Edit tour

Windows Analysis Report
LisectAVT_2403002A_460.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_460.exe
Analysis ID:	1482238
MD5:	8868668372c27888a5ed9e818683ffcb
SHA1:	9ce00390be0e90cecf89c89cd84d9adf2556e772
SHA256:	15ae2b61648414988ae6e5876738382c62f6c90a325354a7e903348bc8c139be
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_460.exe (PID: 5860 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe" MD5: 8868668372C27888A5ED9E818683FFCB)

Laddonia.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe" MD5: FFF516D7CEF66EF2F8F9494A753E4E06)

RegSvcs.exe (PID: 4712 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

My App.exe (PID: 1252 cmdline: "C:\Users\user\AppData\Roaming\My App\My App.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

My App.exe (PID: 4276 cmdline: "C:\Users\user\AppData\Roaming\My App\My App.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 1568 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

Laddonia.exe (PID: 2180 cmdline: "C:\Users\user\AppData\Local\Dalymore\Laddonia.exe" MD5: FFF516D7CEF66EF2F8F9494A753E4E06)

RegSvcs.exe (PID: 3160 cmdline: "C:\Users\user\AppData\Local\Dalymore\Laddonia.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.agrosparta.gr", "Username": "sales@agrosparta.gr", "Password": "Agrosparta1209"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339f6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a68:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33af2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b84:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bee:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c60:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cf6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d86:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339f6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a68:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33af2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b84:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bee:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c60:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cf6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d86:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0000000E.00000002.4463265835.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.4463265835.00000000030B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3874380957.000000000271C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.3874380957.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.3874380957.00000000026F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Laddonia.exe PID: 5352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Laddonia.exe PID: 5352	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4712	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: Laddonia.exe PID: 2180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Laddonia.exe PID: 2180	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3160	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegSvcs.exe.3b0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.3b0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegSvcs.exe.3b0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339f6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a68:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33af2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b84:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bee:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c60:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cf6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d86:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.Laddonia.exe.1190000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Laddonia.exe.1190000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.Laddonia.exe.1190000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339f6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a68:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33af2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b84:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bee:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c60:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cf6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d86:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
13.2.Laddonia.exe.1190000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.Laddonia.exe.1190000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.Laddonia.exe.1190000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bf6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c68:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31cf2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d84:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dee:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e60:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ef6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f86:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.Laddonia.exe.35d0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Laddonia.exe.35d0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Laddonia.exe.35d0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31bf6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31c68:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31cf2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31d84:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31dee:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31e60:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ef6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31f86:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.Laddonia.exe.35d0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.Laddonia.exe.35d0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
5.2.Laddonia.exe.35d0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x339f6:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33a68:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33af2:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33b84:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33bee:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33c60:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33cf6:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33d86:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs" , ProcessId: 1568, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\My App\My App.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 78.46.216.122, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4712, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 54050

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs" , ProcessId: 1568, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe, ProcessId: 5352, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T19:52:00.788954+0200
SID:	2022930
Source Port:	443
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T19:52:28.697762+0200
SID:	2022930
Source Port:	443
Destination Port:	54048
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_460.exe

Avira: detected

Found malware configuration

Source: 6.2.RegSvcs.exe.3b0000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.agrosparta.gr", "Username": "sales@agrosparta.gr", "Password": "Agrosparta1209"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_460.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_460.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:54049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:54051 version: TLS 1.2

Source:	Binary string: RegSvcs.pdb, source: My App.exe, 00000008.00000000.3672864543.00000000003F2000.00000002.00000001.01000000.00000007.sdmp, My App.exe.6.dr
Source:	Binary string: wntdll.pdbUGP source: Laddonia.exe, 00000005.00000003.3570721282.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 00000005.00000003.3570445615.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 0000000D.00000003.3870792223.0000000003900000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 0000000D.00000003.3869735852.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Laddonia.exe, 00000005.00000003.3570721282.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 00000005.00000003.3570445615.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 0000000D.00000003.3870792223.0000000003900000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 0000000D.00000003.3869735852.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: My App.exe, 00000008.00000000.3672864543.00000000003F2000.00000002.00000001.01000000.00000007.sdmp, My App.exe.6.dr

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B6DBBE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B3C2A2 FindFirstFileExW,	0_2_00B3C2A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B768EE FindFirstFileW,FindClose,	0_2_00B768EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00B7698F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B6D076
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B6D3A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B79642
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7979D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00B79B2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B75C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00B75C97
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0076DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_0076DBBE
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0073C2A2 FindFirstFileExW,	5_2_0073C2A2
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_007768EE FindFirstFileW,FindClose,	5_2_007768EE
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0077698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_0077698F
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0076D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_0076D076
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0076D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_0076D3A9
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00779642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00779642
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0077979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0077979D
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00779B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_00779B2B
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00775C97 FindFirstFileW,FindNextFileW,FindClose,	5_2_00775C97

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:54050 -> 78.46.216.122:587

Source: Joe Sandbox View	IP Address: 78.46.216.122 78.46.216.122
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:54050 -> 78.46.216.122:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B7CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00B7CE44

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.agrosparta.gr

Source: RegSvcs.exe, 00000006.00000002.3874380957.000000000271C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agrosparta.gr
Source: RegSvcs.exe, 00000006.00000002.3874380957.0000000002724000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3873093408.000000000086B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4462252618.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000006.00000002.3878356934.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4466977200.000000000657F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4461846445.0000000001366000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000006.00000002.3874380957.0000000002724000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3873093408.000000000086B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4466977200.000000000657F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000006.00000002.3874380957.0000000002724000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3873093408.000000000086B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4466977200.0000000006550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe, 00000006.00000002.3874380957.000000000271C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.agrosparta.gr
Source: RegSvcs.exe, 00000006.00000002.3874380957.0000000002724000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3873093408.000000000086B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4466977200.000000000657F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4462252618.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4466977200.0000000006550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000006.00000002.3874380957.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.000000000306C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Laddonia.exe, 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Laddonia.exe, 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Laddonia.exe, 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3874380957.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Laddonia.exe, 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.000000000306C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000006.00000002.3874380957.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.000000000306C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000006.00000002.3874380957.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.000000000306C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000006.00000002.3874380957.0000000002724000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3873093408.000000000086B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4466977200.0000000006550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54049
Source: unknown	Network traffic detected: HTTP traffic on port 54051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 54051
Source: unknown	Network traffic detected: HTTP traffic on port 54049 -> 443

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:54049 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:54051 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, NDL2m67zO.cs	.Net Code: _8q7P
Source: 13.2.Laddonia.exe.1190000.1.raw.unpack, NDL2m67zO.cs	.Net Code: _8q7P

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B7EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B7EAFF

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B7ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00B7ED6A
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0077ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_0077ED6A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

0_2_00B7EAFF

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B6AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00B6AA57

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B99576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00B99576
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00799576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		5_2_00799576

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Laddonia.exe.1190000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 13.2.Laddonia.exe.1190000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.Laddonia.exe.35d0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: LisectAVT_2403002A_460.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LisectAVT_2403002A_460.exe, 00000000.00000003.3529633667.0000000003D71000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_03e20a85-b
Source: LisectAVT_2403002A_460.exe, 00000000.00000003.3529633667.0000000003D71000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3a9f9bf0-8
Source: LisectAVT_2403002A_460.exe, 00000000.00000000.2014527317.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c5ad79f9-c
Source: LisectAVT_2403002A_460.exe, 00000000.00000000.2014527317.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8cf02886-2
Source: Laddonia.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Laddonia.exe, 00000005.00000000.3542239542.00000000007C2000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5d6980f0-3
Source: Laddonia.exe, 00000005.00000000.3542239542.00000000007C2000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_de3a025d-8
Source: Laddonia.exe, 0000000D.00000000.3845690072.00000000007C2000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4b01923a-c
Source: Laddonia.exe, 0000000D.00000000.3845690072.00000000007C2000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_109848c6-e
Source: LisectAVT_2403002A_460.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d4483776-2
Source: LisectAVT_2403002A_460.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e44162d8-d
Source: Laddonia.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_11b3194f-0
Source: Laddonia.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_590d1277-4

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B6D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B6D5EB

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B61201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B61201

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B6E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00B6E8F6
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0076E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		5_2_0076E8F6

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B08060	0_2_00B08060
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B72046	0_2_00B72046
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B68298	0_2_00B68298
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B3E4FF	0_2_00B3E4FF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B3676B	0_2_00B3676B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B94873	0_2_00B94873
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B2CAA0	0_2_00B2CAA0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B0CAF0	0_2_00B0CAF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B1CC39	0_2_00B1CC39
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B36DD9	0_2_00B36DD9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B091C0	0_2_00B091C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B1B119	0_2_00B1B119
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B21394	0_2_00B21394
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B21706	0_2_00B21706
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B2781B	0_2_00B2781B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B219B0	0_2_00B219B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B07920	0_2_00B07920
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B1997D	0_2_00B1997D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B27A4A	0_2_00B27A4A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B27CA7	0_2_00B27CA7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B21C77	0_2_00B21C77
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B39EEE	0_2_00B39EEE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B8BE44	0_2_00B8BE44
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B21F32	0_2_00B21F32
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00DC3790	0_2_00DC3790
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00708060	5_2_00708060
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00772046	5_2_00772046
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00768298	5_2_00768298
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0073E4FF	5_2_0073E4FF
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0073676B	5_2_0073676B
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00794873	5_2_00794873
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0070CAF0	5_2_0070CAF0
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0072CAA0	5_2_0072CAA0
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0071CC39	5_2_0071CC39
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00736DD9	5_2_00736DD9
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0071B119	5_2_0071B119
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_007091C0	5_2_007091C0
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00721394	5_2_00721394
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00721706	5_2_00721706
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0072781B	5_2_0072781B
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0071997D	5_2_0071997D
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00707920	5_2_00707920
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_007219B0	5_2_007219B0
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00727A4A	5_2_00727A4A
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00721C77	5_2_00721C77
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00727CA7	5_2_00727CA7
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0078BE44	5_2_0078BE44
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00739EEE	5_2_00739EEE
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0070BF40	5_2_0070BF40
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00721F32	5_2_00721F32
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_01F23790	5_2_01F23790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_024BE050	6_2_024BE050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_024BEA31	6_2_024BEA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_024B4AA8	6_2_024B4AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_024B3E90	6_2_024B3E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_024B41D8	6_2_024B41D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_024BAD08	6_2_024BAD08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060A6608	6_2_060A6608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060ACF50	6_2_060ACF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060A3478	6_2_060A3478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060A7D90	6_2_060A7D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060A55B0	6_2_060A55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060AB230	6_2_060AB230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060AC188	6_2_060AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060A76B0	6_2_060A76B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060A5CEB	6_2_060A5CEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060AE3B0	6_2_060AE3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_060A0040	6_2_060A0040
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 13_2_009F3790	13_2_009F3790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_0153E050	14_2_0153E050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_0153EA31	14_2_0153EA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_01534AA8	14_2_01534AA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_0153ACF7	14_2_0153ACF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_01533E90	14_2_01533E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_015341D8	14_2_015341D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05BDACDC	14_2_05BDACDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05BDC050	14_2_05BDC050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05BD96B0	14_2_05BD96B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05BDDBF0	14_2_05BDDBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A66600	14_2_06A66600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A63470	14_2_06A63470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A655A8	14_2_06A655A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A6B228	14_2_06A6B228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A6C180	14_2_06A6C180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A67D88	14_2_06A67D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A676A8	14_2_06A676A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A6E3A8	14_2_06A6E3A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A60040	14_2_06A60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_06A65CE3	14_2_06A65CE3

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: String function: 0071F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: String function: 00709CB3 appears 31 times
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: String function: 00720A30 appears 46 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: String function: 00B20A30 appears 46 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: String function: 00B09CB3 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: String function: 00B1F9F2 appears 40 times

Source: LisectAVT_2403002A_460.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 6.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Laddonia.exe.1190000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 13.2.Laddonia.exe.1190000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.Laddonia.exe.35d0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, OTWUo99bfyR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, OTWUo99bfyR.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, Ui9qhZiA7.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, Ui9qhZiA7.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, BqMB7yHhrXg.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@14/14@2/2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B737B5 GetLastError,FormatMessageW,

0_2_00B737B5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B610BF AdjustTokenPrivileges,CloseHandle,	0_2_00B610BF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00B616C3
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_007610BF AdjustTokenPrivileges,CloseHandle,	5_2_007610BF
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_007616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	5_2_007616C3

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B751CD

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B8A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B8A67C

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B7648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00B7648E

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B042A2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

File created: C:\Users\user\AppData\Local\Dalymore

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

File created: C:\Users\user\AppData\Local\Temp\aut1BC1.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs"

Source: LisectAVT_2403002A_460.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Process created: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\My App\My App.exe "C:\Users\user\AppData\Roaming\My App\My App.exe"
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\My App\My App.exe "C:\Users\user\AppData\Roaming\My App\My App.exe"
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe "C:\Users\user\AppData\Local\Dalymore\Laddonia.exe"
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dalymore\Laddonia.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Process created: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe "C:\Users\user\AppData\Local\Dalymore\Laddonia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dalymore\Laddonia.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\My App\My App.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: LisectAVT_2403002A_460.exe

Static file information: File size 1143820 > 1048576

Source: LisectAVT_2403002A_460.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002A_460.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002A_460.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002A_460.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002A_460.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002A_460.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LisectAVT_2403002A_460.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegSvcs.pdb, source: My App.exe, 00000008.00000000.3672864543.00000000003F2000.00000002.00000001.01000000.00000007.sdmp, My App.exe.6.dr
Source:	Binary string: wntdll.pdbUGP source: Laddonia.exe, 00000005.00000003.3570721282.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 00000005.00000003.3570445615.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 0000000D.00000003.3870792223.0000000003900000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 0000000D.00000003.3869735852.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Laddonia.exe, 00000005.00000003.3570721282.0000000003C80000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 00000005.00000003.3570445615.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 0000000D.00000003.3870792223.0000000003900000.00000004.00001000.00020000.00000000.sdmp, Laddonia.exe, 0000000D.00000003.3869735852.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: My App.exe, 00000008.00000000.3672864543.00000000003F2000.00000002.00000001.01000000.00000007.sdmp, My App.exe.6.dr

Source: LisectAVT_2403002A_460.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002A_460.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002A_460.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002A_460.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002A_460.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B042DE

Source: LisectAVT_2403002A_460.exe

Static PE information: real checksum: 0x121117 should be: 0x121123

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B20A76 push ecx; ret	0_2_00B20A89
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00720A76 push ecx; ret	5_2_00720A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_024B0C55 push edi; retf	6_2_024B0C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 14_2_05BD53E0 push es; ret	14_2_05BD53F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\My App\My App.exe			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	File created: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe			Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run My App			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run My App			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\My App\My App.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\My App\My App.exe:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B1F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00B1F98E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B91C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00B91C41
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0071F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	5_2_0071F98E
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00791C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	5_2_00791C41

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-99475

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	API/Special instruction interceptor: Address: 1F233B4
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	API/Special instruction interceptor: Address: 9F33B4

Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Memory allocated: 2510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Memory allocated: 2510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Memory allocated: 7D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Memory allocated: 2310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Memory allocated: 4310000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7361	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1299	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7843	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	API coverage: 3.9 %
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	API coverage: 4.1 %

Source: C:\Users\user\AppData\Roaming\My App\My App.exe TID: 7120	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe TID: 5948	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B6DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B6DBBE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B3C2A2 FindFirstFileExW,	0_2_00B3C2A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B768EE FindFirstFileW,FindClose,	0_2_00B768EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B7698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00B7698F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B6D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B6D076
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B6D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B6D3A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B79642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B79642
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B7979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7979D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B79B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00B79B2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B75C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00B75C97
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0076DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_0076DBBE
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0073C2A2 FindFirstFileExW,	5_2_0073C2A2
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_007768EE FindFirstFileW,FindClose,	5_2_007768EE
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0077698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_0077698F
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0076D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_0076D076
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0076D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_0076D3A9
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00779642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_00779642
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0077979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0077979D
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00779B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_00779B2B
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00775C97 FindFirstFileW,FindNextFileW,FindClose,	5_2_00775C97

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B042DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98074	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97967	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97853	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97070	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96419	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95763	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97572	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97464	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: RegSvcs.exe, 0000000E.00000002.4466977200.000000000656D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: RegSvcs.exe, 00000006.00000002.3878356934.0000000005AF2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B7EAA2 BlockInput,

0_2_00B7EAA2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B32622

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B042DE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B24CE8 mov eax, dword ptr fs:[00000030h]	0_2_00B24CE8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00DC3680 mov eax, dword ptr fs:[00000030h]	0_2_00DC3680
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00DC3620 mov eax, dword ptr fs:[00000030h]	0_2_00DC3620
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00DC1EE0 mov eax, dword ptr fs:[00000030h]	0_2_00DC1EE0
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00724CE8 mov eax, dword ptr fs:[00000030h]	5_2_00724CE8
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_01F23680 mov eax, dword ptr fs:[00000030h]	5_2_01F23680
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_01F23620 mov eax, dword ptr fs:[00000030h]	5_2_01F23620
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_01F21EE0 mov eax, dword ptr fs:[00000030h]	5_2_01F21EE0
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 13_2_009F3680 mov eax, dword ptr fs:[00000030h]	13_2_009F3680
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 13_2_009F3620 mov eax, dword ptr fs:[00000030h]	13_2_009F3620
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 13_2_009F1EE0 mov eax, dword ptr fs:[00000030h]	13_2_009F1EE0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B60B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00B60B62

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B32622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B32622
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B2083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B2083F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B209D5 SetUnhandledExceptionFilter,	0_2_00B209D5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B20C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B20C21
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00732622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00732622
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_0072083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0072083F
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_007209D5 SetUnhandledExceptionFilter,	5_2_007209D5
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00720C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00720C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 408008			Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EDB008			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

0_2_00B61201

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B42BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B42BA5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B6B226 SendInput,keybd_event,

0_2_00B6B226

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00B822DA

Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe "C:\Users\user\AppData\Local\Dalymore\Laddonia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Dalymore\Laddonia.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

0_2_00B60B62

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B61663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B61663

Source: LisectAVT_2403002A_460.exe, Laddonia.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LisectAVT_2403002A_460.exe, Laddonia.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B20698 cpuid

0_2_00B20698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Users\user\AppData\Roaming\My App\My App.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Users\user\AppData\Roaming\My App\My App.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\My App\My App.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B78195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00B78195

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B5D27A GetUserNameW,

0_2_00B5D27A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B3B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00B3B952

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Code function: 0_2_00B042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B042DE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 6.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Laddonia.exe.1190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Laddonia.exe.1190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Laddonia.exe.35d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4463265835.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3874380957.000000000271C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3874380957.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Laddonia.exe PID: 5352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Laddonia.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3160, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Laddonia.exe	Binary or memory string: WIN_81
Source: Laddonia.exe	Binary or memory string: WIN_XP
Source: Laddonia.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Laddonia.exe	Binary or memory string: WIN_XPe
Source: Laddonia.exe	Binary or memory string: WIN_VISTA
Source: Laddonia.exe	Binary or memory string: WIN_7
Source: Laddonia.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 6.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Laddonia.exe.1190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Laddonia.exe.1190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Laddonia.exe.35d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4463265835.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3874380957.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Laddonia.exe PID: 5352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Laddonia.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3160, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 6.2.RegSvcs.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Laddonia.exe.1190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Laddonia.exe.1190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Laddonia.exe.35d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.Laddonia.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4463265835.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3874380957.000000000271C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3874380957.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Laddonia.exe PID: 5352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Laddonia.exe PID: 2180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3160, type: MEMORYSTR

Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B81204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00B81204
Source: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe	Code function: 0_2_00B81806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00B81806
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00781204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	5_2_00781204
Source: C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	Code function: 5_2_00781806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	5_2_00781806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	121 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	21 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	331 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	241 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	241 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_460.exe	100%	Avira	TR/AVI.AgentTesla.ereit
LisectAVT_2403002A_460.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Dalymore\Laddonia.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://agrosparta.gr	0%	Avira URL Cloud	safe
http://mail.agrosparta.gr	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	unknown
agrosparta.gr	78.46.216.122	true	true	unknown
mail.agrosparta.gr	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	Laddonia.exe, 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3874380957.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Laddonia.exe, 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.000000000306C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	RegSvcs.exe, 00000006.00000002.3874380957.0000000002724000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3873093408.000000000086B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4466977200.0000000006550000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.agrosparta.gr	RegSvcs.exe, 00000006.00000002.3874380957.000000000271C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	Laddonia.exe, 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Laddonia.exe, 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	RegSvcs.exe, 00000006.00000002.3874380957.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.000000000306C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://agrosparta.gr	RegSvcs.exe, 00000006.00000002.3874380957.000000000271C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000006.00000002.3874380957.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.4463265835.000000000306C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.46.216.122	agrosparta.gr	Germany		24940	HETZNER-ASDE	true
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482238
Start date and time:	2024-07-25 19:50:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_460.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@14/14@2/2
EGA Information:	Successful, ratio: 71.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 55 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target My App.exe, PID 1252 because it is empty
Execution Graph export aborted for target My App.exe, PID 4276 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002A_460.exe

