefs: 005CACA1
C, xrefs: 005CAEA5
C, xrefs: 005CACB9
C, xrefs: 005CAC71
C, xrefs: 005CAE21
(, xrefs: 005CA8EF
C, xrefs: 005CAD01
d, xrefs: 005CA926

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$($4$@$L$X$d$p$|
API String ID: 0-4215602226
Opcode ID: fd5a510157a3eb7df68cc3e4bd4a1b70b6ab275ea9813702b4fccdf76dbdadc6
Instruction ID: c565546c47d054021fca8928c08ec0a514a9422b6b0299143c43e1b34350dcb1
Opcode Fuzzy Hash: fd5a510157a3eb7df68cc3e4bd4a1b70b6ab275ea9813702b4fccdf76dbdadc6
Instruction Fuzzy Hash: 77E16FB451A3818BD774DF01E55979FBBE0BB89308F00AD1E9A8C5B391C7B91528CF4A

Function 005C3FDD Relevance: 50.2, Strings: 40, Instructions: 178COMMON

Download Yara Rule

Strings

R, xrefs: 005C4145
c, xrefs: 005C42BD
c, xrefs: 005C4115
s, xrefs: 005C40E5
[, xrefs: 005C41C5
h, xrefs: 005C4315
_, xrefs: 005C4225
, xrefs: 005C4275
), xrefs: 005C4215
l, xrefs: 005C4185
a, xrefs: 005C42CD
0, xrefs: 005C400B
5, xrefs: 005C4285
i, xrefs: 005C430D
g, xrefs: 005C42DD
e, xrefs: 005C42ED
0, xrefs: 005C43DF
/, xrefs: 005C41D5
^, xrefs: 005C4155
7, xrefs: 005C42A5
x, xrefs: 005C4135
<, xrefs: 005C4235
4, xrefs: 005C41E5
q, xrefs: 005C41F5
|, xrefs: 005C4205
m, xrefs: 005C41A5
1, xrefs: 005C4265
9, xrefs: 005C4245
~, xrefs: 005C4175
*, xrefs: 005C4295
I, xrefs: 005C42B5
f, xrefs: 005C4105
&, xrefs: 005C4255
\, xrefs: 005C41B5
i, xrefs: 005C4195
V, xrefs: 005C4165
k, xrefs: 005C4125
k, xrefs: 005C42FD
o, xrefs: 005C40F5
o, xrefs: 005C431D

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: $&$)$*$/$0$0$1$4$5$7$9$<$I$R$V$[$\$^$_$a$c$c$e$f$g$h$i$i$k$k$l$m$o$o$q$s$x$|$~
API String ID: 0-2076901766
Opcode ID: 3bdebb55d431c8634d57a0e1e2d8ac3574faeff928a2f785b5f0b86b73f8aaba
Instruction ID: 1625da2733e13926bdbf8e5ea2520bf8b743348ff6ffa37cb4a74078b439c189
Opcode Fuzzy Hash: 3bdebb55d431c8634d57a0e1e2d8ac3574faeff928a2f785b5f0b86b73f8aaba
Instruction Fuzzy Hash: EAB1B43000C7C28ED336CA2888587DFBFE16BA6324F084A9DD5E95B2D2D7B64545CB67

Function 005C811C Relevance: 41.4, Strings: 33, Instructions: 171COMMON

Download Yara Rule

Strings

[, xrefs: 005C83DC
_, xrefs: 005C83FC
g, xrefs: 005C83BC
i, xrefs: 005C836C
R, xrefs: 005C8424
6, xrefs: 005C8264
c, xrefs: 005C839C
K, xrefs: 005C8284
/, xrefs: 005C8254
}, xrefs: 005C830C
0, xrefs: 005C8509
Q, xrefs: 005C842C
q, xrefs: 005C832C
f, xrefs: 005C82C4
w, xrefs: 005C833C
#, xrefs: 005C8244
>, xrefs: 005C82D4
{, xrefs: 005C82DC
Y, xrefs: 005C83EC
y, xrefs: 005C82EC
8, xrefs: 005C8294
o, xrefs: 005C837C
], xrefs: 005C840C
k, xrefs: 005C835C
b, xrefs: 005C82A4
a, xrefs: 005C83AC
3, xrefs: 005C8274
e, xrefs: 005C83CC
m, xrefs: 005C838C
u, xrefs: 005C834C
s, xrefs: 005C831C
S, xrefs: 005C841C
^, xrefs: 005C82B4

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: #$/$0$3$6$8$>$K$Q$R$S$Y$[$]$^$_$a$b$c$e$f$g$i$k$m$o$q$s$u$w$y${$}
API String ID: 0-1133209118
Opcode ID: fcd249ec573c39407cf2c70f889c80ebafd94e547ca05926b1b178d7d28f4204
Instruction ID: 71e6e082ea462a0ecb2c8559067d1fd347e9b7d9fc0c9835453c5640c1c9f3fc
Opcode Fuzzy Hash: fcd249ec573c39407cf2c70f889c80ebafd94e547ca05926b1b178d7d28f4204
Instruction Fuzzy Hash: EAB1937010CBC18ED336CA2888587DFBFE16BA6364F084A5DD4E94A2E2C7B55145CB67

Function 005C5053 Relevance: 32.6, Strings: 26, Instructions: 91COMMON

Download Yara Rule

Strings

A, xrefs: 005C510A
_, xrefs: 005C50BA
A, xrefs: 005C512A
C, xrefs: 005C513A
/, xrefs: 005C5142
#, xrefs: 005C50E2
_, xrefs: 005C50AA
?, xrefs: 005C50C2
-, xrefs: 005C5132
S, xrefs: 005C5162
!, xrefs: 005C50D2
%, xrefs: 005C50F2
Q, xrefs: 005C5152
), xrefs: 005C5112
R, xrefs: 005C50CA
z, xrefs: 005C508A
;, xrefs: 005C50A2
P, xrefs: 005C515A
+, xrefs: 005C5122
\, xrefs: 005C511A
9, xrefs: 005C5092
d, xrefs: 005C50DA
=, xrefs: 005C50B2
I, xrefs: 005C514A
', xrefs: 005C5102
A, xrefs: 005C50EA

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: !$#$%$'$)$+$-$/$9$;$=$?$A$A$A$C$I$P$Q$R$S$\$_$_$d$z
API String ID: 0-624435820
Opcode ID: 741b58949618608ad9d621743f3b974a56599811373b7e935e3143183862f57d
Instruction ID: 6256a119d061edf7368fc579588709c524e78426388c21a0b3f2cb23a49dc4b5
Opcode Fuzzy Hash: 741b58949618608ad9d621743f3b974a56599811373b7e935e3143183862f57d
Instruction Fuzzy Hash: 9F51E37020D7C08EE336DB68D5987DBBFE1AB96308F08496DD4D84B282C3B95949CB53

Function 005ACAF2 Relevance: 25.1, Strings: 20, Instructions: 92COMMON

Download Yara Rule

Strings

g, xrefs: 005ACB3C
3, xrefs: 005ACB88
9, xrefs: 005ACBA0
@, xrefs: 005ACB2C
?, xrefs: 005ACB98
=, xrefs: 005ACB90
b, xrefs: 005ACB54
5, xrefs: 005ACB70
o, xrefs: 005ACB4C
a, xrefs: 005ACB44
o, xrefs: 005ACB5C
7, xrefs: 005ACB78
u, xrefs: 005ACB1C
>, xrefs: 005ACB9C
T, xrefs: 005ACB7C
1, xrefs: 005ACB80
{, xrefs: 005ACB94
w, xrefs: 005ACB24
$, xrefs: 005ACB34
U, xrefs: 005ACB74

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: $$1$3$5$7$9$=$>$?$@$T$U$a$b$g$o$o$u$w${
API String ID: 0-803865081
Opcode ID: 96d01b6ccda33baf9ae67b23402032f238422a132f2a4a2b2c855122dad561b6
Instruction ID: b9c0112c4f010ebb314f17610c096de405615ae929100d349a7798454a9d5428
Opcode Fuzzy Hash: 96d01b6ccda33baf9ae67b23402032f238422a132f2a4a2b2c855122dad561b6
Instruction Fuzzy Hash: DB41E6601087C0CEEB26CF2884D87427FE15B26318F1982DDC8994F69BC3BAD51AC776