Simulations

Behavior and APIs

Time	Type	Description
13:54:16	API Interceptor	88x Sleep call for process: RegSvcs.exe modified
19:54:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run My App C:\Users\user\AppData\Roaming\My App\My App.exe
19:54:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run My App C:\Users\user\AppData\Roaming\My App\My App.exe
19:54:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
78.46.216.122	SOA 820527940511.cmd.exe	Get hash	malicious	AgentTesla	Browse
	CM9pu6tBCT.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	SecuriteInfo.com.Win32.PWSX-gen.11497.7966.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.25288.2891.exe	Get hash	malicious	AgentTesla	Browse
	Pitsn.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
104.26.13.205	SecuriteInfo.com.Win64.Evo-gen.28044.10443.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	vstdlib_s64.dll.dll	Get hash	malicious	Quasar	Browse	api.ipify.org/
	golang-modules.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	242764.exe	Get hash	malicious	Ficker Stealer, Rusty Stealer	Browse	api.ipify.org/?format=wef
	Ransom.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ld.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json
	SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe	Get hash	malicious	PureLog Stealer, Targeted Ransomware	Browse	api.ipify.org/
	Sky-Beta-Setup.exe	Get hash	malicious	Stealit	Browse	api.ipify.org/?format=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	LisectAVT_2403002A_481.exe	Get hash	malicious	Luna Grabber, Luna Logger	Browse	104.26.12.205
	LisectAVT_2403002A_63.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_59.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_74.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SWIFT COPY.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Re_ Q22689 - 07.24.2024_Conduit Construction Network Ltd_Today.eml	Get hash	malicious	Unknown	Browse	172.67.74.152
	LisectAVT_2403002B_385.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	104.26.12.205
	LisectAVT_2403002B_390.exe	Get hash	malicious	AgentTesla, Bdaejec	Browse	104.26.13.205
	DEBIT NOTE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002B_444.exe	Get hash	malicious	Discord Token Stealer, NitroRansomware	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	https://l.facebook.com/l.php?u=https%3A%2F%2Fnutramart.store%2F%3Flabel%3D5efe465a4dbe59fbb290a966697fc1cd%26utm_medium%3Dpaid%26utm_source%3Dfb%26utm_id%3D6599688580361%26utm_content%3D6599688599961%26utm_term%3D6599688590961%26utm_campaign%3D6599688580361%26fbclid%3DIwZXh0bgNhZW0BMAABHdzmJULh8TsQt3pW_qnmIXPFdqLqBaBKW5T-aZYxDkCqac1lwtitUH-fNw_aem_UoCoKjZX08yMSHQS1Rk-lA&h=AT2Rbdo290L85DwdtmvCHSaYZeZQw6zVRZwOCmLUor4sXK9slv2_8Xz3sNHtiR9yk_5i3WV0TyI-vvISy2qX4eX89xJtn5joKswTFrWNikf-8BbcY1c3OSbcsV7ioNYHeRE&__tn__=%2CmH-R&c%5B0%5D=AT1zpbOywPCbT61x3IUZxcKH5NMmiyOktbAovmzxAnO3GQxZoE9RLlfDBYeXTFE8UxKMEzW4i7Rw_yO3qxx7WfbLZEKXf2a_gqDGEIqK5xACO326D8DwbL9YKGpFirOaXzMC_oPb4wgEghT5w108ehD0lVOUa18OX2Yna4VvaAaIUpPjAkk9gOhJw0AtcNc8dmXxzoPXiUwIYEI1VCwKUmK1G_lmEdu24Iq9UJ_ic75uGIJuxQwEttfLYZ0HqkC3D8EpDSqIjHE7T12pe_syL5VjKXEGR6hZ3F-YEVJbiZGhU5diMWZAvsPL2bUpvSMNWrEu14yqnXQK7Z-1xnZRSbLWmzHp53sdCj21	Get hash	malicious	Unknown	Browse	195.201.57.90
	LisectAVT_2403002B_109.exe	Get hash	malicious	Blackshades	Browse	135.181.235.186
	LisectAVT_2403002B_209.exe	Get hash	malicious	Bdaejec, RHADAMANTHYS	Browse	49.13.171.182
	https://yti.com/	Get hash	malicious	Unknown	Browse	148.251.136.139
	LisectAVT_2403002B_272.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	128.140.125.116
	LisectAVT_2403002B_303.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	188.40.141.211
	LisectAVT_2403002B_302.exe	Get hash	malicious	Bdaejec, Emotet	Browse	136.243.205.112
	LisectAVT_2403002B_344.exe	Get hash	malicious	Bdaejec, Vidar	Browse	78.47.233.145
	LisectAVT_2403002B_38.exe	Get hash	malicious	Sality	Browse	195.201.126.132
	LisectAVT_2403002B_48.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	88.198.117.174
CLOUDFLARENETUS	https://pe-0018d001.gslb.pphosted.com/formpostdir/securereader?id=InqYOBv1z8Zgkk9IGNL78RxMhEjapiNG&brand=f22a3440	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://app.emaze.com/@ALILOQRCF/urban-equation-corporation	Get hash	malicious	Unknown	Browse	172.67.188.53
	LisectAVT_2403002A_481.exe	Get hash	malicious	Luna Grabber, Luna Logger	Browse	104.26.12.205
	LisectAVT_2403002A_496.exe	Get hash	malicious	Unknown	Browse	162.159.135.233
	https://we.tl/t-RErWU1YgQS	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://link.edgepilot.com/s/ffd2b499/yDWVkbNI4U2Q4sOU_SttcQ?u=https://app.smartdraw.com/share.aspx/?pubDocShare=ADCD2AD01498233B06F10716AAA07D9C1E6	Get hash	malicious	Unknown	Browse	104.18.11.207
	LisectAVT_2403002A_496.exe	Get hash	malicious	Unknown	Browse	162.159.133.233
	LisectAVT_2403002A_51.exe	Get hash	malicious	Stealerium	Browse	162.159.128.233
	LisectAVT_2403002A_63.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	LisectAVT_2403002A_59.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	LisectAVT_2403002A_496.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://we.tl/t-RErWU1YgQS	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://link.edgepilot.com/s/ffd2b499/yDWVkbNI4U2Q4sOU_SttcQ?u=https://app.smartdraw.com/share.aspx/?pubDocShare=ADCD2AD01498233B06F10716AAA07D9C1E6	Get hash	malicious	Unknown	Browse	104.26.13.205
	LisectAVT_2403002A_496.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	LisectAVT_2403002A_51.exe	Get hash	malicious	Stealerium	Browse	104.26.13.205
	LisectAVT_2403002A_63.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_59.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	LisectAVT_2403002A_74.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://i2a.ampygman.com/kv1PX/#Dbharrison@burnsmcd.com	Get hash	malicious	Unknown	Browse	104.26.13.205
	New Order.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.13.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\My App\My App.exe	LisectAVT_2403002B_289.exe	Get hash	malicious	Nanocore	Browse
	Shipping Documents 7003829465.exe	Get hash	malicious	AgentTesla	Browse
	SKM_C335019110710XX620.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Bank Slip.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse
	Remittance INV HSBC ref 072324678.exe	Get hash	malicious	AgentTesla	Browse
	Shipping Documents 88768092140.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	INV PAYMENT RECEIPT.exe	Get hash	malicious	AgentTesla	Browse
	0ssZjk1OSj.exe	Get hash	malicious	Remcos	Browse
	41hKUw86xp.exe	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Dalymore\Laddonia.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_460.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	116487180
Entropy (8bit):	7.999614238708887
Encrypted:	true
SSDEEP:	393216:S3dRuAAOivLkUGChUEScn5Z5MAA54RsPcScXTtFAys0G4BpI6FNJ4NOoBBtS4p1R:CQjAl/8lu7nlc3Y1FwP9Jq7efC8te
MD5:	FFF516D7CEF66EF2F8F9494A753E4E06
SHA1:	E74EC56518F6FE7F8B4D54B65C6B01103BA573BF
SHA-256:	6EFF4CF677D768DB95435328F95E08F1ACA227E63AE4511C73C9F02DD5E4B74D
SHA-512:	FCD503CB478953A3E4FA98DB377C082A2367E30209E4D5EADCE820AEAD13CF6AF974D130C33CBA86204BF98F7700D4C7BBA57DEF03AF3819441271D69D5BD24D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...@..f..........".................w.............@.......................................@...@.......@.....................d...\|....@..x....................P...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...x....@......................@..@.reloc...u...P...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\My App.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\My App\My App.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\aut1BC1.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_460.exe
File Type:	data
Category:	dropped
Size (bytes):	137232
Entropy (8bit):	7.847838443443467
Encrypted:	false
SSDEEP:	3072:IZ3+XR/WSljohWOIJERMVNDst3xsnWBooYmzkWBhCnbEs:IR9SKgOIE6NDrnWBoo6WBh7s
MD5:	29F3D36526329B2EBF81DCAA6746F8EA
SHA1:	2F83F276045FDCC014894C2AAEEBC604C9287737
SHA-256:	435A24C95137E03B28F1CE594827BA7978C1CA8DA2A14423E6CFAFE37BED46C8
SHA-512:	EED337AAC9B39EE8B2347E9B71E6BE3617509761185E77B94842A6DA2ED301201FE3391488B4457A95EAE497119354C1E545FF0B0E6A3D49522C595E688CA3BE
Malicious:	false
Reputation:	low
Preview:	EA06.....@......7..(4}6..O...p..3X.S.......}]...sZ.Nf..F....VHu~.7...sy...(.U.\|.[x.J..y}f/-...x....T.4.e6....<..G..h...b.Q.`.^.X.O(..=g.E..........(.a.....`..Q.4z..Ff`..... ..kE.l..J...H.$iSy.P.c.p....5....1.Qi......B...B? ...A..@.;Q.Q....N.f3.}..0...63...+@...^.Z..f.)...0...?...!.6\|.z%..w.H.u.5jo;.....`z.@.............L.N3Z%....Q).{.no4.$+..5&n.....?.......d..-V....d\|.&..U.a.K...T.H...U..W.nwY}..[@._..i.....T;.\|>va...../;......4.Y..]..}....o6..f'..}..V..?....._....blV-..S..P.p.f.a..N...Zk..Q)4.s4.c.......as./.wC^.B..J.&....9...m.O.9...I.$'.....0.........V@......\@.3..."@....0......jKI.n~.......Z^..{).y9.}..E...h..rw`..=.......E85yv....\9....[3.i$.y..)...+...kB.M'w.\|3O..[.....kC...ZD....E.........h.o.F.>.N.`1.....0.c.O..H.z'.......](.a...8....wU..l39..i.J.........,..,.D.y....3.......n.M....w...k.....5.G...4r.7..T.T..X.R.z.&.D..d..5>gG.I&.J]....X&.Z...D..d.....D..'.....M.N$3y........./BmD.Tt....mo.G. ....P.....K.F....B/7.P..jv.!...Z.V.{..$....

C:\Users\user\AppData\Local\Temp\aut1C00.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_460.exe
File Type:	data
Category:	dropped
Size (bytes):	10068
Entropy (8bit):	7.598665644644243
Encrypted:	false
SSDEEP:	192:QNAVE5kepr+mdAybEqwka1AnzHxcu7F/q05PWS0qTVzio0mqjJ6p03y4CjhuN:QNAjep+m/ErBmnT7F95SEeDntI03z
MD5:	BB30812E82DB2C890B1BAAE88C4FBFA7
SHA1:	AB820995644BB5C1EC8A1312C06B26418DEC89D7
SHA-256:	B86BA8472E259E3DB2D55D4652F8E2FC7146B90A44D8925FF110B37A69801B43
SHA-512:	7818C8C31522F1496E03E5A505B8440BA6DB489F61F65870988EAC5E6B3A04B30742BAE930AF26300F38887D0E994C1F7C58F25F4BAEB7612352C5235762FC3B
Malicious:	false
Preview:	EA06..t..Nh3*,.5......7..&TY..k5.X..9...c....)...5.Mf.)......&.i..s4..&.)..j.%. ..a......N...(...a.6.,v+....m.YlS........s3.Z...9.X.3 ...f....a4.6.&.........6\|s...gc.0....T...4.Y..`...k....l.1../.q5.N..2....$......x. ..$h.3.....#`...Mf...L.d.!...Mf.....' .Y...n.....0.N&.....d.U..&.<...l.U..'.5_....U..,`5_....U..f.5_..d.U.(..1......V...Nf.`..N&.`..M.^....j.7..$zn.....r..... !..Y&.G[....A6...f../.n.u.M.`>_L........)@...[..a6...z.2.... =........K<.l...$..6.{......0......r\|3K%....L.6>....4...l......_......4\|.+(.7.c...\|3K%.d....f.9....c..i\|v0F...a.l.,`.\..lsy...4.Y.o...mc..,s.$.k3.....f...`.....fcb..l.i....l..np..Y.....M..14.X@..4.......7d.N..;c...,.8.'.!....@!....f .....0.......Brb.....f.)...b..@!...g,. ....36.M&V`.......vd.....l3.,...B.B3p.N...;3.X..Q7...&..8.....f`...M.'I...x..C.....,vh...4.c9.L..@....`...g.,58..,.+..E3.....c.P..Y,3.....`Nf...N.@.;5.X.c9.w.!....f......n...X@A.$...`...g..38.X..I..(...Xl.b.,...#V9..s9..@!...Gf.....,fac.Y' !@.#5.....c........$....~

C:\Users\user\AppData\Local\Temp\aut70BD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Dalymore\Laddonia.exe
File Type:	data
Category:	dropped
Size (bytes):	137232
Entropy (8bit):	7.847838443443467
Encrypted:	false
SSDEEP:	3072:IZ3+XR/WSljohWOIJERMVNDst3xsnWBooYmzkWBhCnbEs:IR9SKgOIE6NDrnWBoo6WBh7s
MD5:	29F3D36526329B2EBF81DCAA6746F8EA
SHA1:	2F83F276045FDCC014894C2AAEEBC604C9287737
SHA-256:	435A24C95137E03B28F1CE594827BA7978C1CA8DA2A14423E6CFAFE37BED46C8
SHA-512:	EED337AAC9B39EE8B2347E9B71E6BE3617509761185E77B94842A6DA2ED301201FE3391488B4457A95EAE497119354C1E545FF0B0E6A3D49522C595E688CA3BE
Malicious:	false
Preview:	EA06.....@......7..(4}6..O...p..3X.S.......}]...sZ.Nf..F....VHu~.7...sy...(.U.\|.[x.J..y}f/-...x....T.4.e6....<..G..h...b.Q.`.^.X.O(..=g.E..........(.a.....`..Q.4z..Ff`..... ..kE.l..J...H.$iSy.P.c.p....5....1.Qi......B...B? ...A..@.;Q.Q....N.f3.}..0...63...+@...^.Z..f.)...0...?...!.6\|.z%..w.H.u.5jo;.....`z.@.............L.N3Z%....Q).{.no4.$+..5&n.....?.......d..-V....d\|.&..U.a.K...T.H...U..W.nwY}..[@._..i.....T;.\|>va...../;......4.Y..]..}....o6..f'..}..V..?....._....blV-..S..P.p.f.a..N...Zk..Q)4.s4.c.......as./.wC^.B..J.&....9...m.O.9...I.$'.....0.........V@......\@.3..."@....0......jKI.n~.......Z^..{).y9.}..E...h..rw`..=.......E85yv....\9....[3.i$.y..)...+...kB.M'w.\|3O..[.....kC...ZD....E.........h.o.F.>.N.`1.....0.c.O..H.z'.......](.a...8....wU..l39..i.J.........,..,.D.y....3.......n.M....w...k.....5.G...4r.7..T.T..X.R.z.&.D..d..5>gG.I&.J]....X&.Z...D..d.....D..'.....M.N$3y........./BmD.Tt....mo.G. ....P.....K.F....B/7.P..jv.!...Z.V.{..$....

C:\Users\user\AppData\Local\Temp\aut713B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Dalymore\Laddonia.exe
File Type:	data
Category:	dropped
Size (bytes):	10068
Entropy (8bit):	7.598665644644243
Encrypted:	false
SSDEEP:	192:QNAVE5kepr+mdAybEqwka1AnzHxcu7F/q05PWS0qTVzio0mqjJ6p03y4CjhuN:QNAjep+m/ErBmnT7F95SEeDntI03z
MD5:	BB30812E82DB2C890B1BAAE88C4FBFA7
SHA1:	AB820995644BB5C1EC8A1312C06B26418DEC89D7
SHA-256:	B86BA8472E259E3DB2D55D4652F8E2FC7146B90A44D8925FF110B37A69801B43
SHA-512:	7818C8C31522F1496E03E5A505B8440BA6DB489F61F65870988EAC5E6B3A04B30742BAE930AF26300F38887D0E994C1F7C58F25F4BAEB7612352C5235762FC3B
Malicious:	false
Preview:	EA06..t..Nh3*,.5......7..&TY..k5.X..9...c....)...5.Mf.)......&.i..s4..&.)..j.%. ..a......N...(...a.6.,v+....m.YlS........s3.Z...9.X.3 ...f....a4.6.&.........6\|s...gc.0....T...4.Y..`...k....l.1../.q5.N..2....$......x. ..$h.3.....#`...Mf...L.d.!...Mf.....' .Y...n.....0.N&.....d.U..&.<...l.U..'.5_....U..,`5_....U..f.5_..d.U.(..1......V...Nf.`..N&.`..M.^....j.7..$zn.....r..... !..Y&.G[....A6...f../.n.u.M.`>_L........)@...[..a6...z.2.... =........K<.l...$..6.{......0......r\|3K%....L.6>....4...l......_......4\|.+(.7.c...\|3K%.d....f.9....c..i\|v0F...a.l.,`.\..lsy...4.Y.o...mc..,s.$.k3.....f...`.....fcb..l.i....l..np..Y.....M..14.X@..4.......7d.N..;c...,.8.'.!....@!....f .....0.......Brb.....f.)...b..@!...g,. ....36.M&V`.......vd.....l3.,...B.B3p.N...;3.X..Q7...&..8.....f`...M.'I...x..C.....,vh...4.c9.L..@....`...g.,58..,.+..E3.....c.P..Y,3.....`Nf...N.@.;5.X.c9.w.!....f......n...X@A.$...`...g..38.X..I..(...Xl.b.,...#V9..s9..@!...Gf.....,fac.Y' !@.#5.....c........$....~

C:\Users\user\AppData\Local\Temp\autE716.tmp

Download File

Process:	C:\Users\user\AppData\Local\Dalymore\Laddonia.exe
File Type:	data
Category:	dropped
Size (bytes):	137232
Entropy (8bit):	7.847838443443467
Encrypted:	false
SSDEEP:	3072:IZ3+XR/WSljohWOIJERMVNDst3xsnWBooYmzkWBhCnbEs:IR9SKgOIE6NDrnWBoo6WBh7s
MD5:	29F3D36526329B2EBF81DCAA6746F8EA
SHA1:	2F83F276045FDCC014894C2AAEEBC604C9287737
SHA-256:	435A24C95137E03B28F1CE594827BA7978C1CA8DA2A14423E6CFAFE37BED46C8
SHA-512:	EED337AAC9B39EE8B2347E9B71E6BE3617509761185E77B94842A6DA2ED301201FE3391488B4457A95EAE497119354C1E545FF0B0E6A3D49522C595E688CA3BE
Malicious:	false
Preview:	EA06.....@......7..(4}6..O...p..3X.S.......}]...sZ.Nf..F....VHu~.7...sy...(.U.\|.[x.J..y}f/-...x....T.4.e6....<..G..h...b.Q.`.^.X.O(..=g.E..........(.a.....`..Q.4z..Ff`..... ..kE.l..J...H.$iSy.P.c.p....5....1.Qi......B...B? ...A..@.;Q.Q....N.f3.}..0...63...+@...^.Z..f.)...0...?...!.6\|.z%..w.H.u.5jo;.....`z.@.............L.N3Z%....Q).{.no4.$+..5&n.....?.......d..-V....d\|.&..U.a.K...T.H...U..W.nwY}..[@._..i.....T;.\|>va...../;......4.Y..]..}....o6..f'..}..V..?....._....blV-..S..P.p.f.a..N...Zk..Q)4.s4.c.......as./.wC^.B..J.&....9...m.O.9...I.$'.....0.........V@......\@.3..."@....0......jKI.n~.......Z^..{).y9.}..E...h..rw`..=.......E85yv....\9....[3.i$.y..)...+...kB.M'w.\|3O..[.....kC...ZD....E.........h.o.F.>.N.`1.....0.c.O..H.z'.......](.a...8....wU..l39..i.J.........,..,.D.y....3.......n.M....w...k.....5.G...4r.7..T.T..X.R.z.&.D..d..5>gG.I&.J]....X&.Z...D..d.....D..'.....M.N$3y........./BmD.Tt....mo.G. ....P.....K.F....B/7.P..jv.!...Z.V.{..$....

C:\Users\user\AppData\Local\Temp\autE755.tmp

Download File

Process:	C:\Users\user\AppData\Local\Dalymore\Laddonia.exe
File Type:	data
Category:	dropped
Size (bytes):	10068
Entropy (8bit):	7.598665644644243
Encrypted:	false
SSDEEP:	192:QNAVE5kepr+mdAybEqwka1AnzHxcu7F/q05PWS0qTVzio0mqjJ6p03y4CjhuN:QNAjep+m/ErBmnT7F95SEeDntI03z
MD5:	BB30812E82DB2C890B1BAAE88C4FBFA7
SHA1:	AB820995644BB5C1EC8A1312C06B26418DEC89D7
SHA-256:	B86BA8472E259E3DB2D55D4652F8E2FC7146B90A44D8925FF110B37A69801B43
SHA-512:	7818C8C31522F1496E03E5A505B8440BA6DB489F61F65870988EAC5E6B3A04B30742BAE930AF26300F38887D0E994C1F7C58F25F4BAEB7612352C5235762FC3B
Malicious:	false
Preview:	EA06..t..Nh3*,.5......7..&TY..k5.X..9...c....)...5.Mf.)......&.i..s4..&.)..j.%. ..a......N...(...a.6.,v+....m.YlS........s3.Z...9.X.3 ...f....a4.6.&.........6\|s...gc.0....T...4.Y..`...k....l.1../.q5.N..2....$......x. ..$h.3.....#`...Mf...L.d.!...Mf.....' .Y...n.....0.N&.....d.U..&.<...l.U..'.5_....U..,`5_....U..f.5_..d.U.(..1......V...Nf.`..N&.`..M.^....j.7..$zn.....r..... !..Y&.G[....A6...f../.n.u.M.`>_L........)@...[..a6...z.2.... =........K<.l...$..6.{......0......r\|3K%....L.6>....4...l......_......4\|.+(.7.c...\|3K%.d....f.9....c..i\|v0F...a.l.,`.\..lsy...4.Y.o...mc..,s.$.k3.....f...`.....fcb..l.i....l..np..Y.....M..14.X@..4.......7d.N..;c...,.8.'.!....@!....f .....0.......Brb.....f.)...b..@!...g,. ....36.M&V`.......vd.....l3.,...B.B3p.N...;3.X..Q7...&..8.....f`...M.'I...x..C.....,vh...4.c9.L..@....`...g.,58..,.+..E3.....c.P..Y,3.....`Nf...N.@.;5.X.c9.w.!....f......n...X@A.$...`...g..38.X..I..(...Xl.b.,...#V9..s9..@!...Gf.....,fac.Y' !@.#5.....c........$....~

C:\Users\user\AppData\Local\Temp\kinematical

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_460.exe
File Type:	data
Category:	dropped
Size (bytes):	241664
Entropy (8bit):	6.417641950026969
Encrypted:	false
SSDEEP:	6144:lGKh32g//7b4dCso5oL4wMMVzfx0u2jDpyWtV:/R//v4osKokvMVzJ0u2jDpyUV
MD5:	0202F18DB58E72BD2CD2246960AD38FF
SHA1:	BF6B086EF8F053B7E1E15321ABE102A7C5AF663D
SHA-256:	123A445A125FB4D8E22E9130ACBFE7466FB3D21D10E42318F3E67518D343AE0F
SHA-512:	62076CA86285DB4570E8AE455FAFCD6155083767BE578AB9BCBCB2D54DEC1D75449B72E8057E356B7D0A9D3EF22B781C19825499D92F7E9B25464AD660FC6A11
Malicious:	false
Preview:	...O4EZ73DAG..FO.EZ77DAG.XFO7EZ77DAGYXFO7EZ77DAGYXFO7EZ77DAG.XFO9Z.97.H.x.G..d._^7a7+7!=V(zTV/(-x$.7/Y.-/g...oZ>R.ILM}XFO7EZ7g.AG.YEO..[Q7DAGYXFO.EX6<EJGY.EO7MZ77DAG'.EO7eZ77.BGYX.O7eZ77FAG]XFO7EZ73DAGYXFO7e^77FAGYXFO5E..7DQGYHFO7EJ77TAGYXFO'EZ77DAGYXFO..Y7dDAGY.EOq@Z77DAGYXFO7EZ77DAGYXBO;EZ77DAGYXFO7EZ77DAGYXFO7EZ77DAGYXFO7EZ77DAGYXFO7EZ77dAGQXFO7EZ77DAGQxFO.EZ77DAGYXFO.1?OCDAG..EO7eZ77.BGYZFO7EZ77DAGYXFO.EZW.625:XFOq@Z77.BGY^FO7.Y77DAGYXFO7EZ7wDA.w##X&Z7;DAGYXBO7GZ77.BGYXFO7EZ77DAG.XF.7EZ77DAGYXFO7EZ7W.BGYXFO.EZ75DDG..DO.v[74DAGXXFI7EZ77DAGYXFO7EZ77DAGYXFO7EZ77DAGYXFO7EZ77DAGYXFO......y.%xEUB...#.D..U.<.x8.T."L.\|.W.....~-@.~E.8...P...0.?2=@.....%QF9,.0vW'...k.y`3...IY. ...?u.6@k.l...bb....@C...0..:7+aV5*[Rj.&?94&.G.67DAG.......^<..t[IQ.W"a...mJ>....IDAG=XFOEEZ7VDAG.XFOXEZ7YDAG'XFOIEZ7qDAG.XFO.EZ7.DAG4XFO.EZ7IDAG.%I@...^D.GYXFO.....).....x....F.?.;`...!.\|..D..W..@..p.O.3.. .11...@X^BJ5B^4;yO....n5A^25CEDUeH.....b..`..F...d>.;YXFO7E.77.AGY..O.EZ7.D.G..FO7.7.D.G...O

C:\Users\user\AppData\Local\Temp\uppishly

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_460.exe
File Type:	ASCII text, with very long lines (29718), with no line terminators
Category:	dropped
Size (bytes):	29718
Entropy (8bit):	3.5708714261009393
Encrypted:	false
SSDEEP:	768:FiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbKE+IB34vfF3if6gyGqN:FiTZ+2QoioGRk6ZklputwjpjBkCiw2RG
MD5:	479B5FAA221F0CECE9BC9182FEA11D3F
SHA1:	360792EF58B6BFDD90472E8F4C460CC06781F078
SHA-256:	E027BA7A8B7168065DA3DB8BF6C29AF85DA319E89E3377A71F056B416821F8BE
SHA-512:	75EDC36EDE4BEC2F93C4679ABB04D4D9CD556C17B937613725E720FA9327C330569666980E1196B4046F2DB377DBD59971251D4956F59C8BDCFB1A9AC5D9E5BB
Malicious:	false
Preview:	D9A2E7D5A75A08C7E82E0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c0000006689857effffff33c966894d80ba

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs

Download File

Process:	C:\Users\user\AppData\Local\Dalymore\Laddonia.exe
File Type:	data
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.4460518622892313
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1MfQsLnriIM8lfQVn:DsO+vNlzQ1EQAmA2n
MD5:	866B245FF3905C1F6A8F035600B9FBC4
SHA1:	AE33BD10E106D13D0FF3BD3B3FD62BFBC68934E3
SHA-256:	A82329C384E58449FC5D7D6538B279DD757CB12A901C5CB2B3687195B0E00A67
SHA-512:	3D95E822A0BE58D72765F5196F49DF6573E3DC981279F5497E709D83C6B7102BD447A2671E341E2AAB499F3C15043E76C9580E442D517EA5F5263DE8EBD89389
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.D.a.l.y.m.o.r.e.\.L.a.d.d.o.n.i.a...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\My App\My App.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Joe Sandbox View:	Filename: LisectAVT_2403002B_289.exe, Detection: malicious, Browse Filename: Shipping Documents 7003829465.exe, Detection: malicious, Browse Filename: SKM_C335019110710XX620.exe, Detection: malicious, Browse Filename: Bank Slip.pdf.exe, Detection: malicious, Browse Filename: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe, Detection: malicious, Browse Filename: Remittance INV HSBC ref 072324678.exe, Detection: malicious, Browse Filename: Shipping Documents 88768092140.exe, Detection: malicious, Browse Filename: INV PAYMENT RECEIPT.exe, Detection: malicious, Browse Filename: 0ssZjk1OSj.exe, Detection: malicious, Browse Filename: 41hKUw86xp.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\My App\My App.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.004653500249907
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_460.exe
File size:	1'143'820 bytes
MD5:	8868668372c27888a5ed9e818683ffcb
SHA1:	9ce00390be0e90cecf89c89cd84d9adf2556e772
SHA256:	15ae2b61648414988ae6e5876738382c62f6c90a325354a7e903348bc8c139be
SHA512:	7765a969833b06fbd4744e2112ae5e168f1bef1daad05d2581220750ee910118930d81070f53423e188de21d4c137ca92cccaa2f3aadcd7bac37742b89d65a02
SSDEEP:	24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8aa2O2EqCJWS8YGuITOeN:yTvC/MTQYxsWR7aa2AxHAO
TLSH:	EA35BF0273D1C062FFAB92334B5AF6515ABC79260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66021040 [Tue Mar 26 00:01:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3BA4DDC973h
jmp 00007F3BA4DDC27Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3BA4DDC45Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3BA4DDC42Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3BA4DDF01Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3BA4DDF068h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3BA4DDF051h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x40978	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x115000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x40978	0x40a00	bfb8eef2d5643a23b89a4dd3190b80de	False	0.8985621675531915	data	7.823331459120503	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x115000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x37c40	data			1.0003327262538526
RT_GROUP_ICON	0x1143f8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x114470	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x114484	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x114498	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1144ac	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x114588	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T19:52:00.788954+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49704	52.165.165.26	192.168.2.5
2024-07-25T19:52:28.697762+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	54048	52.165.165.26	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 19:54:15.365946054 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:15.365993023 CEST	443	54049	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:15.366084099 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:15.372416019 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:15.372450113 CEST	443	54049	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:16.063832045 CEST	443	54049	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:16.063971043 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:16.066304922 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:16.066315889 CEST	443	54049	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:16.066557884 CEST	443	54049	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:16.110069990 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:16.124265909 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:16.164510965 CEST	443	54049	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:16.266904116 CEST	443	54049	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:16.266990900 CEST	443	54049	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:16.267086029 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:16.282625914 CEST	54049	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:17.110008001 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:17.115371943 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:17.115461111 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:17.946763992 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:17.949769974 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:17.955610991 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.155432940 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.155659914 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:18.162787914 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.356944084 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.357378960 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:18.362231970 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.577676058 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.577828884 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.577843904 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.577944994 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:18.578845024 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.578902006 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:18.666460991 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.683367968 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:18.688375950 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.880592108 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:18.883784056 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:18.888931036 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:19.081218004 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:19.092375994 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:19.097237110 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:19.291325092 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:19.295195103 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:19.300260067 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:21.550997972 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:21.551453114 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:21.556318998 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:21.748172998 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:21.750439882 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:21.750504971 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:21.785290956 CEST	54050	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:21.790282011 CEST	587	54050	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:45.458019018 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:45.458076954 CEST	443	54051	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:45.458153963 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:45.461668015 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:45.461684942 CEST	443	54051	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:46.044621944 CEST	443	54051	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:46.044729948 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:46.049209118 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:46.049221992 CEST	443	54051	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:46.049577951 CEST	443	54051	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:46.094413996 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:46.100024939 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:46.140537024 CEST	443	54051	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:46.216721058 CEST	443	54051	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:46.216890097 CEST	443	54051	104.26.13.205	192.168.2.5
Jul 25, 2024 19:54:46.216978073 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:46.220814943 CEST	54051	443	192.168.2.5	104.26.13.205
Jul 25, 2024 19:54:47.020284891 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:47.030750990 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:47.030838013 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:48.338850975 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:48.339282990 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:48.339582920 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:48.339649916 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:48.339890957 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:48.340106964 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:48.345870018 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:48.544462919 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:48.544770956 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:48.549607992 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:48.745273113 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:48.746192932 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:48.753583908 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.124290943 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.124404907 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.124418974 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.124504089 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:49.125415087 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.125426054 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.125531912 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:49.125531912 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:49.125745058 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.129667997 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:49.135231018 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.326699018 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.359256029 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:49.382901907 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.587984085 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:49.588438988 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:49.593308926 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:50.122642040 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:50.123182058 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:50.125019073 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:50.125098944 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:50.136275053 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:52.257749081 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:52.258130074 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:52.263459921 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:52.452651024 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:52.454118013 CEST	587	54052	78.46.216.122	192.168.2.5
Jul 25, 2024 19:54:52.454226971 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:52.455497980 CEST	54052	587	192.168.2.5	78.46.216.122
Jul 25, 2024 19:54:52.460550070 CEST	587	54052	78.46.216.122	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 19:52:26.745894909 CEST	53	50970	162.159.36.2	192.168.2.5
Jul 25, 2024 19:52:27.635839939 CEST	53	64540	1.1.1.1	192.168.2.5
Jul 25, 2024 19:54:15.348741055 CEST	53058	53	192.168.2.5	1.1.1.1
Jul 25, 2024 19:54:15.360515118 CEST	53	53058	1.1.1.1	192.168.2.5
Jul 25, 2024 19:54:17.069061041 CEST	50992	53	192.168.2.5	1.1.1.1
Jul 25, 2024 19:54:17.108427048 CEST	53	50992	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 19:54:15.348741055 CEST	192.168.2.5	1.1.1.1	0xe708	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:54:17.069061041 CEST	192.168.2.5	1.1.1.1	0xb07c	Standard query (0)	mail.agrosparta.gr	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 19:54:15.360515118 CEST	1.1.1.1	192.168.2.5	0xe708	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:54:15.360515118 CEST	1.1.1.1	192.168.2.5	0xe708	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:54:15.360515118 CEST	1.1.1.1	192.168.2.5	0xe708	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Jul 25, 2024 19:54:17.108427048 CEST	1.1.1.1	192.168.2.5	0xb07c	No error (0)	mail.agrosparta.gr	agrosparta.gr		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 19:54:17.108427048 CEST	1.1.1.1	192.168.2.5	0xb07c	No error (0)	agrosparta.gr		78.46.216.122	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	54049	104.26.13.205	443	4712	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 17:54:16 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-25 17:54:16 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 17:54:16 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a8e03a349108cee-EWR
2024-07-25 17:54:16 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	54051	104.26.13.205	443	3160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-25 17:54:46 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-07-25 17:54:46 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 17:54:46 GMT Content-Type: text/plain Content-Length: 11 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8a8e045e7d13729f-EWR
2024-07-25 17:54:46 UTC	11	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 25, 2024 19:54:17.946763992 CEST	587	54050	78.46.216.122	192.168.2.5	220-smartserver.swserver85.gr ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 20:54:17 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 19:54:17.949769974 CEST	54050	587	192.168.2.5	78.46.216.122	EHLO 767668
Jul 25, 2024 19:54:18.155432940 CEST	587	54050	78.46.216.122	192.168.2.5	250-smartserver.swserver85.gr Hello 767668 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 25, 2024 19:54:18.155659914 CEST	54050	587	192.168.2.5	78.46.216.122	STARTTLS
Jul 25, 2024 19:54:18.356944084 CEST	587	54050	78.46.216.122	192.168.2.5	220 TLS go ahead
Jul 25, 2024 19:54:48.338850975 CEST	587	54052	78.46.216.122	192.168.2.5	220-smartserver.swserver85.gr ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 20:54:47 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 19:54:48.339282990 CEST	54052	587	192.168.2.5	78.46.216.122	EHLO 767668
Jul 25, 2024 19:54:48.339582920 CEST	587	54052	78.46.216.122	192.168.2.5	220-smartserver.swserver85.gr ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 20:54:47 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 19:54:48.339890957 CEST	587	54052	78.46.216.122	192.168.2.5	220-smartserver.swserver85.gr ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 20:54:47 +0300 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jul 25, 2024 19:54:48.544462919 CEST	587	54052	78.46.216.122	192.168.2.5	250-smartserver.swserver85.gr Hello 767668 [8.46.123.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jul 25, 2024 19:54:48.544770956 CEST	54052	587	192.168.2.5	78.46.216.122	STARTTLS
Jul 25, 2024 19:54:48.745273113 CEST	587	54052	78.46.216.122	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	13:51:38
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_460.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"
Imagebase:	0xb00000
File size:	1'143'820 bytes
MD5 hash:	8868668372C27888A5ED9E818683FFCB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:54:11
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Dalymore\Laddonia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"
Imagebase:	0x700000
File size:	116'487'180 bytes
MD5 hash:	FFF516D7CEF66EF2F8F9494A753E4E06
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.3572441888.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:54:13
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_460.exe"
Imagebase:	0x2e0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3872504636.00000000003B2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3874380957.000000000271C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3874380957.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.3874380957.00000000026F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:54:24
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\My App\My App.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\My App\My App.exe"
Imagebase:	0x3f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:54:24
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:54:32
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Roaming\My App\My App.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\My App\My App.exe"
Imagebase:	0xa0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:54:32
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:54:40
Start date:	25/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs"
Imagebase:	0x7ff7b4980000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:54:41
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Dalymore\Laddonia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Dalymore\Laddonia.exe"
Imagebase:	0x700000
File size:	116'487'180 bytes
MD5 hash:	FFF516D7CEF66EF2F8F9494A753E4E06
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 0000000D.00000002.3873482742.0000000001190000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:54:43
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Dalymore\Laddonia.exe"
Imagebase:	0xcf0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4463265835.00000000030F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4463265835.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4463265835.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 00B042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B0430D

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

GetCurrentProcess.KERNEL32(?,00B9CB64,00000000,?,?), ref: 00B04422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B04429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B04454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B04466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B04474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B0447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00B044A0

Strings

|O, xrefs: 00B436F8
GetNativeSystemInfo, xrefs: 00B04460
kernel32.dll, xrefs: 00B0444F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b8e1a17d9ec216ffcf163df6eaa67436d9830bbe2e3d9e7d9e25081f0f9b83c4
Instruction ID: 6e70a1a37e6d7712047a0d33cc2df4f6a6a7df2d0a0aec74a74a830501ca97bc
Opcode Fuzzy Hash: b8e1a17d9ec216ffcf163df6eaa67436d9830bbe2e3d9e7d9e25081f0f9b83c4
Instruction Fuzzy Hash: 56A162A590B2C0FBC711C76DB9A1599BFE5AB26720B084CDBD18593772FE304A04DB2D

Function 00B042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B050AA,?,?,00000000,00000000), ref: 00B042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B050AA,?,?,00000000,00000000), ref: 00B042C9
LoadResource.KERNEL32(?,00000000,?,?,00B050AA,?,?,00000000,00000000,?,?,?,?,?,?,00B04F20), ref: 00B435BE
SizeofResource.KERNEL32(?,00000000,?,?,00B050AA,?,?,00000000,00000000,?,?,?,?,?,?,00B04F20), ref: 00B435D3
LockResource.KERNEL32(00B050AA,?,?,00B050AA,?,?,00000000,00000000,?,?,?,?,?,?,00B04F20,?), ref: 00B435E6

Strings

SCRIPT, xrefs: 00B042BF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2c6e3ec153d91ed46de5aba81f4872bfcbfcff19bed9c2557f3bf2c02aa83003
Instruction ID: 31518c02b3e60231d5416702b0d3282955c38d4a210b4cf4dbd4ca4e95548b1e
Opcode Fuzzy Hash: 2c6e3ec153d91ed46de5aba81f4872bfcbfcff19bed9c2557f3bf2c02aa83003
Instruction Fuzzy Hash: 0E117CB0200700BFDB218B65DD48F277FF9EBC5B51F2481AAB502D62A0DB71D8048A30