Function 005C9640 Relevance: 23.9, Strings: 19, Instructions: 105COMMON

Download Yara Rule

Strings

C, xrefs: 005C9837
C, xrefs: 005C980B
C, xrefs: 005C9689
C, xrefs: 005C984D
C, xrefs: 005C98BB
C, xrefs: 005C9879
C, xrefs: 005C9863
C, xrefs: 005C98A5
C, xrefs: 005C9821
C, xrefs: 005C98D1
C, xrefs: 005C9651
C, xrefs: 005C988F
C, xrefs: 005C97CF
C, xrefs: 005C97F5
C, xrefs: 005C9929
C, xrefs: 005C98E7
C, xrefs: 005C97DF
C, xrefs: 005C98FD
C, xrefs: 005C9913

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C$ C
API String ID: 0-4205221254
Opcode ID: 930af8b64b56cd43365158fe36df7fe95aef3b4a0c2239a368953af2567379a9
Instruction ID: 0153027d063e5706c6c29ec6e93e483daead757886c64c083bdd37ad514c2b1f
Opcode Fuzzy Hash: 930af8b64b56cd43365158fe36df7fe95aef3b4a0c2239a368953af2567379a9
Instruction Fuzzy Hash: 5B7142B0905B418BD724DF25E559797BBE1BB4A308F40AD2FD5AA473A1C7B43448CF88

Function 005C717C Relevance: 22.6, Strings: 18, Instructions: 113COMMON

Download Yara Rule

Strings

J, xrefs: 005C7203
:, xrefs: 005C71B3
H, xrefs: 005C722B
X, xrefs: 005C71EF
3, xrefs: 005C71A9
I, xrefs: 005C720D
], xrefs: 005C71F9
U, xrefs: 005C71E5
D, xrefs: 005C7235
v, xrefs: 005C7255
1, xrefs: 005C71C7
M, xrefs: 005C71DB
A, xrefs: 005C71D1
D, xrefs: 005C71BD
Q, xrefs: 005C7221
1, xrefs: 005C7217
W, xrefs: 005C7245
4, xrefs: 005C7265

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: 1$1$3$4$:$A$D$D$H$I$J$M$Q$U$W$X$]$v
API String ID: 0-3526330400
Opcode ID: 4c4dde784ecaccb4c1f82dc4f83eb58c15311623e9b5025230cc517a33559933
Instruction ID: ab20fe4ea6096b78a6bb8de981a9c84cf334f021927a871beb6bb334dfb57f48
Opcode Fuzzy Hash: 4c4dde784ecaccb4c1f82dc4f83eb58c15311623e9b5025230cc517a33559933
Instruction Fuzzy Hash: 3F51C77010C7C18ED322CB38845874FBFD16B96224F584A5DE5E98B3E2C775954ACB53

Function 005C75B6 Relevance: 22.6, Strings: 18, Instructions: 105COMMON

Download Yara Rule

Strings

J, xrefs: 005C7634
W, xrefs: 005C7676
D, xrefs: 005C7666
M, xrefs: 005C760C
H, xrefs: 005C765C
v, xrefs: 005C7686
1, xrefs: 005C7648
D, xrefs: 005C75EE
A, xrefs: 005C7602
1, xrefs: 005C75F8
U, xrefs: 005C7616
Q, xrefs: 005C7652
], xrefs: 005C762A
:, xrefs: 005C75E4
4, xrefs: 005C7696
3, xrefs: 005C75DA
X, xrefs: 005C7620
I, xrefs: 005C763E