Function 00B42BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00B02B6B

Part of subcall function 00B03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BD1418,?,00B02E7F,?,?,?,00000000), ref: 00B03A78

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00BC2224), ref: 00B42C10
ShellExecuteW.SHELL32(00000000,?,?,00BC2224), ref: 00B42C17

Strings

runas, xrefs: 00B42C0B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: c5f83f348e8eb1702d81a7e9c8c1b34bc50043ea0afd03454f99decf95f03a73
Instruction ID: 99ad8e23771f5b7597aaccb928a22c5b41d69d63a814798e98b6c0f934a64b7c
Opcode Fuzzy Hash: c5f83f348e8eb1702d81a7e9c8c1b34bc50043ea0afd03454f99decf95f03a73
Instruction Fuzzy Hash: 6A11A2312083416AC714FF64D89AA7EBFE8DB91740F4458EEF182531E3DF219A499B12

Function 00B6DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00B45222), ref: 00B6DBCE
GetFileAttributesW.KERNELBASE(?), ref: 00B6DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 00B6DBEE
FindClose.KERNEL32(00000000), ref: 00B6DBFA

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 2867ca380cef480379ee9e9349b88a7f30fc6ea9eee58c1a09fa9f3da5d3371f
Instruction ID: 7d7dfc2ce94f6f5207a1579accae057ad333cb323d18e0b099c1a0d5de346449
Opcode Fuzzy Hash: 2867ca380cef480379ee9e9349b88a7f30fc6ea9eee58c1a09fa9f3da5d3371f
Instruction Fuzzy Hash: EDF0A03081091857C220AF78AE0D8AA3BACDE02334B504B43F836C20E0EFB5599486D9

Function 00B0D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B0D807
timeGetTime.WINMM ref: 00B0DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0DB28
TranslateMessage.USER32(?), ref: 00B0DB7B
DispatchMessageW.USER32(?), ref: 00B0DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0DB9F
Sleep.KERNEL32(0000000A), ref: 00B0DBB1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 3339d2bd53a82fb43bf4587cb308ddf2a09bbcb8cfa07249300ffaa9230e8605
Instruction ID: 0a3f1ef71d5f86b70af82d5c76550fe0c715bbcad09d381c7e20e9c5cd64fcda
Opcode Fuzzy Hash: 3339d2bd53a82fb43bf4587cb308ddf2a09bbcb8cfa07249300ffaa9230e8605
Instruction Fuzzy Hash: 1C42E430605341EFD724CF64C894BAABBE4FF46314F5489E9E965872D1DB70E848CB92

Function 00B02CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B02D07
RegisterClassExW.USER32(00000030), ref: 00B02D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B02D42
InitCommonControlsEx.COMCTL32(?), ref: 00B02D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B02D6F
LoadIconW.USER32(000000A9), ref: 00B02D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B02D94

Strings

+, xrefs: 00B02CF0
TaskbarCreated, xrefs: 00B02D37
AutoIt v3 GUI, xrefs: 00B02D23
0, xrefs: 00B02CE9

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2a918df6dd999821570bde23f4be6ee791a2fcbcef381464d2d776596ec87eff
Instruction ID: 9b83b8a5edc25d95de054afa686776134e9d7ee7f2f107c9dd68c57ae6637612
Opcode Fuzzy Hash: 2a918df6dd999821570bde23f4be6ee791a2fcbcef381464d2d776596ec87eff
Instruction Fuzzy Hash: 1421B4B5902218AFDB00DFA8ED69ADDBFB8FB08700F00451BE511A72A0EBB545458F95

Function 00B4065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B4039A: CreateFileW.KERNELBASE(00000000,00000000,?,00B40704,?,?,00000000,?,00B40704,00000000,0000000C), ref: 00B403B7

GetLastError.KERNEL32 ref: 00B4076F
__dosmaperr.LIBCMT ref: 00B40776
GetFileType.KERNELBASE(00000000), ref: 00B40782
GetLastError.KERNEL32 ref: 00B4078C
__dosmaperr.LIBCMT ref: 00B40795
CloseHandle.KERNEL32(00000000), ref: 00B407B5
CloseHandle.KERNEL32(?), ref: 00B408FF
GetLastError.KERNEL32 ref: 00B40931
__dosmaperr.LIBCMT ref: 00B40938

Strings

H, xrefs: 00B408BD

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 64ba2e499f6d06d3b9ad3618c57273bc7909b8d2325c09fddacb6567c6fa4b9a
Instruction ID: 30a40d62fb7cdd4a5aa0b0f99cf3395506461375df905dc1d2ff84d359f184aa
Opcode Fuzzy Hash: 64ba2e499f6d06d3b9ad3618c57273bc7909b8d2325c09fddacb6567c6fa4b9a
Instruction Fuzzy Hash: 00A12832A241148FDF19BF78D891BAD7BF0EB06320F24019EF9159B291DB359E12DB91

Function 00B0344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B03A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BD1418,?,00B02E7F,?,?,?,00000000), ref: 00B03A78

Part of subcall function 00B03357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B03379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B0356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B4318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B431CE
RegCloseKey.ADVAPI32(?), ref: 00B43210
_wcslen.LIBCMT ref: 00B43277
_wcslen.LIBCMT ref: 00B43286

Strings

Include, xrefs: 00B43184, 00B431C5
Software\AutoIt v3\AutoIt, xrefs: 00B03560
\Include\, xrefs: 00B03527
\, xrefs: 00B4328C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 09a5e25b1cc038ff6d354d93c82309b14e3c21d2994364769b43373bb7ff2fad
Instruction ID: dd9167f0b9ac3ce4a8137dd48d6ab2c8f6c151ce432c7aa0ad32577d99fbbc40
Opcode Fuzzy Hash: 09a5e25b1cc038ff6d354d93c82309b14e3c21d2994364769b43373bb7ff2fad
Instruction Fuzzy Hash: 0F71C2715053419FC314EF29EC928ABFBE8FFA4750F40496EF545832A0EB708A48CB66

Function 00B02B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B02B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00B02B9D
LoadIconW.USER32(00000063), ref: 00B02BB3
LoadIconW.USER32(000000A4), ref: 00B02BC5
LoadIconW.USER32(000000A2), ref: 00B02BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B02BEF
RegisterClassExW.USER32(?), ref: 00B02C40

Part of subcall function 00B02CD4: GetSysColorBrush.USER32(0000000F), ref: 00B02D07
Part of subcall function 00B02CD4: RegisterClassExW.USER32(00000030), ref: 00B02D31
Part of subcall function 00B02CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B02D42
Part of subcall function 00B02CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B02D5F
Part of subcall function 00B02CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B02D6F
Part of subcall function 00B02CD4: LoadIconW.USER32(000000A9), ref: 00B02D85
Part of subcall function 00B02CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B02D94

Strings

AutoIt v3, xrefs: 00B02C2F
#, xrefs: 00B02C16
0, xrefs: 00B02C0F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 0982f700ba65dede8eb7b7f38a373cefa2095c355d7284a92b736bd9ef1b76aa
Instruction ID: 9c7003e8d89e0adb62a05d52751f9b8ba5bfce8c259ab5eff775aa3daec47b66
Opcode Fuzzy Hash: 0982f700ba65dede8eb7b7f38a373cefa2095c355d7284a92b736bd9ef1b76aa
Instruction Fuzzy Hash: FC211D71E02314BBDB10DFD9ED65A99BFB4FB48B60F40055BE504A76A0EBB50940CF98

Function 00B03170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B0316A,?,?), ref: 00B031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00B0316A,?,?), ref: 00B03204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B03227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B0316A,?,?), ref: 00B03232
CreatePopupMenu.USER32 ref: 00B03246
PostQuitMessage.USER32(00000000), ref: 00B03267

Strings

TaskbarCreated, xrefs: 00B0322D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c1ab2ca0c93a0c74ed59f6c3ed80a87ea77a9ae4dde42ca5218d752277d70d9f
Instruction ID: 2d079530d50e046e511afed1041d6474218e80c3e9f03c9393fba25fe59c1606
Opcode Fuzzy Hash: c1ab2ca0c93a0c74ed59f6c3ed80a87ea77a9ae4dde42ca5218d752277d70d9f
Instruction Fuzzy Hash: 3F411035240200BBDB145FAC9DADB793FDDEB09B50F0405E6F902972E1EB658F81A7A1

Function 00B38D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2644de78947445f4ec8d2cd62c92281dbe109d386bc90ee51dba04a76bc10c09
Instruction ID: 505264239c1354a24d97d195ffe150891810b0d540e808d0be9dd31369090bac
Opcode Fuzzy Hash: 2644de78947445f4ec8d2cd62c92281dbe109d386bc90ee51dba04a76bc10c09
Instruction Fuzzy Hash: DEC1E174904359AFDB15EFA8D881BADBBF0EF09310F2441D9F419A7392CB749941CB61

Function 00DC0920 Relevance: 10.7, APIs: 7, Instructions: 185
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00DC0965

Memory Dump Source

Source File: 00000000.00000002.3543963122.0000000000DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction ID: 586e81ba8c17e6c37f4ed0f55fa021bdd73b5a40b32dde07931db8ad54bc78e0
Opcode Fuzzy Hash: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction Fuzzy Hash: A5711E75A10209EBDF24DFA4CC45FEEBB79BF48714F148518F645EB280DA749A40CB64

Function 00B02C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B02C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B02CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B01CAD,?), ref: 00B02CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B01CAD,?), ref: 00B02CCF

Strings

AutoIt v3, xrefs: 00B02C89, 00B02C8E, 00B02C8F
edit, xrefs: 00B02CAC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 70114c94ae8709a03f46d0e336ee796ef93cd9321c999ffb96c92a9ef975027f
Instruction ID: 251cb1c81e5f479267dfd2cd2dcea2e93e6e621f5112ee97f4729553bc969f37
Opcode Fuzzy Hash: 70114c94ae8709a03f46d0e336ee796ef93cd9321c999ffb96c92a9ef975027f
Instruction Fuzzy Hash: E0F0DA756412907BEB311B1BAC18E77AFBDD7C6F60B01046BF904A35A0EA651850DAB8

Function 00B72947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B72C05
DeleteFileW.KERNEL32(?), ref: 00B72C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B72C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B72CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B72CC0

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 9004d0b3e15db19ca5b2d3cd7b74aceb4b45b94521dfb1e4b29bb393c841dac9
Instruction ID: d469959b160967c00207a9abec684638f84b065035911e090efb0823d701bc7a
Opcode Fuzzy Hash: 9004d0b3e15db19ca5b2d3cd7b74aceb4b45b94521dfb1e4b29bb393c841dac9
Instruction Fuzzy Hash: 5FB13C72D00129ABDF21DBA4CC85EDEBBFDEF49350F1080EAF519E6151EA309A448F61

Function 00DC24F0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00DC264C
VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 00DC2681
ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 00DC26A7

Strings

YXFO7EZ77DAG, xrefs: 00DC26CC, 00DC26CF

Memory Dump Source

Source File: 00000000.00000002.3543963122.0000000000DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: File$AllocCreateReadVirtual
String ID: YXFO7EZ77DAG
API String ID: 3585551309-3060736364
Opcode ID: 5e4e7af024a3191c8193519d2de683de0d9505c7ab6ffc1307301052ba45625a
Instruction ID: 769d496d51fb290fb7ee8fbdc0cfc57885b0c37873d9b13715b4bd4f1999b3fc
Opcode Fuzzy Hash: 5e4e7af024a3191c8193519d2de683de0d9505c7ab6ffc1307301052ba45625a
Instruction Fuzzy Hash: 14617D3090424ADBEF15EBA4C855BEEBA79AF14300F044198E609BB2C0EA795B45CBB5

Function 00B03B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B03B0F,SwapMouseButtons,00000004,?), ref: 00B03B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B03B0F,SwapMouseButtons,00000004,?), ref: 00B03B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B03B0F,SwapMouseButtons,00000004,?), ref: 00B03B83

Strings

Control Panel\Mouse, xrefs: 00B03B3E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b753b43cb2a5e00b0ea2fcf574848301aa915bcf242787dd7a01845f9005e14b
Instruction ID: 9edee84827735eb32216f0982cd9bca4d5c647bdd164894dd92747e977b527f3
Opcode Fuzzy Hash: b753b43cb2a5e00b0ea2fcf574848301aa915bcf242787dd7a01845f9005e14b
Instruction Fuzzy Hash: B9112AB5510208FFDB218FA5DC89AAEBBFCEF04B48B10849AA805D7150D6319E449760

Function 00B0DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B532B7

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 8ff0fd32b6607b2491b829f4b8456cb17641ae00727f721756d6b584e5a835db
Instruction ID: 29fdcc05fc70089176c90b831d2b7063cc8f3d652e96b8df525f4e973e12ad8b
Opcode Fuzzy Hash: 8ff0fd32b6607b2491b829f4b8456cb17641ae00727f721756d6b584e5a835db
Instruction Fuzzy Hash: 1AC27971A00205CFCB24CF58D891AADBBF1FF18710F2489A9E966AB391D771ED41CB91

Function 00B03923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B433A2

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B03A04

Strings

Line: , xrefs: 00B433EB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 9af9a042e7bdc1d6647a818209a3f919cfcb31ceea659a148b052ce2af80f26e
Instruction ID: 432de35457381d38275738843f4ef4b16aa4e017fc556dd7fee275c9712a86c9
Opcode Fuzzy Hash: 9af9a042e7bdc1d6647a818209a3f919cfcb31ceea659a148b052ce2af80f26e
Instruction Fuzzy Hash: 2D31D071509300AAC324EB24DC59BEBBBDCAB40B20F0449ABF599831D1EF709A49C7C6

Function 00B1FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B20668

Part of subcall function 00B232A4: RaiseException.KERNEL32(?,?,?,00B2068A,?,00BD1444,?,?,?,?,?,?,00B2068A,00B01129,00BC8738,00B01129), ref: 00B23304

__CxxThrowException@8.LIBVCRUNTIME ref: 00B20685

Strings

Unknown exception, xrefs: 00B20692

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: c49d25ec3a5f34c3c9a09803ac4b2b7e7331fe6f8bd80ca85fdca7da9c5c2e61
Instruction ID: 50d985966826100e9536e92c5f15249dc00bb055498635d177e48aedb80f0283
Opcode Fuzzy Hash: c49d25ec3a5f34c3c9a09803ac4b2b7e7331fe6f8bd80ca85fdca7da9c5c2e61
Instruction Fuzzy Hash: 7EF0C83490021DB7CB00B664F886DEE77EC9E00310B6045F5B81CD5593EF71DA65C6C0

Function 00DC1060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00DC10A5
ExitProcess.KERNEL32(00000000), ref: 00DC10C4

Strings

D, xrefs: 00DC1071

Memory Dump Source

Source File: 00000000.00000002.3543963122.0000000000DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: f8ef6da0ed4a2f740de3a74f448d0fc84c800b9fb59397f2698fb681a88fc9f8
Instruction ID: 83ffef1530760036050919499db9c56ea9e9abb76af4feb5472a934aafdaadb0
Opcode Fuzzy Hash: f8ef6da0ed4a2f740de3a74f448d0fc84c800b9fb59397f2698fb681a88fc9f8
Instruction Fuzzy Hash: 60F0EC7594024DABDB60DFE0CC49FEE777CBF04701F548508BA0A9B180DE7496489B61

Function 00B73017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00B7302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B73044

Strings

aut, xrefs: 00B73038

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 078ebda694547e00c86f67b957e8b7ff8bf3b7c911db48d4ef443e64d0102127
Instruction ID: d735e597d9db0c8e544fb9b06b9fa5dc399414affa284e76d8c624150d582004
Opcode Fuzzy Hash: 078ebda694547e00c86f67b957e8b7ff8bf3b7c911db48d4ef443e64d0102127
Instruction Fuzzy Hash: A5D05E7250032877DA20A7A4AD0EFCB3F6CDB04750F0002A2B655E30A1DEB09984CAE0

Function 00B87F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00B882F5
TerminateProcess.KERNEL32(00000000), ref: 00B882FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00B884DD

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 4f9a9d96ecb71e0524c18c04c829df854e806118562cda480fc9946dcf885d3d
Instruction ID: 348cd770ae78d725cc5fe4e4e6d460b8703b8d84b8d59744c49a1a71eeb6a442
Opcode Fuzzy Hash: 4f9a9d96ecb71e0524c18c04c829df854e806118562cda480fc9946dcf885d3d
Instruction Fuzzy Hash: D1125B719083419FC714EF28C484B6ABBE5FF84314F54899DE8998B3A2DB31ED45CB92

Function 00B35AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fd215051bed4211e054d9c71362a12fb1cc0c779a342c44d6dbb845b337c48
Instruction ID: 3972019231c73921570e942fa698a50907d05daadc9c39823ac3f430e25bc82c
Opcode Fuzzy Hash: b5fd215051bed4211e054d9c71362a12fb1cc0c779a342c44d6dbb845b337c48
Instruction Fuzzy Hash: 3C51AF71D0061AEFCB30AFA8D985FEEBBF8EF06314F64019AF405A7291D73199018B61

Function 00B010F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B01BF4
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B01BFC
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B01C07
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B01C12
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B01C1A
Part of subcall function 00B01BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B01C22

Part of subcall function 00B01B4A: RegisterWindowMessageW.USER32(00000004,?,00B012C4), ref: 00B01BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B0136A
OleInitialize.OLE32 ref: 00B01388
CloseHandle.KERNEL32(00000000,00000000), ref: 00B424AB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e288b6d10be87ab3893e2b3737ccfd31137bfbc22c56dd4397980c0d30022b13
Instruction ID: 384f912d272b4260ce6647424f884636cc2d1d3d963c9ee70466c5e91b65cded
Opcode Fuzzy Hash: e288b6d10be87ab3893e2b3737ccfd31137bfbc22c56dd4397980c0d30022b13
Instruction Fuzzy Hash: 5671A0B5A13200AEC784DFBDB965655BBE4BBA83483548EABD40AC7362FF384440CF54

Function 00B054C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00B0556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00B0557D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8e6ec3890b20854d13beb4fb40d5777114a1f67cb178e7e06a604132921e3861
Instruction ID: dcae9fc5a76f78496a726c705e7bdd04c55cd42ddeb519970248a05414317a12
Opcode Fuzzy Hash: 8e6ec3890b20854d13beb4fb40d5777114a1f67cb178e7e06a604132921e3861
Instruction Fuzzy Hash: EB313B71A00609EFDB24CF28C881B9ABBF5FB44714F148669E91597680D771FE94CF90

Function 00B386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00B385CC,?,00BC8CC8,0000000C), ref: 00B38704
GetLastError.KERNEL32(?,00B385CC,?,00BC8CC8,0000000C), ref: 00B3870E
__dosmaperr.LIBCMT ref: 00B38739

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: a1dc5b818574ad6041639a3c218d584449f52e59efcc255a3603c5e2bccaef96
Instruction ID: eea9a92e8652d75a80c1ed660dabb637c750438d553ba3010f45539a41a5132c
Opcode Fuzzy Hash: a1dc5b818574ad6041639a3c218d584449f52e59efcc255a3603c5e2bccaef96
Instruction Fuzzy Hash: 76014932A0572067D7346334A947B7E7BDACB92774F3901DAF81A8B1D2DEB0CC818196

Function 00B72FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00B72CD4,?,?,?,00000004,00000001), ref: 00B72FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B72CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B73006
CloseHandle.KERNEL32(00000000,?,00B72CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B7300D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 24be67f6516ff532700a482e018fc7cb8085944e6cecfaa88f7c64c46af488b1
Instruction ID: feca0f9a7fe572728cab5a1c3c9ec41d7025a50391467ef805ada16bdc032003
Opcode Fuzzy Hash: 24be67f6516ff532700a482e018fc7cb8085944e6cecfaa88f7c64c46af488b1
Instruction Fuzzy Hash: 4DE0863228022077D2301755BD0EF8B3E5CD786F71F104211F729760D04AA1190152BC

Function 00B11310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B117F6

Strings

CALL, xrefs: 00B117C6

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: d0fe2d9b1271aa89ca30d612e30dfc74b694caa0a33a3c43e1d8d5850e15a44a
Instruction ID: af1955c319c4e24add763c820fef7a5fe3c673f493ad3fed23f5d46d8d99a981
Opcode Fuzzy Hash: d0fe2d9b1271aa89ca30d612e30dfc74b694caa0a33a3c43e1d8d5850e15a44a
Instruction Fuzzy Hash: F6228B706082019FC714DF18C490B6ABBF1FF99314F9489ADF9968B3A1D731E985CB92