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: 1$1$3$4$:$A$D$D$H$I$J$M$Q$U$W$X$]$v
API String ID: 0-3526330400
Opcode ID: 21dc155316d35b391ad26d2ab4e86cee74c387308d8040a50545a97ed3e958a5
Instruction ID: 48e0299e503574d3f374029b73c712eb1aa968803d03fa3a39a06f19707d04b9
Opcode Fuzzy Hash: 21dc155316d35b391ad26d2ab4e86cee74c387308d8040a50545a97ed3e958a5
Instruction Fuzzy Hash: 0751A47010CBC18ED322CB38844874FBFE16B96224F188A9DE5E54B3E2C775854ACB67

Function 005C7811 Relevance: 15.1, Strings: 12, Instructions: 93COMMON

Download Yara Rule

Strings

{, xrefs: 005C787B
z, xrefs: 005C788B
{, xrefs: 005C78EB
}, xrefs: 005C78AB
|, xrefs: 005C785B
P, xrefs: 005C78DB
k, xrefs: 005C790B
T, xrefs: 005C78FB
D, xrefs: 005C786B
L, xrefs: 005C78BB
q, xrefs: 005C78CB
I, xrefs: 005C789B

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: D$I$L$P$T$k$q$z${${$|$}
API String ID: 0-3654948518
Opcode ID: eb987f407f37c6ecd8580b2140394d95563597a7645639d309ff5f17de0f5ef5
Instruction ID: ea1d28c82bc65de195bf7abb1d821985be1a7a72ffd56d21156e90eb485c7eb5
Opcode Fuzzy Hash: eb987f407f37c6ecd8580b2140394d95563597a7645639d309ff5f17de0f5ef5
Instruction Fuzzy Hash: D751037010C7C18AE336CB28C498BDBBFE1AB96314F044A5DD5E94B2D2D77A9505CB93

Function 005C73C1 Relevance: 15.1, Strings: 12, Instructions: 90COMMON

Download Yara Rule

Strings

}, xrefs: 005C7428
w, xrefs: 005C7478
y, xrefs: 005C7408
q, xrefs: 005C7448
u, xrefs: 005C7468
M, xrefs: 005C74A8
s, xrefs: 005C7458
{, xrefs: 005C7418
K, xrefs: 005C7498
L, xrefs: 005C74B0
O, xrefs: 005C74B8
I, xrefs: 005C7488

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: I$K$L$M$O$q$s$u$w$y${$}
API String ID: 0-2287174937
Opcode ID: eb4ce4336640a3dafa6ced1e02c8dbdcee340fa4fed27c9f6b9ef64845528719
Instruction ID: 976b4a21e1c6fc0403e9f0ba803a61ad5e6cf074645fa1ad23ca9c9be2cb0890
Opcode Fuzzy Hash: eb4ce4336640a3dafa6ced1e02c8dbdcee340fa4fed27c9f6b9ef64845528719
Instruction Fuzzy Hash: 7F51F27050C3C18EE335CB288858B9BBFE2AB96314F044A5DE4E84B292C7B955498B53

Function 005C8BF7 Relevance: 15.1, Strings: 12, Instructions: 89COMMON

Download Yara Rule

Strings

}, xrefs: 005C8C65
I, xrefs: 005C8CC5
w, xrefs: 005C8CB5
y, xrefs: 005C8C45
s, xrefs: 005C8C95
O, xrefs: 005C8CF5
M, xrefs: 005C8CE5
u, xrefs: 005C8CA5
{, xrefs: 005C8C55
L, xrefs: 005C8CED
q, xrefs: 005C8C85
K, xrefs: 005C8CD5

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: I$K$L$M$O$q$s$u$w$y${$}
API String ID: 0-2287174937
Opcode ID: b52ba7697a32cbfeeb4b21c81f5419e46dbb5c4d24021f58c5c95e1243109093
Instruction ID: 7baf00e0173ea84dee848a04fa6ef80bdd9ca9e8773ac27a3322c0c8d249a859
Opcode Fuzzy Hash: b52ba7697a32cbfeeb4b21c81f5419e46dbb5c4d24021f58c5c95e1243109093
Instruction Fuzzy Hash: 0B51E47050C3C1CBE335CB28C858B9BBBE2AB96314F044A5DD4D94B2D2C7B95449CB63