Function 00B76EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B76F6B

Part of subcall function 00B04ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B76F5A, 00B76F63

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: c51f4589da73dc01cd1b5daa8ea993ac44047273b05f32273e9b3673bc8d9f32
Instruction ID: d0335325d4c2c694b6bca4a3d0fad0f131bb2b3ae1aea26fad4361b54a3e8285
Opcode Fuzzy Hash: c51f4589da73dc01cd1b5daa8ea993ac44047273b05f32273e9b3673bc8d9f32
Instruction Fuzzy Hash: 8FB174715183018FCB14EF24C89196EBBE5EF95300F04899DF5AA972A2DF30ED49CB92

Function 00B02DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00B42C8C

Part of subcall function 00B03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B03A97,?,?,00B02E7F,?,?,?,00000000), ref: 00B03AC2

Part of subcall function 00B02DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B02DC4

Strings

X, xrefs: 00B42C5A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: bb74d3684e5de47c9112bf4a3335bd211afb07b52babfc9554c21bd77727acc4
Instruction ID: b3266be7be2d5e2839259c3254f0f0c63348f3ef2c1475168a27f7a8fa508792
Opcode Fuzzy Hash: bb74d3684e5de47c9112bf4a3335bd211afb07b52babfc9554c21bd77727acc4
Instruction Fuzzy Hash: 2D219371A00258AFDB05EF94C849BEE7BFCAF49714F00409AE505A7281DFB49A8D8B61

Function 00B72557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B72587

Strings

EA06, xrefs: 00B725B9

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: bfa7c2e110cad6141241c5ebc4774a4bc07a02f2ed7d6d4789e27cfb14fb159c
Instruction ID: 3f41bed7ca270e7b4eb1e0cf635582b28e36072b673c773f408e9b1d45df8d3f
Opcode Fuzzy Hash: bfa7c2e110cad6141241c5ebc4774a4bc07a02f2ed7d6d4789e27cfb14fb159c
Instruction Fuzzy Hash: 5E01B572D042687EDF18D7A8C856EAEBBF8DB15311F00459AF1A6D61C1E5B4E608CB60

Function 00B03837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B03908

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: fdcb506e1fb23e2efe3c2f34e0ebf34763b158e67552e525834282786cb1f68b
Instruction ID: ae31d533037ed47c5d659afdcd61191983aad0503a911b8b4b754d44d7d45a2e
Opcode Fuzzy Hash: fdcb506e1fb23e2efe3c2f34e0ebf34763b158e67552e525834282786cb1f68b
Instruction Fuzzy Hash: 1931A770605701EFD720DF24D898797BBE8FB49718F0009AFF59A83290EB71AA44CB56

Function 00B05745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00B0949C,?,00008000), ref: 00B05773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00B0949C,?,00008000), ref: 00B44052

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 05b44aba74402a5699fa16d78981762a66a29a2c0b3b86f29a56f608d5daf59d
Instruction ID: fb6e669d4c7368218db6b37a5f6c1b3b2dbca94d6e6d9ca363ea9890be8b9e12
Opcode Fuzzy Hash: 05b44aba74402a5699fa16d78981762a66a29a2c0b3b86f29a56f608d5daf59d
Instruction Fuzzy Hash: 28015231145225B6E3304A2ADD0EF977F98EF027B0F14C351BA9C6A1E0CBB45854DBA4

Function 00B0B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B0BB4E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 681a44524c02e95e84dd3beeaacbf18873aecd9cdd055ccc171283d9def2099a
Instruction ID: 82e07e8b1186e3c7fb31899e44747bc3d39000a977e21faf62726138f1213e2f
Opcode Fuzzy Hash: 681a44524c02e95e84dd3beeaacbf18873aecd9cdd055ccc171283d9def2099a
Instruction Fuzzy Hash: B1329A31A002099FDB24DF54C894FBABBF9EF48314F1480DAED15AB2A1D774AD85CB91

Function 00DC10D0 Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00DC08E0: GetFileAttributesW.KERNELBASE(?), ref: 00DC08EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00DC121A

Memory Dump Source

Source File: 00000000.00000002.3543963122.0000000000DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 15017126d754fb008acc4372b8eab763b8d9a4dc13d202e9ed8a87343effb646
Instruction ID: 5f967b435d9a453e50c8afe2cc406db3aa3db7df3b2803904ee677278a4c9e8f
Opcode Fuzzy Hash: 15017126d754fb008acc4372b8eab763b8d9a4dc13d202e9ed8a87343effb646
Instruction Fuzzy Hash: D751B335A1121996DF14EFA0D805FEE737AEF58300F108569BA09F7280EB399B45CBB5

Function 00B04ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B04E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B04EDD,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E9C
Part of subcall function 00B04E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B04EAE
Part of subcall function 00B04E90: FreeLibrary.KERNEL32(00000000,?,?,00B04EDD,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04EFD

Part of subcall function 00B04E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B43CDE,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E62
Part of subcall function 00B04E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B04E74
Part of subcall function 00B04E59: FreeLibrary.KERNEL32(00000000,?,?,00B43CDE,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E87

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 02079535b4f7ac10efc1de25d76fd4b2b1593ffae5bc32ccfca59d85831ff64f
Instruction ID: ed2ff3f6bf27b964110eccb3eccd0754e2b473a198e7f88ccf5254328f48fec9
Opcode Fuzzy Hash: 02079535b4f7ac10efc1de25d76fd4b2b1593ffae5bc32ccfca59d85831ff64f
Instruction Fuzzy Hash: 4311E771610306AADF24BB60DC42FED7BE5AF40B11F2084ADF656A61D2EFB09A059B50

Function 00B38402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B38440

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b39841514df3b22cafd6982922fc3982d99cc324e913327bc4494cd200c96ad1
Instruction ID: d20fd6ac125feb91b029e0c94ed49c077a20f543a154e67207a38f0ae1afe9bd
Opcode Fuzzy Hash: b39841514df3b22cafd6982922fc3982d99cc324e913327bc4494cd200c96ad1
Instruction Fuzzy Hash: 9C112A7590420AAFCF15DF58E94199E7BF5EF48314F104099FC08AB312DB31EA11CBA5

Function 00B09A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00B0543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00B09A9C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9705349c369d33966d478ea4d6683c7761db06b51579b25b98f942582a112da3
Instruction ID: 508c42623f2c502477a9cd8ca04add920354bfc1563255b52da81d6ffd8b1209
Opcode Fuzzy Hash: 9705349c369d33966d478ea4d6683c7761db06b51579b25b98f942582a112da3
Instruction Fuzzy Hash: 2F1106312047059FD7208E15C881B66BBE9EB44764F14C46EE9AB8BA92C770A945CB60

Function 00B35000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B34C7D: RtlAllocateHeap.NTDLL(00000008,00B01129,00000000,?,00B32E29,00000001,00000364,?,?,?,00B2F2DE,00B33863,00BD1444,?,00B1FDF5,?), ref: 00B34CBE

_free.LIBCMT ref: 00B3506C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction ID: a4c9d45bd6e9e0c6463bc254c902b8652be94e6eb1a1fa5ec1c731924d427138
Opcode Fuzzy Hash: 70ee4adefee6eb26262b39f529bfb094e1f6354ac2554c6942b38d017f4a210d
Instruction Fuzzy Hash: D80149722047046BE3358F65D881A5AFBECFB89370F75066DE184832C0EB31A805C7B4

Function 00B2E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 57f0992646c1725eb15509571e5688c14c3c28994a312d62806ba6dacf9b15c7
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: D0F0F432510A3096C6323A6ABC05B5A33D8DF52331F2007E5F438962D2DB74E80186A6

Function 00B34C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00B01129,00000000,?,00B32E29,00000001,00000364,?,?,?,00B2F2DE,00B33863,00BD1444,?,00B1FDF5,?), ref: 00B34CBE

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9e7baea4b9a72a9b7caaa399727e147123c85735d414341048c2a609706c5089
Instruction ID: cb15edff741a994fef0b5b12b3dc5f40d4dc319b1ced385f770c763703953afc
Opcode Fuzzy Hash: 9e7baea4b9a72a9b7caaa399727e147123c85735d414341048c2a609706c5089
Instruction Fuzzy Hash: 90F0B431602234A6DB215F62AD05B5B37C8EF417A0F7551A2B819A7191CF70FC0546A0

Function 00B33820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 25883fe872b88fe502f4ce5468cfbe994b864aedc3a4a11be891539a96114130
Instruction ID: 88479147b0f2bdb61a102894d5e84026db470cebdb62594449ff1c806eea4bfe
Opcode Fuzzy Hash: 25883fe872b88fe502f4ce5468cfbe994b864aedc3a4a11be891539a96114130
Instruction Fuzzy Hash: 79E0E531101234A6E6212A66AC00B9B37C8EF42FB0F3500B1BD08A28A0EF10DD0183E4

Function 00B34D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B34D9C

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: ba8b8ed98e1e0bfa6d1f4bae8c8f818472683d36b51bcf1a427aea751e67cbf8
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 06E092361003059F8720CF6CE400A82B7F4EF84320B208579E89DD3310D731F812CB80

Function 00B04F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04F6D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e01cf911c928a2e5559675475854c881394d46f51df658c4fcfbee5d41048b80
Instruction ID: 0b76e03610ce683d5369142bf6cc858722b72d4cda7721f4d9ec63e8e5da555a
Opcode Fuzzy Hash: e01cf911c928a2e5559675475854c881394d46f51df658c4fcfbee5d41048b80
Instruction Fuzzy Hash: 8EF015B1105752CFDB349F64E490822BBE4EF1432932089AEE3EE92661CB319884DB10

Function 00B02DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B02DC4

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 2fafb7ea477e0f656da037a0401057494f8aae90b735a6756e571072782af778
Instruction ID: 033b96e54742bfaff469dbaa2a8314b095dda8731749367045838a83be295924
Opcode Fuzzy Hash: 2fafb7ea477e0f656da037a0401057494f8aae90b735a6756e571072782af778
Instruction Fuzzy Hash: 6EE0CD72A001245BC710D7589C06FDA77DDDFC8790F0400B1FD09D7248DD60AD848550

Function 00B72693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B726B5

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 35a9150c30b2b3c2323177be232f3deb3225e789bf3c7145f6965f6b2f5c73c5
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 5BE04FB0609B005FDF3D5B28A8517B677E8DF49300F0048AEF6AF82352E572B8458A4D

Function 00B02B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B03837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B03908

Part of subcall function 00B0D730: GetInputState.USER32 ref: 00B0D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00B02B6B

Part of subcall function 00B030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B0314E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2e531dfb46ecd48b7be3cc2bdae30bd64c0c8ca84db2eb8f09a0a83f34db9f82
Instruction ID: bf2c5542b5403e1fbe467e4fa0ced64724bf5bf3dd2bebf389be1e0af0f11a56
Opcode Fuzzy Hash: 2e531dfb46ecd48b7be3cc2bdae30bd64c0c8ca84db2eb8f09a0a83f34db9f82
Instruction Fuzzy Hash: 7AE0862230424417C604BB74985A57DFFDD9BD1751F4059FFF142432E3DE2549494751

Function 00DC08E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00DC08EB

Memory Dump Source

Source File: 00000000.00000002.3543963122.0000000000DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 41a5724d216bb340c1adc8d3daa4b15e7ae76a67235992830ed96afbc309e11c
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 26E0867150520DDBD710CBB88804FA97BA4DB08310F148659E455C3181D9308D409B64

Function 00B4039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B40704,?,?,00000000,?,00B40704,00000000,0000000C), ref: 00B403B7

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a361ca0bd8d5bd97374ad879cbdb137a6fa89b30286adf9de36bc9cf21e2e3f
Instruction ID: f98dc9624604ee4e51592e429f2e1b766fcb9569bac019ffaad25cef321f951a
Opcode Fuzzy Hash: 9a361ca0bd8d5bd97374ad879cbdb137a6fa89b30286adf9de36bc9cf21e2e3f
Instruction Fuzzy Hash: 4AD06C3204010DBBDF028F84DD06EDA3FAAFB48714F014000BE1866020C732E821ABA4

Function 00DC08B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00DC08BB

Memory Dump Source

Source File: 00000000.00000002.3543963122.0000000000DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 37a3a94c9410026d0b004d9912ed0af109199cb5a50555687365029ffeaf56f0
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: B9D05E3090620DEBCB10DAA49804A9A77A89B04320F108759E91593280D63199409BA0

Function 00B01CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B01CBC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: c6f578b2a5e7521da12698376b18a013151302943809928c702aa4da1622f5d9
Instruction ID: 0bbf5f35545081632cd372ceb1d47292128b686d78f6049c5aee52ab083576a5
Opcode Fuzzy Hash: c6f578b2a5e7521da12698376b18a013151302943809928c702aa4da1622f5d9
Instruction Fuzzy Hash: 20C09B35281304BFF2144784BD5BF10BB54A368B14F544403F609575E3DBA11410D654

Function 00B7744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00B05745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00B0949C,?,00008000), ref: 00B05773

GetLastError.KERNEL32(00000002,00000000), ref: 00B776DE

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: b768a8cd61487de0e1ec48d8d42bad883ed3a478b73a997e2a672a3578dd953c
Instruction ID: ad1271b341696145c63d013fb50402c663d9e6d59ec1ddc4f8b238d0a5a9c5e8
Opcode Fuzzy Hash: b768a8cd61487de0e1ec48d8d42bad883ed3a478b73a997e2a672a3578dd953c
Instruction Fuzzy Hash: 218171306487019FC714EF28C491A6ABBE1EF99354F04859DF89A5B3E2DB30ED45CB92

Function 00B1FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00B1FD1F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 134307648caad685560d940c68bf7f0ba711b72cb00077556e7234bd96602cf4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0831C175A0010A9BC718DF59E4809B9FBE5FB89340BA486F5E80ACB656D731EDC1DBC0

Function 00DC230C Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00DC2322

Memory Dump Source

Source File: 00000000.00000002.3543963122.0000000000DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3096e14d89e75d91452536fdabd5f28b039f6dbb9701e42d89b7019d45377341
Instruction ID: b284da2fc3e3453fef988afcf73eff33d2b767aafd441215b6f52bd27fc2a16b
Opcode Fuzzy Hash: 3096e14d89e75d91452536fdabd5f28b039f6dbb9701e42d89b7019d45377341
Instruction Fuzzy Hash: 1401B63094014EABCB04EFE4C989AFEBBB9FF04711F504559FA16A7580DB349A50CB61

Function 00DC2310 Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00DC2322

Memory Dump Source

Source File: 00000000.00000002.3543963122.0000000000DC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dc0000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction ID: eade734fbb558f99d61a570f4984741fd73effce8efa73626e00abfeccc7a03f
Opcode Fuzzy Hash: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction Fuzzy Hash: DBF0B23094014EABCB00EFE4C989AFEBBB8FF04711F504559EA16A7180DB349A508BA1

Non-executed Functions

Function 00B99576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B9961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B9965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B9969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B996C9
SendMessageW.USER32 ref: 00B996F2
GetKeyState.USER32(00000011), ref: 00B9978B
GetKeyState.USER32(00000009), ref: 00B99798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B997AE
GetKeyState.USER32(00000010), ref: 00B997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B997E9
SendMessageW.USER32 ref: 00B99810
SendMessageW.USER32(?,00001030,?,00B97E95), ref: 00B99918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B9992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B99941
SetCapture.USER32(?), ref: 00B9994A
ClientToScreen.USER32(?,?), ref: 00B999AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B999BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B999D6
ReleaseCapture.USER32 ref: 00B999E1
GetCursorPos.USER32(?), ref: 00B99A19
ScreenToClient.USER32(?,?), ref: 00B99A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B99A80
SendMessageW.USER32 ref: 00B99AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B99AEB
SendMessageW.USER32 ref: 00B99B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B99B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B99B4A
GetCursorPos.USER32(?), ref: 00B99B68
ScreenToClient.USER32(?,?), ref: 00B99B75
GetParent.USER32(?), ref: 00B99B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B99BFA
SendMessageW.USER32 ref: 00B99C2B
ClientToScreen.USER32(?,?), ref: 00B99C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B99CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B99CDE
SendMessageW.USER32 ref: 00B99D01
ClientToScreen.USER32(?,?), ref: 00B99D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B99D82

Part of subcall function 00B19944: GetWindowLongW.USER32(?,000000EB), ref: 00B19952

GetWindowLongW.USER32(?,000000F0), ref: 00B99E05

Strings

@GUI_DRAGID, xrefs: 00B9997D
F, xrefs: 00B99D07

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 8fc09742d9d9722d1599f472e70d78f9c22554ee809272a01f729286bc300959
Instruction ID: b838dee1b642d91244b0ae3bb3733278679c2fec839c0d9ffc7ca7920f2e626b
Opcode Fuzzy Hash: 8fc09742d9d9722d1599f472e70d78f9c22554ee809272a01f729286bc300959
Instruction Fuzzy Hash: 2442AF31204241AFDB64CF68CD94EAABBE5FF49310F104AAEF559872A1DB31E891CF51

Function 00B94873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00B948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00B94908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00B94927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00B9494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00B9495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00B9497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00B949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00B949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00B94A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B94A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B94A7E
IsMenu.USER32(?), ref: 00B94A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B94AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B94B20
GetWindowLongW.USER32(?,000000F0), ref: 00B94B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00B94BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00B94C82
wsprintfW.USER32 ref: 00B94CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B94CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B94CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B94D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B94D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00B94D5A

Strings

%d/%02d/%02d, xrefs: 00B94CA8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 557d3429605207b454ba7466181227f6e215a16c2d92044a9a7c89ba907b944f
Instruction ID: 121c93146cc49ea249d1f2efd5f586873e0e94cd479d1df45fde8cea24f23f6f
Opcode Fuzzy Hash: 557d3429605207b454ba7466181227f6e215a16c2d92044a9a7c89ba907b944f
Instruction Fuzzy Hash: 4312D071600215ABEF248F28CD49FAE7BF8EF45710F1441AAF51AEB2E1DB749942CB50

Function 00B1F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B1F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B5F474
IsIconic.USER32(00000000), ref: 00B5F47D
ShowWindow.USER32(00000000,00000009), ref: 00B5F48A
SetForegroundWindow.USER32(00000000), ref: 00B5F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B5F4AA
GetCurrentThreadId.KERNEL32 ref: 00B5F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B5F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B5F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B5F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00B5F4DE
SetForegroundWindow.USER32(00000000), ref: 00B5F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5F4F6
keybd_event.USER32(00000012,00000000), ref: 00B5F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5F50B
keybd_event.USER32(00000012,00000000), ref: 00B5F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5F519
keybd_event.USER32(00000012,00000000), ref: 00B5F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5F528
keybd_event.USER32(00000012,00000000), ref: 00B5F52D
SetForegroundWindow.USER32(00000000), ref: 00B5F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00B5F557

Strings

Shell_TrayWnd, xrefs: 00B5F46F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9d46f60a163dc9287bc3cdbed417987aeed13b3a9c98656e0f1c1f329e2a3473
Instruction ID: 7bc89c643c0203d6dbd65a32ca5e2a4af55c1a00e790c91c2dc7f1f7713a4886
Opcode Fuzzy Hash: 9d46f60a163dc9287bc3cdbed417987aeed13b3a9c98656e0f1c1f329e2a3473
Instruction Fuzzy Hash: 62317271A40318BBEB206BB55D4AFBF7EACEB44B51F1104A6FA04E71D1DBB15D00AA60

Function 00B61201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00B616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6170D
Part of subcall function 00B616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B6173A
Part of subcall function 00B616C3: GetLastError.KERNEL32 ref: 00B6174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B61286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B612A8
CloseHandle.KERNEL32(?), ref: 00B612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B612D1
GetProcessWindowStation.USER32 ref: 00B612EA
SetProcessWindowStation.USER32(00000000), ref: 00B612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B61310

Part of subcall function 00B610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B611FC), ref: 00B610D4
Part of subcall function 00B610BF: CloseHandle.KERNEL32(?,?,00B611FC), ref: 00B610E9

Strings

winsta0, xrefs: 00B612CC
default, xrefs: 00B6130B
, xrefs: 00B6125A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: c12ae048a865f4356fc5241c16e53e497f71ebdc5f01c24163a40d149265ff94
Instruction ID: 47b236bd2fc45815d2c5747f144421296bdf20f0865acbbda609c23a7457eee4
Opcode Fuzzy Hash: c12ae048a865f4356fc5241c16e53e497f71ebdc5f01c24163a40d149265ff94
Instruction Fuzzy Hash: E5818D71900209ABDF109FA8DD49BEE7BF9EF04704F1845AAF910B72A0DB798944CF21

Function 00B60B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61114
Part of subcall function 00B610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61120
Part of subcall function 00B610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B6112F
Part of subcall function 00B610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61136
Part of subcall function 00B610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B60BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B60C00
GetLengthSid.ADVAPI32(?), ref: 00B60C17
GetAce.ADVAPI32(?,00000000,?), ref: 00B60C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B60C6D
GetLengthSid.ADVAPI32(?), ref: 00B60C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B60C8C
HeapAlloc.KERNEL32(00000000), ref: 00B60C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B60CB4
CopySid.ADVAPI32(00000000), ref: 00B60CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B60CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B60D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B60D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60D45
HeapFree.KERNEL32(00000000), ref: 00B60D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60D55
HeapFree.KERNEL32(00000000), ref: 00B60D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60D65
HeapFree.KERNEL32(00000000), ref: 00B60D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B60D78
HeapFree.KERNEL32(00000000), ref: 00B60D7F

Part of subcall function 00B61193: GetProcessHeap.KERNEL32(00000008,00B60BB1,?,00000000,?,00B60BB1,?), ref: 00B611A1
Part of subcall function 00B61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B60BB1,?), ref: 00B611A8
Part of subcall function 00B61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B60BB1,?), ref: 00B611B7

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 436e4c198fc412dc1521fd96a96b55faa984b34cd0c5a24afd8722d5eca2158d
Instruction ID: 5a2d901e54ebc50bb409dee0d83ad95b0df491af014a0505bc7c839525db8b69
Opcode Fuzzy Hash: 436e4c198fc412dc1521fd96a96b55faa984b34cd0c5a24afd8722d5eca2158d
Instruction Fuzzy Hash: 8C717C7290021AAFDF10EFA5DD44FAFBBB8FF05300F1446A5E914A7191DB75A905CB60

Function 00B7EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B9CC08), ref: 00B7EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B7EB37
GetClipboardData.USER32(0000000D), ref: 00B7EB43
CloseClipboard.USER32 ref: 00B7EB4F
GlobalLock.KERNEL32(00000000), ref: 00B7EB87
CloseClipboard.USER32 ref: 00B7EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00B7EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00B7EBC9
GetClipboardData.USER32(00000001), ref: 00B7EBD1
GlobalLock.KERNEL32(00000000), ref: 00B7EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 00B7EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00B7EC38
GetClipboardData.USER32(0000000F), ref: 00B7EC44
GlobalLock.KERNEL32(00000000), ref: 00B7EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B7EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B7EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B7ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 00B7ECF3
CountClipboardFormats.USER32 ref: 00B7ED14
CloseClipboard.USER32 ref: 00B7ED59

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f0d2f09925a67e4b5df07052433427573d54a3c15fc14d613e509b847a698855
Instruction ID: 15cab051d7a7011437e8d31a746479c8785a56e91e621fcbc40a070c2ebe2e06
Opcode Fuzzy Hash: f0d2f09925a67e4b5df07052433427573d54a3c15fc14d613e509b847a698855
Instruction Fuzzy Hash: 6E61BF34204201AFD310EF24D985F2A7FE4EF88714F1485DAF46A972A2DF31D905CBA2

Function 00B7698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B769BE
FindClose.KERNEL32(00000000), ref: 00B76A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B76A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B76A75

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B76AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B76ADF

Strings

%02d, xrefs: 00B76C00, 00B76C0A, 00B76C5A, 00B76CAA, 00B76CFA, 00B76D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00B76B32
%4d%02d%02d%02d%02d%02d, xrefs: 00B76B6A
%03d, xrefs: 00B76DA2
%4d, xrefs: 00B76BB1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: b0be3e56fa0747383a505df3cf79cf40da00bcb65685304247ab0ad6a3120557
Instruction ID: 15ed826d91b00fb25c5bbbda8ceeb13b23a56d9b9ee07448bd1b6d0bc611d6f5
Opcode Fuzzy Hash: b0be3e56fa0747383a505df3cf79cf40da00bcb65685304247ab0ad6a3120557
Instruction Fuzzy Hash: 7DD16371508341AFC310EBA4C882EABBBECEF88704F44499DF599D7191EB34DA44CB62

Function 00B79642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00B79663
GetFileAttributesW.KERNEL32(?), ref: 00B796A1
SetFileAttributesW.KERNEL32(?,?), ref: 00B796BB
FindNextFileW.KERNEL32(00000000,?), ref: 00B796D3
FindClose.KERNEL32(00000000), ref: 00B796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00B796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7974A
SetCurrentDirectoryW.KERNEL32(00BC6B7C), ref: 00B79768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B79772
FindClose.KERNEL32(00000000), ref: 00B7977F
FindClose.KERNEL32(00000000), ref: 00B7978F

Strings

*.*, xrefs: 00B796F5

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fbdd810d3ad6b7eaddc059981a641f89f100b5a3cab700f6bc1a9bd2dafdad4e
Instruction ID: 9528d42073023db67dfe5871efa4023c58ea9664d0d90d00338574d662d053d3
Opcode Fuzzy Hash: fbdd810d3ad6b7eaddc059981a641f89f100b5a3cab700f6bc1a9bd2dafdad4e
Instruction Fuzzy Hash: F631A2325412196ADB28EFB4ED49EDE7BECDF09320F1081D6E829E31A0DB30DD448A64

Function 00B7979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00B797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00B79819
FindClose.KERNEL32(00000000), ref: 00B79824
FindFirstFileW.KERNEL32(*.*,?), ref: 00B79840
SetCurrentDirectoryW.KERNEL32(?), ref: 00B79890
SetCurrentDirectoryW.KERNEL32(00BC6B7C), ref: 00B798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B798B8
FindClose.KERNEL32(00000000), ref: 00B798C5
FindClose.KERNEL32(00000000), ref: 00B798D5

Part of subcall function 00B6DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B6DB00

Strings

*.*, xrefs: 00B7983B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: dc87a492dd8af81882bde57d334c16c46e868cad7f335379a0c6148a69d67f00
Instruction ID: 28c8c2848c6b6536229ccc01d5a7471cb2c3da9224cf0d192d87ffa47317ae14
Opcode Fuzzy Hash: dc87a492dd8af81882bde57d334c16c46e868cad7f335379a0c6148a69d67f00
Instruction Fuzzy Hash: 63319331541619AADB24EFB4EC49EDE77FCDF06360F1481D6E828A31E0DB30DD448A65

Function 00B78195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B78257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B78267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B78273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B78310
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78324
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B7838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78395

Strings

*.*, xrefs: 00B7839B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 13648d234d96089736664e04b04e2907d67cbfc6f5f345a555786b18ff3db25c
Instruction ID: be77f013e5c4df7ff24197a2593b3036f2083e037babe9524ac7970aad5b1480
Opcode Fuzzy Hash: 13648d234d96089736664e04b04e2907d67cbfc6f5f345a555786b18ff3db25c
Instruction Fuzzy Hash: 88617AB25083059FCB10EF64C8849AEB7E8FF89314F04899EF999D7251DB31E945CB92

Function 00B6D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B03A97,?,?,00B02E7F,?,?,?,00000000), ref: 00B03AC2

Part of subcall function 00B6E199: GetFileAttributesW.KERNEL32(?,00B6CF95), ref: 00B6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B6D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B6D1DD
MoveFileW.KERNEL32(?,?), ref: 00B6D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B6D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B6D237

Part of subcall function 00B6D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B6D21C,?,?), ref: 00B6D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00B6D253
FindClose.KERNEL32(00000000), ref: 00B6D264

Strings

\*.*, xrefs: 00B6D0CD, 00B6D0D6, 00B6D0EB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: baf631d3afb1da7c085a914c4091a62cec3d6eb3cf1b85584fca409e6ae9dbb3
Instruction ID: 4eaff6efb94e0621e259d055c620885e1afdddeeace14291651857107bf393d5
Opcode Fuzzy Hash: baf631d3afb1da7c085a914c4091a62cec3d6eb3cf1b85584fca409e6ae9dbb3
Instruction Fuzzy Hash: 2B614D31D0124D9FCF15EBA0CA929EEBBF9AF55340F2481A5E40177192EB34AF09DB61

Function 00B7ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B7ED91
EmptyClipboard.USER32 ref: 00B7ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00B7EDAC
CloseClipboard.USER32 ref: 00B7EEA3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c89d914856fc85930c388f39665fcfc09021a6e7955253be3ab7d97c374cd594
Instruction ID: 40a4c5fd815de2445da0481b5dee1b85fb522b04d9c1d1cd48d2583be2b6a028
Opcode Fuzzy Hash: c89d914856fc85930c388f39665fcfc09021a6e7955253be3ab7d97c374cd594
Instruction Fuzzy Hash: CD418E35604611AFD720DF15E888B19BFE5EF48328F14C4DAE4298B6A2CB35EC41CB90

Function 00B6E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6170D
Part of subcall function 00B616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B6173A
Part of subcall function 00B616C3: GetLastError.KERNEL32 ref: 00B6174A

ExitWindowsEx.USER32(?,00000000), ref: 00B6E932

Strings

, xrefs: 00B6E95C
SeShutdownPrivilege, xrefs: 00B6E902
, xrefs: 00B6E920
@, xrefs: 00B6E925

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 52fe72d0213b1e858fd3157823f3f80c77e8f92063b97944236fdb4db8a600d0
Instruction ID: f92bd16bbebd538187eba42b7ad5d6565432ca625a0acca56a6536a95d339476
Opcode Fuzzy Hash: 52fe72d0213b1e858fd3157823f3f80c77e8f92063b97944236fdb4db8a600d0
Instruction Fuzzy Hash: 0D012B36610210ABFB1426749C8AFBB73ECDF14740F1508A2F822E31D1DAB99C4083A0

Function 00B81204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B81276
WSAGetLastError.WSOCK32 ref: 00B81283
bind.WSOCK32(00000000,?,00000010), ref: 00B812BA
WSAGetLastError.WSOCK32 ref: 00B812C5
closesocket.WSOCK32(00000000), ref: 00B812F4
listen.WSOCK32(00000000,00000005), ref: 00B81303
WSAGetLastError.WSOCK32 ref: 00B8130D
closesocket.WSOCK32(00000000), ref: 00B8133C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 4c3bcb1bcef9720a7be89d55cc4f6f8be45eefc821bbb0a917b0f2ae60e47703
Instruction ID: 9805c28f3e2ef23f8e05eb0718695904b3ae2eb75be804fd1aa13d980e278fb7
Opcode Fuzzy Hash: 4c3bcb1bcef9720a7be89d55cc4f6f8be45eefc821bbb0a917b0f2ae60e47703
Instruction Fuzzy Hash: F84181316011009FD710EF68C5C4B69BBE5EF46318F1885C9D8569F2E6C771ED86CBA1

Function 00B3B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3B9D4
_free.LIBCMT ref: 00B3B9F8
_free.LIBCMT ref: 00B3BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BA3700), ref: 00B3BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B3BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD1270,000000FF,?,0000003F,00000000,?), ref: 00B3BC36
_free.LIBCMT ref: 00B3BD4B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8849652c52d1714ba3bd1b3f46a58415d56955ecb8fd6410e3e26790fe206889
Instruction ID: 900c827b64dc2bee07a59096d9c5dcf0a6b4a4b08b8d90c076deb95fd83a4179
Opcode Fuzzy Hash: 8849652c52d1714ba3bd1b3f46a58415d56955ecb8fd6410e3e26790fe206889
Instruction Fuzzy Hash: A0C11371A04208AFCB24DF689C51FAABBE8EF45310F3445EAE694D7259EF319E41C750

Function 00B6D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B03A97,?,?,00B02E7F,?,?,?,00000000), ref: 00B03AC2

Part of subcall function 00B6E199: GetFileAttributesW.KERNEL32(?,00B6CF95), ref: 00B6E19A

FindFirstFileW.KERNEL32(?,?), ref: 00B6D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B6D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B6D481
FindClose.KERNEL32(00000000), ref: 00B6D498
FindClose.KERNEL32(00000000), ref: 00B6D4A1

Strings

\*.*, xrefs: 00B6D3F2

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c28d6ac7e7d1afe836c0935085ba13623c2028e756ec0eb919aab5d9563a63e8
Instruction ID: 91677ac8de408e3fd63e5ee2222b491b64c09fc7a1e4b5081ef0d6ef66755e20
Opcode Fuzzy Hash: c28d6ac7e7d1afe836c0935085ba13623c2028e756ec0eb919aab5d9563a63e8
Instruction Fuzzy Hash: FB316D315183459FC204EF64C8959AFBBE8AE92340F444E9EF4D1932D1EF34AE098B62

Function 00B3E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B3E645

Strings

1#SNAN, xrefs: 00B3F844
1#INF, xrefs: 00B3F852
1#IND, xrefs: 00B3F83D
1#QNAN, xrefs: 00B3F84B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 824e569cf8b34866068799c06da4e083fa4be2785bbcb639460e479880943cad
Instruction ID: 35f7b0053496d21c00f73a9cf20e22c0a016975a798247468270cfe7a9cad69f
Opcode Fuzzy Hash: 824e569cf8b34866068799c06da4e083fa4be2785bbcb639460e479880943cad
Instruction Fuzzy Hash: 88C23A71E086298FDB25CE28DD807EAB7F5EB48304F2541EAD45DE7281E774AE858F40

Function 00B7648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B764DC
CoInitialize.OLE32(00000000), ref: 00B76639
CoCreateInstance.OLE32(00B9FCF8,00000000,00000001,00B9FB68,?), ref: 00B76650
CoUninitialize.OLE32 ref: 00B768D4

Strings

.lnk, xrefs: 00B764BA, 00B76524, 00B765E0

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 6facb5bf12b251d574e5bec0d7fb6cc67aa2be575bbd3bc2499f3b1276446839
Instruction ID: c6363f52e3b6d672da95a2e14ace3335e2aa5292ce4c264549b91dc26818325d
Opcode Fuzzy Hash: 6facb5bf12b251d574e5bec0d7fb6cc67aa2be575bbd3bc2499f3b1276446839
Instruction Fuzzy Hash: 56D14A715087019FC314EF24C88196BBBE9FF94704F0089ADF5998B2A1EB70ED09CB92

Function 00B822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00B822E8

Part of subcall function 00B7E4EC: GetWindowRect.USER32(?,?), ref: 00B7E504

GetDesktopWindow.USER32 ref: 00B82312
GetWindowRect.USER32(00000000), ref: 00B82319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B82355
GetCursorPos.USER32(?), ref: 00B82381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B823DF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9b0ca28260705c7f11352fcded7523c33909e29648c920d2192a1ae8137d3393
Instruction ID: 5b669bc3604c12a79e9f4f18d627130cac87c745f01354e405016a621a53560a
Opcode Fuzzy Hash: 9b0ca28260705c7f11352fcded7523c33909e29648c920d2192a1ae8137d3393
Instruction Fuzzy Hash: 2E31E072504315AFCB20EF54D849B5BBBE9FF88310F00095AF999A7191DB34EA08CB96

Function 00B79B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B79B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B79C8B

Part of subcall function 00B73874: GetInputState.USER32 ref: 00B738CB
Part of subcall function 00B73874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B73966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B79BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B79C75

Strings

*.*, xrefs: 00B79B5D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4516f6d3fea3e7e95efd65683312f8e519f6e00b1a4b9d57e88952ff0b4b62aa
Instruction ID: 4525ad2bbea6e3e3bc41201d8b843a78f764ec30070c3d23647f53a6f754a0da
Opcode Fuzzy Hash: 4516f6d3fea3e7e95efd65683312f8e519f6e00b1a4b9d57e88952ff0b4b62aa
Instruction Fuzzy Hash: 26413171904209AFDF15DF64C985AEEBBF8EF05350F248196E419A3291DB309E84CF65

Function 00B1997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B19A4E
GetSysColor.USER32(0000000F), ref: 00B19B23
SetBkColor.GDI32(?,00000000), ref: 00B19B36

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: b39ee8e50ba5c7b94245f67535785b42d0e68dcaf9fa0dfd705220f601589715
Instruction ID: 9b8a6cb03ebcb52628ced1850b0d33118c66e53435eac3e53c40ce35529c3531
Opcode Fuzzy Hash: b39ee8e50ba5c7b94245f67535785b42d0e68dcaf9fa0dfd705220f601589715
Instruction Fuzzy Hash: C4A13970318484BEE729AA2CACF8EFB2ADDDF46741F5401D9F802C7691DE259D89C271

Function 00B81806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B8307A
Part of subcall function 00B8304E: _wcslen.LIBCMT ref: 00B8309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B8185D
WSAGetLastError.WSOCK32 ref: 00B81884
bind.WSOCK32(00000000,?,00000010), ref: 00B818DB
WSAGetLastError.WSOCK32 ref: 00B818E6
closesocket.WSOCK32(00000000), ref: 00B81915

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: da92464f375b73886a6ff7a31a3c22a668cfd55bf95d5d6b486babbd378ca73e
Instruction ID: f8c3aeae7db3c69a750c6ad44920ca534637300f4f16da7e4b5812d51d1e8d06
Opcode Fuzzy Hash: da92464f375b73886a6ff7a31a3c22a668cfd55bf95d5d6b486babbd378ca73e
Instruction Fuzzy Hash: 95518171A002109FD710AF28C886F6A7BE5EB44718F5485D8F9095F3D3DB71AD82CBA1

Function 00B91C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B91CC0
IsWindowEnabled.USER32 ref: 00B91CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00B91CDB
IsIconic.USER32 ref: 00B91CE9
IsZoomed.USER32 ref: 00B91CF7

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 73a2c9fee87f6ae5dc3c6f14f3e8d5ecdef3b2c16bb0d57fea23521442062314
Instruction ID: 1df74a89638af84727ff44751f04f249ca62786ffdd91c11ffb4f14f88bff762
Opcode Fuzzy Hash: 73a2c9fee87f6ae5dc3c6f14f3e8d5ecdef3b2c16bb0d57fea23521442062314
Instruction Fuzzy Hash: 912171317402125FDB208F2AD884B6A7FE5EF95315B1984B9E84A8F351CB71DC42DB90

Function 00B08060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00B083E8
VUUU, xrefs: 00B45DF0
VUUU, xrefs: 00B0843C
VUUU, xrefs: 00B083FA
ERCP, xrefs: 00B0813C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 250a155ee9a7ee83a2cc7e5f6371dcc49c428f17d3627c730e2d34f881efa066
Instruction ID: 52e7d8921268eac05f74b9e1e6f4b2790e3e09e8f76ae26fa71d6a19293c5e54
Opcode Fuzzy Hash: 250a155ee9a7ee83a2cc7e5f6371dcc49c428f17d3627c730e2d34f881efa066
Instruction Fuzzy Hash: B4A24B70A0061ACBDF24CF58C8807AEBBF1FB55310F2481EAE855A7285DB719F81DB91

Function 00B8A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B8A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00B8A6BA

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Process32NextW.KERNEL32(00000000,?), ref: 00B8A79C
CloseHandle.KERNEL32(00000000), ref: 00B8A7AB

Part of subcall function 00B1CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00B43303,?), ref: 00B1CE8A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9eaabe40877909c375ae5072d7f7649f653f7537803fe357e67f96932a016999
Instruction ID: 7348216c10058601411d16f7b16b2f664f23b9bee2ddc43bebbfc410c753b07a
Opcode Fuzzy Hash: 9eaabe40877909c375ae5072d7f7649f653f7537803fe357e67f96932a016999
Instruction Fuzzy Hash: 44515C71508301AFD710EF24C886E6BBBE8FF89754F40895DF585972A2EB70E944CB92

Function 00B6AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B6AAAC
SetKeyboardState.USER32(00000080), ref: 00B6AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B6AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B6AB88

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b42ddd25dfe9325a979d764ada8518e06eedec619eb38ed7e0da6643d3cbd03d
Instruction ID: e6736e4dad66ea814529da6c73e50ef820575c5a6ccdd5db3518a7096bb1237d
Opcode Fuzzy Hash: b42ddd25dfe9325a979d764ada8518e06eedec619eb38ed7e0da6643d3cbd03d
Instruction Fuzzy Hash: D6310530A40208AEEF35DA658C45BFE7BEAEB45310F08429BE581A61D1D77D8D85CB62

Function 00B7CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00B7CE89
GetLastError.KERNEL32(?,00000000), ref: 00B7CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00B7CEFE