Function 005C538E Relevance: 13.8, Strings: 11, Instructions: 98COMMON

Download Yara Rule

Strings

q, xrefs: 005C5465
y, xrefs: 005C5445
t, xrefs: 005C53F5
w, xrefs: 005C53D5
w, xrefs: 005C5485
v, xrefs: 005C53E5
x, xrefs: 005C5425
m, xrefs: 005C5405
t, xrefs: 005C5495
d, xrefs: 005C5415
y, xrefs: 005C54A5

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: d$m$q$t$t$v$w$w$x$y$y
API String ID: 0-516703108
Opcode ID: 5b77419dbff5e1936998b48a1fe1d72f9740be4d262098fa61d9181769bf05f1
Instruction ID: bf1ccc87ab3e3abf7e184fe182a579f7ed808c22b4445b44f1e7d9c9ad5a6492
Opcode Fuzzy Hash: 5b77419dbff5e1936998b48a1fe1d72f9740be4d262098fa61d9181769bf05f1
Instruction Fuzzy Hash: 5851E03050CBC1CAD336CA28989879ABFD16BD6364F080A5DE4ED4B3E2D7745545CBA3

Function 005BB4F2 Relevance: 13.0, Strings: 10, Instructions: 494COMMON

Download Yara Rule

Strings

GT, xrefs: 005BBA97
RG, xrefs: 005BB7DC
TN, xrefs: 005BBAB5
[@, xrefs: 005BBAAB
!#, xrefs: 005BB5F4
D), xrefs: 005BB7C8
ZR, xrefs: 005BB7E6
Y\, xrefs: 005BB7D2
K9E;, xrefs: 005BBB7D
WQ, xrefs: 005BBAA1

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: D)$GT$K9E;$RG$TN$WQ$Y\$ZR$[@$!#
API String ID: 0-2740541214
Opcode ID: 4ab964777bb2a9bcd58c2577d21e1a6dfbfb1548f92dee1b78d1290b4c8e7b8e
Instruction ID: 20fa6134d79b2ccc7468fba3cee441dcbdff934fab71ffca39692fbb5d9247e0
Opcode Fuzzy Hash: 4ab964777bb2a9bcd58c2577d21e1a6dfbfb1548f92dee1b78d1290b4c8e7b8e
Instruction Fuzzy Hash: 0652B3B4105B818AE364CF21D894BD7BBE2BB85344F508E2DC1FB1B285CBB5614ACF95

Function 0058E00A Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0058E129
___TypeMatch.LIBVCRUNTIME ref: 0058E237
_UnwindNestedFrames.LIBCMT ref: 0058E389
CallUnexpected.LIBVCRUNTIME ref: 0058E3A4

Strings

csm, xrefs: 0058E0B4
csm, xrefs: 0058E047
csm, xrefs: 0058E160

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 97af79e2e64291b1052b2f63078a1b1ec2e3d5e38b1876228455e09239f9478d
Instruction ID: ea1f3680b35a669f9243c88df6c8795576dc9c05e1bac09b2d51e2a5545d610a
Opcode Fuzzy Hash: 97af79e2e64291b1052b2f63078a1b1ec2e3d5e38b1876228455e09239f9478d
Instruction Fuzzy Hash: BBB1887180020AEFCF18EFA4D88A9AEBFB5BF54310B14455AEC157B242D730EE51CBA1

Function 005C4785 Relevance: 11.3, Strings: 9, Instructions: 74COMMON

Download Yara Rule

Strings

a, xrefs: 005C4813
_, xrefs: 005C4823
c, xrefs: 005C4803
g, xrefs: 005C47E3
k, xrefs: 005C47C3
^, xrefs: 005C481B
e, xrefs: 005C47F3
m, xrefs: 005C47B3
i, xrefs: 005C47D3

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: ^$_$a$c$e$g$i$k$m
API String ID: 0-3425094176
Opcode ID: 3eb87c03781164b36f52ff7db0fd93214d06bb14808f17c1678df36346f50137
Instruction ID: 4ade89cc0a81a71e8f496075ec333aae3e8dbf79bd597364424de98baa5abac8
Opcode Fuzzy Hash: 3eb87c03781164b36f52ff7db0fd93214d06bb14808f17c1678df36346f50137
Instruction Fuzzy Hash: 3E41253054C7C48ED339DB28C4A879BBFE1ABE6314F148A5CE4E94B282C7B54545CB93

Function 005A84E0 Relevance: 10.3, Strings: 8, Instructions: 260COMMON

Download Yara Rule

Strings

bbp|, xrefs: 005A86B0
Ta, xrefs: 005A85E6
CEE~, xrefs: 005A8690
2P, xrefs: 005A8708
SD_\, xrefs: 005A8668
u}w~, xrefs: 005A8698
LIGA, xrefs: 005A8680
HVRP, xrefs: 005A8618

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: CEE~$HVRP$LIGA$SD_\$Ta$bbp|$u}w~$2P
API String ID: 0-1774221220
Opcode ID: ed306716715ec182923c9cd8cc63dfba65a15c3bd9df844ffcd8c81a9f60aa2e
Instruction ID: 38bbe9edbb813b989de2acae6d09ee800e8817305a3d1cc9f3a822d8f6507905
Opcode Fuzzy Hash: ed306716715ec182923c9cd8cc63dfba65a15c3bd9df844ffcd8c81a9f60aa2e
Instruction Fuzzy Hash: FB8125B19493928BD321CF25C49075FBFE1BFD2714F288A4CE8E41B285D7769809CB92

Function 005AF115 Relevance: 8.9, Strings: 7, Instructions: 113COMMON

Download Yara Rule

Strings

V9X;, xrefs: 005AF31E
a-R/, xrefs: 005AF2FD
Y[, xrefs: 005AF166
^!^#, xrefs: 005AF308
:M,O, xrefs: 005AF145
6AC, xrefs: 005AF150
R%Z', xrefs: 005AF313

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: 6AC$:M,O$R%Z'$V9X;$^!^#$a-R/$Y[
API String ID: 0-2223191178
Opcode ID: fbaaa146c132f7d111ffcb86e1f245e71eaac4c225a319455b1c74a60d79a04b
Instruction ID: 1030e426f4eb76ace363eeed6c6e5cc78f9400ff7a3fa6a387c36a45b3063527
Opcode Fuzzy Hash: fbaaa146c132f7d111ffcb86e1f245e71eaac4c225a319455b1c74a60d79a04b
Instruction Fuzzy Hash: 5C51E8B41493C19BE234CF11D892B8EBBE2BB86340F218E1CD5E81B245CB788146CF92

Function 005C4B77 Relevance: 8.8, Strings: 7, Instructions: 82COMMON

Download Yara Rule

Strings

u, xrefs: 005C4C2D
), xrefs: 005C4C05
v, xrefs: 005C4C35
w, xrefs: 005C4C3D
B, xrefs: 005C4BF5
!, xrefs: 005C4BC5
Q, xrefs: 005C4B85

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: !$)$B$Q$u$v$w
API String ID: 0-614236814
Opcode ID: 3b7f4ab4a208292ada3f69a24dd441349c952d78576ab4a6153cd3d00e0c0f13
Instruction ID: 52eea7d7b870407bb6b7d9ff93d234914b6c80a0040ce62269c947e82c9a46c1
Opcode Fuzzy Hash: 3b7f4ab4a208292ada3f69a24dd441349c952d78576ab4a6153cd3d00e0c0f13
Instruction Fuzzy Hash: 7841EF7010C7C1CBD335CA6884AC79ABFE1ABD6324F088A5CE5D90B292C7B95509DB67

Function 005BE2B1 Relevance: 8.8, Strings: 7, Instructions: 65COMMON

Download Yara Rule

Strings

DHB|, xrefs: 005BE2FD
l@e`, xrefs: 005BE2E7
Usr, xrefs: 005BE38F, 005BE393
ySx, xrefs: 005BE358
MmsT, xrefs: 005BE308
I@Fg, xrefs: 005BE2DC
{^w\, xrefs: 005BE2F2