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: cd7ef4dc40f30b15f7c84d539f4b0e088ec0d78e89eef7e957c281d412e40a9e
Instruction ID: e7e542c5f64b443aa5e588a83d965c5e29869e1bba0a737e70155dc7784edd2f
Opcode Fuzzy Hash: cd7ef4dc40f30b15f7c84d539f4b0e088ec0d78e89eef7e957c281d412e40a9e
Instruction Fuzzy Hash: C721CF715007059FEB30DFA5D988BA77BFCEB00314F10849EE56AD2151EB74EE488B64

Function 00B68298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B682AA

Strings

|, xrefs: 00B682DA
(, xrefs: 00B682F0

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d1881091f17af74120cc1d2e9f2bce37863509efe826ffa331eebccb3cf1e2c7
Instruction ID: 7691b221d958d7d9d322366d53c658f75edbe2411257885aeebb506ddb9e525a
Opcode Fuzzy Hash: d1881091f17af74120cc1d2e9f2bce37863509efe826ffa331eebccb3cf1e2c7
Instruction Fuzzy Hash: 24323575A007059FCB28CF19C081A6AB7F0FF48710B15C5AEE49ADB3A1EB74E981CB44

Function 00B75C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B75CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00B75D17
FindClose.KERNEL32(?), ref: 00B75D5F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 273cdb3eb9efdeb687ac9d28baf6b4c0b1f1afba5bfd54b373adb2e4c3f7c82d
Instruction ID: 6c01ba2d556f47fa974f01bd2d2c6a6a811e4ef2705cdc2802f1d8764d4d891e
Opcode Fuzzy Hash: 273cdb3eb9efdeb687ac9d28baf6b4c0b1f1afba5bfd54b373adb2e4c3f7c82d
Instruction Fuzzy Hash: 51517A74604A019FC724DF28C494E9ABBE4FF49314F1485AEE96A8B3A1DB70FD44CB91

Function 00B32622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00B3271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B32724
UnhandledExceptionFilter.KERNEL32(?), ref: 00B32731

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 93158d75010296c521d01560a4f49815bbe5a34771130ea399fe4ad27cebbcc8
Instruction ID: 692044feec7c8e0a9d97903f0e82f26f4d929ed5a7fb0988382146a8d051f5d5
Opcode Fuzzy Hash: 93158d75010296c521d01560a4f49815bbe5a34771130ea399fe4ad27cebbcc8
Instruction Fuzzy Hash: D431B474951228ABCB21DF64DD89799BBF8BF08310F5041EAE41CA7261EB309F818F45

Function 00B751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B75238
SetErrorMode.KERNEL32(00000000), ref: 00B752A1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5b8a2a12ee7c4f7407d864edc0f0a92d967a7167d52f786e3e4601e91cab5b0e
Instruction ID: 33570aeacdaaa48e2c0f9bb388653dbafffe70fd374c3c35dc5fe981525d6033
Opcode Fuzzy Hash: 5b8a2a12ee7c4f7407d864edc0f0a92d967a7167d52f786e3e4601e91cab5b0e
Instruction Fuzzy Hash: 16313E75A00518DFDB00DF54D884EADBBF4FF49314F098099E909AB3A2DB71E856CBA1

Function 00B616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B20668
Part of subcall function 00B1FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00B20685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B6173A
GetLastError.KERNEL32 ref: 00B6174A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 9c01fd38af7727f4b10555b5f2ccc2ac93843a6b1a697d2d3184dad52ce965f6
Instruction ID: 90c23e4cb501ec3b7c9684ff7a1f7bcc8da6f55dbebba19d0342e1d1ad758a93
Opcode Fuzzy Hash: 9c01fd38af7727f4b10555b5f2ccc2ac93843a6b1a697d2d3184dad52ce965f6
Instruction Fuzzy Hash: 171191B2504305AFD7189F54ECC6DBABBF9FB44714B24856EE05697241EB70BC41CB24

Function 00B6D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B6D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B6D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B6D650

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7b71d6566c4d3e9209e74c460b8a9f7284a3fdc9d72a850bfd53f7fbff6daf47
Instruction ID: 87236635cf72e4cef99097450d6e71110b8a12fc973f371da90a9cd3eb4dbffe
Opcode Fuzzy Hash: 7b71d6566c4d3e9209e74c460b8a9f7284a3fdc9d72a850bfd53f7fbff6daf47
Instruction Fuzzy Hash: C6115E75E05228BFDB108F95DD45FAFBFBCEB45B50F108166F904E7290D6704A058BA1

Function 00B61663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B6168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B616A1
FreeSid.ADVAPI32(?), ref: 00B616B1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 362548dce6b632dff04c6d351baea68c8a2f813c7e801a22205b38619dc2a8da
Instruction ID: ffa3c4c608e16360fb68496882f25a2719b6d5916a4bab64a71dc99a8f4b48e6
Opcode Fuzzy Hash: 362548dce6b632dff04c6d351baea68c8a2f813c7e801a22205b38619dc2a8da
Instruction Fuzzy Hash: 13F0F475950309FBDB00DFE4DD89AAEBBBCEB08604F5049A5E501E2191E774AA448A50

Function 00B24CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00B328E9,?,00B24CBE,00B328E9,00BC88B8,0000000C,00B24E15,00B328E9,00000002,00000000,?,00B328E9), ref: 00B24D09
TerminateProcess.KERNEL32(00000000,?,00B24CBE,00B328E9,00BC88B8,0000000C,00B24E15,00B328E9,00000002,00000000,?,00B328E9), ref: 00B24D10
ExitProcess.KERNEL32 ref: 00B24D22

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4a479b11da34f0c2b94f7dc708d2f17baaf073211b184c4c206c8ffae4993a7b
Instruction ID: b536174f8dae6d741372fe542c35d9fbfb7cd77bf5589e868b08efe8039fcb34
Opcode Fuzzy Hash: 4a479b11da34f0c2b94f7dc708d2f17baaf073211b184c4c206c8ffae4993a7b
Instruction Fuzzy Hash: 6AE0B631004158AFCF11AF54EE0AA593FA9EB46B81F104065FC099B522CB35DD42CA94

Function 00B3C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00B3C36C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 55cfd49cf171e51ddb52cb6f6cca111bc3b5d93698e52a2ad45af42b35c3bfd0
Instruction ID: fcc454e33243a448153d0b8340bca322796eba8feb518d63a865ef66db423e3f
Opcode Fuzzy Hash: 55cfd49cf171e51ddb52cb6f6cca111bc3b5d93698e52a2ad45af42b35c3bfd0
Instruction Fuzzy Hash: 4E412876500219AFCB249FF9DC49EAB7BF8EB84314F6042A9F915E7180E670AD418B54

Function 00B5D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B5D28C

Strings

X64, xrefs: 00B5D2A8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 19f2636643c5f90e3a304bae6539cf0a26706c476b81ea72bb6e9708e46ada4d
Instruction ID: 69faa81ba87532de38543a3df718bc01365ea00f955f5d34a2ce2e550a734bcf
Opcode Fuzzy Hash: 19f2636643c5f90e3a304bae6539cf0a26706c476b81ea72bb6e9708e46ada4d
Instruction Fuzzy Hash: 5DD0C9B480111DEECB90CB90DCC8DDDB7BCBB04305F100292F506A2000DB7096488F20

Function 00B2CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: bfd45df29a502ab5c5265a3b1886edc0c2d0fab16f104cdb785946c9aa80db27
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 70023D71E001299FDF14CFA9D9806ADFBF1EF48314F2582AAD819E7385D731AE458B84

Function 00B768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B76918
FindClose.KERNEL32(00000000), ref: 00B76961

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 43f24e8d1ffeaa26c2e8994307d8610c5424bbbcc61e9d2bbaf6ba9506c2c4c9
Instruction ID: 83d1a6de00622faad3102beb25f885d9997b22ea7f41efae417df27fd2b30656
Opcode Fuzzy Hash: 43f24e8d1ffeaa26c2e8994307d8610c5424bbbcc61e9d2bbaf6ba9506c2c4c9
Instruction Fuzzy Hash: 6F1190716046019FC710DF29D888A16BBE5FF89328F14C6D9E5698F6A2CB30EC45CB91

Function 00B737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B84891,?,?,00000035,?), ref: 00B737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B84891,?,?,00000035,?), ref: 00B737F4

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0138629de2fcbae34ba8c536a206802c3ce2497ea1df3839ca9ed35c63412038
Instruction ID: 56ddac236a6668d60c9f54d4eb68de8aab68a69a7110419c00ec6d23c9eec8a1
Opcode Fuzzy Hash: 0138629de2fcbae34ba8c536a206802c3ce2497ea1df3839ca9ed35c63412038
Instruction Fuzzy Hash: 41F0E5B1A042286BEB2017668C8DFEB3BEEEFC4B61F0001A5F509D3281D9609D44C6B1

Function 00B6B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B6B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00B6B270

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 928d985c8c1fb843fee979e20fdd07ff3d7601f1a11484ddb413b6bf95d5b910
Instruction ID: f145a7e9517f70ad387e2bb19e510ffa8fa46b1bc708112418d3ed7a35562030
Opcode Fuzzy Hash: 928d985c8c1fb843fee979e20fdd07ff3d7601f1a11484ddb413b6bf95d5b910
Instruction Fuzzy Hash: EDF0177180428EABDB059FA0C806BAE7FB4FF08309F10805AF965A61A2D77D86519F94

Function 00B610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B611FC), ref: 00B610D4
CloseHandle.KERNEL32(?,?,00B611FC), ref: 00B610E9

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1cf74c01a5cceaf2434315e5d9331c94c14a5f508492a98408618b6967f1efdb
Instruction ID: eb27b705c1407faa0774c743da90b7ac48029e155cca20deb54004d3171749b5
Opcode Fuzzy Hash: 1cf74c01a5cceaf2434315e5d9331c94c14a5f508492a98408618b6967f1efdb
Instruction Fuzzy Hash: B6E04F32008601EFE7252B11FD05EB77BE9EB04310F14886EF5A5814B1DB626CE0DB14

Function 00B0CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00B50C40

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: f1138c3af8e3599424ccdf1bd3cb43c98d937783b2633c442fecdd815d6fc412
Instruction ID: 5c62aab8596562fbe1c9357025b89e2057b4c47cc2885224df3e4589df9fcec8
Opcode Fuzzy Hash: f1138c3af8e3599424ccdf1bd3cb43c98d937783b2633c442fecdd815d6fc412
Instruction Fuzzy Hash: 0A3259709102199BDF14EF90C891BEDBFF5EF05304F2482E9E806AB292DB75AD49CB51

Function 00B3676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B36766,?,?,00000008,?,?,00B3FEFE,00000000), ref: 00B36998

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 54ef603056e55ff479010a9f83e89e4bf6ddadb66967cfa8b0aecfeb01bc0fe8
Instruction ID: ccb0b51c3368da5e4648e08103de8b47d12233a748924bc00819b195509f5f92
Opcode Fuzzy Hash: 54ef603056e55ff479010a9f83e89e4bf6ddadb66967cfa8b0aecfeb01bc0fe8
Instruction Fuzzy Hash: A0B13971610608EFD719CF28C48AB657BE0FF49364F25C699E899CF2A2C735E991CB40

Function 00B1B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00B5851F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 41728b5b08f34b63fc79c93bb2dfd966ca6a5ff177394ad350252da77d5cedd1
Instruction ID: e131818dc8dbb5949032e6a3f3d23172f4d067637d116cd30a89d7a5ad8585ec
Opcode Fuzzy Hash: 41728b5b08f34b63fc79c93bb2dfd966ca6a5ff177394ad350252da77d5cedd1
Instruction Fuzzy Hash: 57125E719002299BDB14CF58D881BEEB7F5FF48710F5481EAE849EB251EB309A85CF94

Function 00B7EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B7EABD

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 37279a035bbe66a8082e7759ee7a8460cb3276357a81026ae484ec0a51212266
Instruction ID: b320fb242555dfde394845b9374837a54f3a2901d3c1343d85ce9f3d42ea68d3
Opcode Fuzzy Hash: 37279a035bbe66a8082e7759ee7a8460cb3276357a81026ae484ec0a51212266
Instruction Fuzzy Hash: EAE01A312102049FC710EF59D844E9ABBE9AF98760F00849AFC59C7291DB70E8408B91

Function 00B209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00B203EE), ref: 00B209DA

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 924f0faedc8cc2695abfaa57e91fa34d7b5fcc568695c3a9ea9269afe763ab48
Instruction ID: a059fdf433e44311bb9b66be5dd750316c39ae8560d68416f4b984a9720fc890
Opcode Fuzzy Hash: 924f0faedc8cc2695abfaa57e91fa34d7b5fcc568695c3a9ea9269afe763ab48
Instruction Fuzzy Hash:

Function 00B2781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00B2798B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 9b0d68b7f9b484b5692cf77464359f8cd513ebbaaaf79a7b37ef295d91c95bb9
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 755125716CC7356ADB38856A789ABBE23C5DB12300F1805C9D98EDF282CE15DE81D35E

Function 00B36DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e9dada8757c100e994d3dd22c5413ce91f280d0f4ac55f73205c33dae957bd
Instruction ID: b6dd275020b071c156bb41c20ae3d70183db2c794f71e214caadc71bb95228e9
Opcode Fuzzy Hash: 89e9dada8757c100e994d3dd22c5413ce91f280d0f4ac55f73205c33dae957bd
Instruction Fuzzy Hash: DE320261D69F014DD7279638C822335A689AFB73C5F25D737E81AB6EA6EF29C4C34100

Function 00B1CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee7f8eb67014c6302f49d115d6d876ee9b8220df33b49b3a3a00fa3cc9ab658
Instruction ID: f2dda66499247aa9fc2c8cdcbad8300922aab190742659fd13f06807005ce99a
Opcode Fuzzy Hash: 5ee7f8eb67014c6302f49d115d6d876ee9b8220df33b49b3a3a00fa3cc9ab658
Instruction Fuzzy Hash: 0F32E431A003158FDF24CA68C4D47BD7FE2EB45306F6885EADC499B296E6309D89DB81

Function 00B07920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e949b8ae7ed16afb97f43ec0c25c163432cb9874ed1cbc4fd4c2f480d070c230
Instruction ID: 8deb3d64516072e2e6494a131f1f2dcc92cefe077e31f43f57381af479eb6864
Opcode Fuzzy Hash: e949b8ae7ed16afb97f43ec0c25c163432cb9874ed1cbc4fd4c2f480d070c230
Instruction Fuzzy Hash: 6D22B170E04A0ADFDF14DF64D881AAEB7F5FF48300F1445A9E816A7292EB35AE50DB50

Function 00B091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949b428512e33e9b8d244bc72b4981cd7f47fe39bebd23ba5698207a145b0340
Instruction ID: b372e39637586ac5b317c608f632092e353a813c1a4cfc49db43b595497a063f
Opcode Fuzzy Hash: 949b428512e33e9b8d244bc72b4981cd7f47fe39bebd23ba5698207a145b0340
Instruction Fuzzy Hash: E60295B1E00206EFDB04DF54D881AAEBBF5FF44300F5181A9E816DB291EB31EA51DB95

Function 00B21C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: c09faa91ad4a1bcfb3116e4a0a6dbca03abe868f657732a9296994f8be635df9
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F99199721090B34ADB29463EA57407EFFE1DA623A131A0FEDD4FACA1C5FE14C954D620

Function 00B219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5ac6cbf0bcf721995f4ce046434131ea5005b334807852e187996532aad26b25
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D79152722090F34ADB29467EA57807DFFF19AA23A131A0BEED4FACA1C1FD1485559620

Function 00B27A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ab645e80035121277a95d68b91dfa5daa9220bab6d5cec78a3d29b6e21bf23
Instruction ID: b20bd6bac8473f71c6c6b94c7aceb74cbec4add2dca811bf05b50cb6b5c4578e
Opcode Fuzzy Hash: e4ab645e80035121277a95d68b91dfa5daa9220bab6d5cec78a3d29b6e21bf23
Instruction Fuzzy Hash: E26147712C873996DF389A28B9B9BBE23D4DF46710F1009D9E84EDB281DE119E42835D

Function 00B27CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fbe9531fdac51929ff7e18b95f3a24417a57fd054532017241a85ac3ba5881
Instruction ID: 31ca0ef54eb2b32b4d70c97e75d166261d8f7e000f651cafb7f45e5bd792a30a
Opcode Fuzzy Hash: c7fbe9531fdac51929ff7e18b95f3a24417a57fd054532017241a85ac3ba5881
Instruction Fuzzy Hash: DC617EB56C873957DE3499287895BBF23C8DF46780F1009F9E84EDB281DE119D42836D

Function 00B21706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2596eaf3ae0b80e001a127af0e5c4791ffce9ddcd7af0ed41b83f0a7b114d896
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D48175726090B309DB2D863E957407EFFE19AA23A131A0FDDD4FACE1D1EE248955D620

Function 00B72046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bfd8b559a0cb307b2176e35b5c515e6e15fc6d1eac2471cb795fb8a4aa1b87
Instruction ID: 781d28d3911a20a4dfe3f5783dad43577218b3eba57016876a2cb22b2aaf5a1c
Opcode Fuzzy Hash: d4bfd8b559a0cb307b2176e35b5c515e6e15fc6d1eac2471cb795fb8a4aa1b87
Instruction Fuzzy Hash: 3C2196326216518BD728CF79C82267EB3E5A764310F198A6EE4A7C37D0DE35A904C750

Function 00B82ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B82B30
DeleteObject.GDI32(00000000), ref: 00B82B43
DestroyWindow.USER32 ref: 00B82B52
GetDesktopWindow.USER32 ref: 00B82B6D
GetWindowRect.USER32(00000000), ref: 00B82B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B82CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B82CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82CF8
GetClientRect.USER32(00000000,?), ref: 00B82D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B82D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82DA8
GlobalFree.KERNEL32(00000000), ref: 00B82DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B9FC38,00000000), ref: 00B82DDB
GlobalFree.KERNEL32(00000000), ref: 00B82DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B82E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B82E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B82E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B8303F

Strings

AutoIt v3, xrefs: 00B82CF2
DISPLAY, xrefs: 00B82EA2
, xrefs: 00B82FC5
static, xrefs: 00B82D3A, 00B82E91

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: f563177d4945195cd3cf994e4be5bdc702a09e37ca012d4888ed2322d2b197d3
Instruction ID: ff3006e934f7337e89f2b09a5049f4ab67a198343545e89fb5f0187366dfb412
Opcode Fuzzy Hash: f563177d4945195cd3cf994e4be5bdc702a09e37ca012d4888ed2322d2b197d3
Instruction Fuzzy Hash: E8027B71900214AFDB14DFA4CD89EAE7FF9EF48714F008599F915AB2A1DB70AD01CB60

Function 00B970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B9712F
GetSysColorBrush.USER32(0000000F), ref: 00B97160
GetSysColor.USER32(0000000F), ref: 00B9716C
SetBkColor.GDI32(?,000000FF), ref: 00B97186
SelectObject.GDI32(?,?), ref: 00B97195
InflateRect.USER32(?,000000FF,000000FF), ref: 00B971C0
GetSysColor.USER32(00000010), ref: 00B971C8
CreateSolidBrush.GDI32(00000000), ref: 00B971CF
FrameRect.USER32(?,?,00000000), ref: 00B971DE
DeleteObject.GDI32(00000000), ref: 00B971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00B97230
FillRect.USER32(?,?,?), ref: 00B97262
GetWindowLongW.USER32(?,000000F0), ref: 00B97284

Part of subcall function 00B973E8: GetSysColor.USER32(00000012), ref: 00B97421
Part of subcall function 00B973E8: SetTextColor.GDI32(?,?), ref: 00B97425
Part of subcall function 00B973E8: GetSysColorBrush.USER32(0000000F), ref: 00B9743B
Part of subcall function 00B973E8: GetSysColor.USER32(0000000F), ref: 00B97446
Part of subcall function 00B973E8: GetSysColor.USER32(00000011), ref: 00B97463
Part of subcall function 00B973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B97471
Part of subcall function 00B973E8: SelectObject.GDI32(?,00000000), ref: 00B97482
Part of subcall function 00B973E8: SetBkColor.GDI32(?,00000000), ref: 00B9748B
Part of subcall function 00B973E8: SelectObject.GDI32(?,?), ref: 00B97498
Part of subcall function 00B973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00B974B7
Part of subcall function 00B973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B974CE
Part of subcall function 00B973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00B974DB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d31da6b53fe66b91d9d8f98bc35989de36ac110ce48cfa0ec262ea7a3708d133
Instruction ID: d26b8d4b0353a6622af0a844e58226b6f12e83203d4ecfdf239ab67a7ff17530
Opcode Fuzzy Hash: d31da6b53fe66b91d9d8f98bc35989de36ac110ce48cfa0ec262ea7a3708d133
Instruction Fuzzy Hash: F3A19172018311AFDB009F64DD49E6B7BE9FF89320F100A2AF962A71E1DB71E944CB51

Function 00B18D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B18E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B56AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B56AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B56F43

Part of subcall function 00B18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B18BE8,?,00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B18FC5

SendMessageW.USER32(?,00001053), ref: 00B56F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B56F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B56FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B56FB7

Strings

0, xrefs: 00B56DCF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f99d141d7956fb4377fb74523617baa45618788659e52398d8db32d4a7e7a206
Instruction ID: 1ce9e1e1016f9ebccebaa4558dbbe4c60a3516bdadbde1b4ab5ed2e71e159382
Opcode Fuzzy Hash: f99d141d7956fb4377fb74523617baa45618788659e52398d8db32d4a7e7a206
Instruction Fuzzy Hash: 3E12BD31601201EFDB25DF28C995BA5BBF1FB45302F9444EAF8858B262DB31EC96CB51

Function 00B82711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B8273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B8286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00B828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B82900
GetClientRect.USER32(00000000,?), ref: 00B8290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00B82955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B82964
GetStockObject.GDI32(00000011), ref: 00B82974
SelectObject.GDI32(00000000,00000000), ref: 00B82978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B82988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B82991
DeleteDC.GDI32(00000000), ref: 00B8299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00B82A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B82A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B82A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00B82A77
GetStockObject.GDI32(00000011), ref: 00B82A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B82A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B82A97

Strings

AutoIt v3, xrefs: 00B828F8
msctls_progress32, xrefs: 00B82A13
DISPLAY, xrefs: 00B8295A
static, xrefs: 00B8294F, 00B82A71

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6d457fdff573dffbf35c95b946c23653e464e73804e71d776baecfdd7e942345
Instruction ID: eed5ba149ef7f955806cd73a09a94ab3754b9fd64f470586bff3e9c02fcb896c
Opcode Fuzzy Hash: 6d457fdff573dffbf35c95b946c23653e464e73804e71d776baecfdd7e942345
Instruction Fuzzy Hash: 9BB14B71A40215BFEB14DFA8CD4AEAEBBB9EB08710F004555F915E72E0DB74AD40CBA4

Function 00B74ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B74AED
GetDriveTypeW.KERNEL32(?,00B9CB68,?,\\.\,00B9CC08), ref: 00B74BCA
SetErrorMode.KERNEL32(00000000,00B9CB68,?,\\.\,00B9CC08), ref: 00B74D36

Strings

iSCSI, xrefs: 00B74CC2
SSD, xrefs: 00B74C4A
FileBackedVirtual, xrefs: 00B74CEC
Fixed, xrefs: 00B74C09
1394, xrefs: 00B74C9F
RAID, xrefs: 00B74CBB
CDROM, xrefs: 00B74BFB
Virtual, xrefs: 00B74CE5
SSA, xrefs: 00B74CA6
Removable, xrefs: 00B74C10, 00B74C15
PhysicalDrive, xrefs: 00B74B76
ATA, xrefs: 00B74C98
ATAPI, xrefs: 00B74C91
SAS, xrefs: 00B74CC9
\\.\, xrefs: 00B74B3F
Network, xrefs: 00B74C02
Unknown, xrefs: 00B74BED, 00B74C83
Fibre, xrefs: 00B74CAD
USB, xrefs: 00B74CB4
MMC, xrefs: 00B74CDE
SATA, xrefs: 00B74CD0
RAMDisk, xrefs: 00B74BF4
SCSI, xrefs: 00B74C8A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ccbeb16f3ee3b5237477255a1722ebd9c6eceab0d88f19e420755e085071a058
Instruction ID: a088d1933dafc999ed3e3d2f3a4239b1af5f4dc0d5b58e40faefe530b84f5099
Opcode Fuzzy Hash: ccbeb16f3ee3b5237477255a1722ebd9c6eceab0d88f19e420755e085071a058
Instruction Fuzzy Hash: CA61A131605105ABCB15DF28CAC1E697BE0EF05342B24C4E9F82AAB2A1DB35ED41DB41

Function 00B973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B97421
SetTextColor.GDI32(?,?), ref: 00B97425
GetSysColorBrush.USER32(0000000F), ref: 00B9743B
GetSysColor.USER32(0000000F), ref: 00B97446
CreateSolidBrush.GDI32(?), ref: 00B9744B
GetSysColor.USER32(00000011), ref: 00B97463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B97471
SelectObject.GDI32(?,00000000), ref: 00B97482
SetBkColor.GDI32(?,00000000), ref: 00B9748B
SelectObject.GDI32(?,?), ref: 00B97498
InflateRect.USER32(?,000000FF,000000FF), ref: 00B974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00B974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B9752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B97554
InflateRect.USER32(?,000000FD,000000FD), ref: 00B97572
DrawFocusRect.USER32(?,?), ref: 00B9757D
GetSysColor.USER32(00000011), ref: 00B9758E
SetTextColor.GDI32(?,00000000), ref: 00B97596
DrawTextW.USER32(?,00B970F5,000000FF,?,00000000), ref: 00B975A8
SelectObject.GDI32(?,?), ref: 00B975BF
DeleteObject.GDI32(?), ref: 00B975CA
SelectObject.GDI32(?,?), ref: 00B975D0
DeleteObject.GDI32(?), ref: 00B975D5
SetTextColor.GDI32(?,?), ref: 00B975DB
SetBkColor.GDI32(?,?), ref: 00B975E5

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 56083b94757e8f27d6b05a9a4549da63c900d6c1e3f8edeb368bf496c543b8cf
Instruction ID: 8c1cb69834f3aacf660d732820a9a86e8cf91c65f6de9efac4a26afdd066c03b
Opcode Fuzzy Hash: 56083b94757e8f27d6b05a9a4549da63c900d6c1e3f8edeb368bf496c543b8cf
Instruction Fuzzy Hash: 16616E72900218AFDF019FA4DD49EEE7FB9EB09320F118166F915BB2A1DB749940CF90

Function 00B90FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B91128
GetDesktopWindow.USER32 ref: 00B9113D
GetWindowRect.USER32(00000000), ref: 00B91144
GetWindowLongW.USER32(?,000000F0), ref: 00B91199
DestroyWindow.USER32(?), ref: 00B911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B9120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B9121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00B91232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B91245
IsWindowVisible.USER32(00000000), ref: 00B912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B912D0
GetWindowRect.USER32(00000000,?), ref: 00B912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00B9130E
GetMonitorInfoW.USER32(00000000,?), ref: 00B91328
CopyRect.USER32(?,?), ref: 00B9133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00B913AA

Strings

tooltips_class32, xrefs: 00B911E6
0, xrefs: 00B910D3
(, xrefs: 00B9131B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e57866df8e33291ff899e863f15f46ebb664607b9a400875a30d5e98ad2c4a20
Instruction ID: 938c5b1a45bfd274e7e5445498cad1033cbfe8dec437a32f2926cfdf34e310b0
Opcode Fuzzy Hash: e57866df8e33291ff899e863f15f46ebb664607b9a400875a30d5e98ad2c4a20
Instruction Fuzzy Hash: 24B17E71608341AFDB00DF68C985B5ABBE4FF84354F00899DF9999B2A1CB31EC44DB51

Function 00B90241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B902E5
_wcslen.LIBCMT ref: 00B9031F
_wcslen.LIBCMT ref: 00B90389
_wcslen.LIBCMT ref: 00B903F1
_wcslen.LIBCMT ref: 00B90475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B90504

Part of subcall function 00B1F9F2: _wcslen.LIBCMT ref: 00B1F9FD

Part of subcall function 00B6223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B62258
Part of subcall function 00B6223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B6228A

Strings

SELECTCLEAR, xrefs: 00B9052D
SELECTALL, xrefs: 00B90515
FINDITEM, xrefs: 00B90627
GETSELECTED, xrefs: 00B905E1
GETSUBITEMCOUNT, xrefs: 00B90384, 00B9039F
SELECTINVERT, xrefs: 00B9057E
GETITEMCOUNT, xrefs: 00B90316, 00B90337
GETTEXT, xrefs: 00B903EC, 00B90407
SELECT, xrefs: 00B90548
VIEWCHANGE, xrefs: 00B90675
ISSELECTED, xrefs: 00B904DD
DESELECT, xrefs: 00B9059C
GETSELECTEDCOUNT, xrefs: 00B90470, 00B9048B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e8d5952e5e17cd063213d859f64acf64c9a7701aaa6dbf171f05b70946a27e6a
Instruction ID: 035fd3b7c0ddd004dacf47ddca67faec0b4c7a11293ec03b05fc389f602f5f0a
Opcode Fuzzy Hash: e8d5952e5e17cd063213d859f64acf64c9a7701aaa6dbf171f05b70946a27e6a
Instruction Fuzzy Hash: 0EE19D312282018FCB14EF24C99197AB7E6FF98754B1449ECF8969B3A2DB30ED45CB51

Function 00B18891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B18968
GetSystemMetrics.USER32(00000007), ref: 00B18970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B1899B
GetSystemMetrics.USER32(00000008), ref: 00B189A3
GetSystemMetrics.USER32(00000004), ref: 00B189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B18A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B18A3C
GetClientRect.USER32(00000000,000000FF), ref: 00B18A5A
GetStockObject.GDI32(00000011), ref: 00B18A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B18A81

Part of subcall function 00B1912D: GetCursorPos.USER32(?), ref: 00B19141
Part of subcall function 00B1912D: ScreenToClient.USER32(00000000,?), ref: 00B1915E
Part of subcall function 00B1912D: GetAsyncKeyState.USER32(00000001), ref: 00B19183
Part of subcall function 00B1912D: GetAsyncKeyState.USER32(00000002), ref: 00B1919D

SetTimer.USER32(00000000,00000000,00000028,00B190FC), ref: 00B18AA8

Strings

AutoIt v3 GUI, xrefs: 00B18A20

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7544bdc7ba1899d077cf21477aa0ba1d9ca56cef4a05a56d1e1e28fbfcd4ea65
Instruction ID: 37f9e10e494ea7e82d5b426f47d9770c20316a098b25b751b74bc1a1e081df20
Opcode Fuzzy Hash: 7544bdc7ba1899d077cf21477aa0ba1d9ca56cef4a05a56d1e1e28fbfcd4ea65
Instruction Fuzzy Hash: B9B17D31A00209AFDB14DFA8CD95BEE7BF5FB48315F5142AAFA15E7290DB34A841CB50

Function 00B60D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61114
Part of subcall function 00B610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61120
Part of subcall function 00B610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B6112F
Part of subcall function 00B610F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61136
Part of subcall function 00B610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B60DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B60E29
GetLengthSid.ADVAPI32(?), ref: 00B60E40
GetAce.ADVAPI32(?,00000000,?), ref: 00B60E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B60E96
GetLengthSid.ADVAPI32(?), ref: 00B60EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B60EB5
HeapAlloc.KERNEL32(00000000), ref: 00B60EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B60EDD
CopySid.ADVAPI32(00000000), ref: 00B60EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B60F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B60F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B60F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60F6E
HeapFree.KERNEL32(00000000), ref: 00B60F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60F7E
HeapFree.KERNEL32(00000000), ref: 00B60F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B60F8E
HeapFree.KERNEL32(00000000), ref: 00B60F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00B60FA1
HeapFree.KERNEL32(00000000), ref: 00B60FA8

Part of subcall function 00B61193: GetProcessHeap.KERNEL32(00000008,00B60BB1,?,00000000,?,00B60BB1,?), ref: 00B611A1
Part of subcall function 00B61193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B60BB1,?), ref: 00B611A8
Part of subcall function 00B61193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B60BB1,?), ref: 00B611B7

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: d21e02fe01c6f94693853350b907aff4e407c1b98d86c016d2e6e8ac490dc476
Instruction ID: dc97b1d32164f25f0f194084210d1d6e2e6275a6b303890274b7dd57b87c1fa1
Opcode Fuzzy Hash: d21e02fe01c6f94693853350b907aff4e407c1b98d86c016d2e6e8ac490dc476
Instruction Fuzzy Hash: 3F716A7290021AEBDF21AFA5DD48FAFBBB8FF05300F144156F919A7191DB359A05CB60

Function 00B8C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B9CC08,00000000,?,00000000,?,?), ref: 00B8C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B8C5A4
_wcslen.LIBCMT ref: 00B8C5F4
_wcslen.LIBCMT ref: 00B8C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B8C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B8C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B8C84D
RegCloseKey.ADVAPI32(?), ref: 00B8C881
RegCloseKey.ADVAPI32(00000000), ref: 00B8C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B8C960

Strings

REG_EXPAND_SZ, xrefs: 00B8C5CD
REG_QWORD, xrefs: 00B8C8C3
REG_DWORD, xrefs: 00B8C804
REG_BINARY, xrefs: 00B8C913
REG_SZ, xrefs: 00B8C644
REG_MULTI_SZ, xrefs: 00B8C6F5

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 4860abb8467c23bdf1e2e306fb15c0de68be79ca558896c05a2b8898208cddf1
Instruction ID: 099ab957203c9a7bb09a695f1fe08f4ad278891d7068e1a06929c9ca95e66c9e
Opcode Fuzzy Hash: 4860abb8467c23bdf1e2e306fb15c0de68be79ca558896c05a2b8898208cddf1
Instruction Fuzzy Hash: 661268756042019FDB14EF14C891E6ABBE5EF88714F14889DF88A9B3A2DB31FD41CB91

Function 00B9091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B909C6
_wcslen.LIBCMT ref: 00B90A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B90A54
_wcslen.LIBCMT ref: 00B90A8A
_wcslen.LIBCMT ref: 00B90B06
_wcslen.LIBCMT ref: 00B90B81

Part of subcall function 00B1F9F2: _wcslen.LIBCMT ref: 00B1F9FD

Part of subcall function 00B62BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B62BFA

Strings

EXPAND, xrefs: 00B90BF8
GETSELECTED, xrefs: 00B90C4E
EXISTS, xrefs: 00B90B7C, 00B90B97
SELECT, xrefs: 00B90D11
GETITEMCOUNT, xrefs: 00B90C1E
GETTEXT, xrefs: 00B90C97
UNCHECK, xrefs: 00B90D3E
CHECK, xrefs: 00B90A85, 00B90AA0
GETTOTALCOUNT, xrefs: 00B909F2, 00B90A17
COLLAPSE, xrefs: 00B90B01, 00B90B1C
ISCHECKED, xrefs: 00B90CE1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9be7209129dbc1a1fdba11b02315de862b0dadfd4292a1f748d016ebdf9eae6b
Instruction ID: 3505f966acac5c47a8e4331c1658f4dc2cb0a05e722772d7cbc7ae57377b32bf
Opcode Fuzzy Hash: 9be7209129dbc1a1fdba11b02315de862b0dadfd4292a1f748d016ebdf9eae6b
Instruction Fuzzy Hash: 74E17E712187018FCB14EF24C49096ABBE1FF98354B5489EDF8969B3A2DB31ED45CB81

Function 00B8C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
_wcslen.LIBCMT ref: 00B8C9F1
_wcslen.LIBCMT ref: 00B8CA68
_wcslen.LIBCMT ref: 00B8CA9E
_wcslen.LIBCMT ref: 00B8CAF9
_wcslen.LIBCMT ref: 00B8CB2F
_wcslen.LIBCMT ref: 00B8CB7F

Strings

HKCC, xrefs: 00B8CBAC
HKLM, xrefs: 00B8CA98, 00B8CA9D
HKCU, xrefs: 00B8CBCE
HKEY_CURRENT_CONFIG, xrefs: 00B8CB79, 00B8CB7E
HKEY_CURRENT_USER, xrefs: 00B8CBBD
HKU, xrefs: 00B8CBF0
HKEY_USERS, xrefs: 00B8CBDF
HKEY_CLASSES_ROOT, xrefs: 00B8CAF3, 00B8CAF8
HKEY_LOCAL_MACHINE, xrefs: 00B8CA62, 00B8CA67
HKCR, xrefs: 00B8CB29, 00B8CB2E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 03a303c5c05e6a1950df091d69f22102d003dcf5676698983fb4cfdcb037ce0a
Instruction ID: 169ec56f082b583fa75da0b163d030bcad4e673ae0cce8720f3f8b708585ce7b
Opcode Fuzzy Hash: 03a303c5c05e6a1950df091d69f22102d003dcf5676698983fb4cfdcb037ce0a
Instruction Fuzzy Hash: 9471F8B360052A8BCB10FE7CD941ABB3BD1EB60754B2105E9F865972A4EA31CD45C7B0

Function 00B9833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B9835A
_wcslen.LIBCMT ref: 00B9836E
_wcslen.LIBCMT ref: 00B98391
_wcslen.LIBCMT ref: 00B983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B95BF2), ref: 00B9844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B98487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B98501
FreeLibrary.KERNEL32(?), ref: 00B9850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B9851D
DestroyIcon.USER32(?,?,?,?,?,00B95BF2), ref: 00B9852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B98549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B98555

Strings

.icl, xrefs: 00B98368
.dll, xrefs: 00B983AB
.exe, xrefs: 00B98388

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 4fb647bb5806e817dae4081ff88645bdcff2667fe98f36002c6187d67102809b
Instruction ID: 6d19bc3577f2fab5bfcc6df943bfb926a03b5c671cb40a589f33110baae0d09b
Opcode Fuzzy Hash: 4fb647bb5806e817dae4081ff88645bdcff2667fe98f36002c6187d67102809b
Instruction Fuzzy Hash: 9D61CD71540215BAEF14DF64DC81BBE7BE8EF19720F1046AAF819D61D1DF74A980CBA0

Function 00B07778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

", xrefs: 00B45153
#requireadmin, xrefs: 00B077FF
#include-once, xrefs: 00B0782F
#notrayicon, xrefs: 00B077E7
Unterminated group of comments, xrefs: 00B4528C
#pragma compile, xrefs: 00B077D3
#include, xrefs: 00B07847
Bad directive syntax error, xrefs: 00B4519A
Cannot parse #include, xrefs: 00B45279
#comments-start, xrefs: 00B0785F, 00B078B1
#ce, xrefs: 00B078ED
#OnAutoItStartRegister, xrefs: 00B07817
', xrefs: 00B45169
#comments-end, xrefs: 00B078D9
#cs, xrefs: 00B07873, 00B078C5

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: fef888932bb89cfcd5930c516b10ad02b3e3f3e0886a80e247fed6526ef17e21
Instruction ID: 375874c616bdfce6975322a3c1056a007d5076bde3bb59f7ffdac87699082520
Opcode Fuzzy Hash: fef888932bb89cfcd5930c516b10ad02b3e3f3e0886a80e247fed6526ef17e21
Instruction Fuzzy Hash: EE81D371A44605BBDB20AF60DC82FBE7BE8EF55340F0440E5F905AA1D2EB70EE51D6A1

Function 00B65A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B65A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B65A40
SetWindowTextW.USER32(?,?), ref: 00B65A57
GetDlgItem.USER32(?,000003EA), ref: 00B65A6C
SetWindowTextW.USER32(00000000,?), ref: 00B65A72
GetDlgItem.USER32(?,000003E9), ref: 00B65A82
SetWindowTextW.USER32(00000000,?), ref: 00B65A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B65AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B65AC3
GetWindowRect.USER32(?,?), ref: 00B65ACC
_wcslen.LIBCMT ref: 00B65B33
SetWindowTextW.USER32(?,?), ref: 00B65B6F
GetDesktopWindow.USER32 ref: 00B65B75
GetWindowRect.USER32(00000000), ref: 00B65B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B65BD3
GetClientRect.USER32(?,?), ref: 00B65BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00B65C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B65C2F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8424650544d4d5f767685d932d8b68f6a6f4c4ae73297b11fef1c5d399f400a7
Instruction ID: f2f05e44087b08c4cf607b5a0f17b1469863091074f701deeef6a912ffc73756
Opcode Fuzzy Hash: 8424650544d4d5f767685d932d8b68f6a6f4c4ae73297b11fef1c5d399f400a7
Instruction Fuzzy Hash: 4C718E31900B09AFDB30DFA8CE85AAEBBF5FF48704F144559E146A35A0DB78E950CB50

Function 00B200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B200C6

Part of subcall function 00B200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00BD070C,00000FA0,F6470BD3,?,?,?,?,00B423B3,000000