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: DHB|$I@Fg$MmsT$Usr$l@e`$ySx${^w\
API String ID: 0-2781994780
Opcode ID: d6e41a6cf18baabb6e8cb67d77a9a6bff6e86c1c008bbb8b6b0abab65954b9d8
Instruction ID: dd0818aca3a96dcaa3df618381914b158c9395dd2ea615ad08f7ea046f7e3823
Opcode Fuzzy Hash: d6e41a6cf18baabb6e8cb67d77a9a6bff6e86c1c008bbb8b6b0abab65954b9d8
Instruction Fuzzy Hash: D62112B45083818FD324CF65C495B9ABBE1BBC4744F144D1DE5EA8B3A1CB74A80ACF56

Function 0058D883 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0058D834,00000000,?,005E6B48,?,?,?,0058D9D7,00000004,InitializeCriticalSectionEx,0059A800,InitializeCriticalSectionEx), ref: 0058D890
GetLastError.KERNEL32(?,0058D834,00000000,?,005E6B48,?,?,?,0058D9D7,00000004,InitializeCriticalSectionEx,0059A800,InitializeCriticalSectionEx,00000000,?,0058D757), ref: 0058D89A
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0058D8C2

Strings

api-ms-, xrefs: 0058D8A7

Memory Dump Source

Source File: 00000000.00000002.1670735327.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1670717248.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670856493.0000000000599000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 999cd540cd405eeabce98fead5422f7b77018d13d5e8fb31087c6fcecba6b759
Instruction ID: 48883a79de55452ea467b09fe12d0678ab7fc829fcb41fd465394b8f9f11bc00
Opcode Fuzzy Hash: 999cd540cd405eeabce98fead5422f7b77018d13d5e8fb31087c6fcecba6b759
Instruction Fuzzy Hash: 71E04F30280209FBEF502B61EC0BB583FA8BB20B51F204431FD0DF80E0D766E954ABA4

Function 005BEEA0 Relevance: 6.5, Strings: 5, Instructions: 268COMMON

Download Yara Rule

Strings

h=t3, xrefs: 005BF16A
W%L;, xrefs: 005BF15C
W!A', xrefs: 005BF155
h-[#, xrefs: 005BF14E
\9n?, xrefs: 005BF163

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: W!A'$W%L;$\9n?$h-[#$h=t3
API String ID: 0-1876427022
Opcode ID: d4a0183eedbcec72fc9faccd38bb065b82f9f302c599514ef752f4cc02fa0c59
Instruction ID: 56291f5db09d8a1d1c4d1ab9ca50be82c7a784f7c6c111fc3074bf03df39231b
Opcode Fuzzy Hash: d4a0183eedbcec72fc9faccd38bb065b82f9f302c599514ef752f4cc02fa0c59
Instruction Fuzzy Hash: ABB10575200B118FD365CF24C895B97BBE5FB48304F448A2DD5EB8BA81DB75B50ACB84

Function 005C04A0 Relevance: 5.2, Strings: 4, Instructions: 242COMMON

Download Yara Rule

Strings

SYz,, xrefs: 005C0659
9:]I, xrefs: 005C06A9
2%Zc, xrefs: 005C06BD
TYhY, xrefs: 005C06D1

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: 2%Zc$9:]I$SYz,$TYhY
API String ID: 0-2887525975
Opcode ID: 867d6a1f2ebf885864a12db5e28d001c387d0e3474002c68b25a1037bf5d3136
Instruction ID: 6d52a27655b92188468167d77231b2f83c184ca9b47ca1e266cfc4c63ec053ee
Opcode Fuzzy Hash: 867d6a1f2ebf885864a12db5e28d001c387d0e3474002c68b25a1037bf5d3136
Instruction Fuzzy Hash: 359148B4105F818BE7288F25D4A87A3BBE2BF96305F18995CC4EB0B382C7752505CF95

Function 005A0DEF Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

,, xrefs: 005A0FD7
}, xrefs: 005A0ED3
}, xrefs: 005A1004
{, xrefs: 005A0E65

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: ,${$}$}
API String ID: 0-728446245
Opcode ID: 647350696943e9c5b411a443cd1b87a17007b20444049e6207778866511cb5fb
Instruction ID: e44b5e1a795cf61a089c90977f984fd72a8f6de9dfac81d818b2fe3987f6e05c
Opcode Fuzzy Hash: 647350696943e9c5b411a443cd1b87a17007b20444049e6207778866511cb5fb
Instruction Fuzzy Hash: 2E5138B49043098FD7205F259C5872F7FE4BF96348F185938E4C687292E735D904CB96

Function 005BCC85 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

afdx, xrefs: 005BCDD9
|~}x, xrefs: 005BCDED
mfgs, xrefs: 005BCDCF
~pv~, xrefs: 005BCE01

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: afdx$mfgs$|~}x$~pv~
API String ID: 0-695628238
Opcode ID: 11507d8175d1d29e44784b882bbcdbb279b1f375ab6ac0885af2e402e2a0cf14
Instruction ID: 74e6840ffc1e30654cc13c13ea0b8f26357f846cd0b44873ad1ea79b3d9dac8a
Opcode Fuzzy Hash: 11507d8175d1d29e44784b882bbcdbb279b1f375ab6ac0885af2e402e2a0cf14
Instruction Fuzzy Hash: 21512575604B818FD724CF28C4917A7BFE2FB55340F148A2ED0AB8B685D734B845CB99

Function 005A40F0 Relevance: 5.1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

Strings

@/@, xrefs: 005A41C6
/@, xrefs: 005A41BB
/@, xrefs: 005A41B4
P/@, xrefs: 005A41DB

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: /@$ /@$@/@$P/@
API String ID: 0-873909677
Opcode ID: 90ea0fe63ca919318d403ce11a13caa070a2f0a91cfa4d1db11bc91ef7697813
Instruction ID: 9478faed413f468352df44de5df8c95d6fc93dc089aefbfbff9455c8e1d65993
Opcode Fuzzy Hash: 90ea0fe63ca919318d403ce11a13caa070a2f0a91cfa4d1db11bc91ef7697813
Instruction Fuzzy Hash: 0D418BB17106048BDB18CF59C8C47567BE2BBD5328F18C1A9DA058B28ED7B9C989CF81

Function 005B5761 Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

17,4, xrefs: 005B5835
#./,, xrefs: 005B583D
17,4, xrefs: 005B5898
8$, xrefs: 005B5845

Memory Dump Source

Source File: 00000000.00000002.1670872716.00000000005A0000.00000004.00000001.01000000.00000003.sdmp, Offset: 005A0000, based on PE: true

Associated: 00000000.00000002.1670908467.00000000005E8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_445.jbxd

Similarity

API ID:
String ID: #./,$17,4$17,4$8$
API String ID: 0-1726388302
Opcode ID: 2c7d5255162c6dfa8c22f78920da2ff47ec92d9ec8d7e4496b41a6f46a099c67
Instruction ID: 8f0d180a1ff2d9da4e5afd4f3e2852c30f1bf683519e19376d39df2e10f82218
Opcode Fuzzy Hash: 2c7d5255162c6dfa8c22f78920da2ff47ec92d9ec8d7e4496b41a6f46a099c67
Instruction Fuzzy Hash: 584155B1518381ABD318CF14C890B4FBFF0BB86354F946A2CF8C99B251D779D8458B92

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002B_445.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
LisectAVT_2403002B_445.exe

Function 004410E0 Relevance: 49.8, APIs: 1, Strings: 16, Instructions: 20001
librarymemoryloaderCOMMON

Function 007052B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148
nativememoryCOMMON

Function 007057A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
nativememoryCOMMON

Function 0070265F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98
libraryCOMMON

Function 00702E7A Relevance: 3.2, APIs: 2, Instructions: 158
nativememoryCOMMON

Function 00440060 Relevance: 3.1, APIs: 1, Instructions: 1627
COMMON

Function 007023F3 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80
libraryCOMMON

Function 006D8DA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Function 00594B44 Relevance: 4.7, APIs: 3, Instructions: 197
COMMON

Function 00703636 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76
memoryCOMMON

Function 007037BF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
memoryCOMMON

Function 00700A20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45
memoryCOMMON

Function 00591C85 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 00592939 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON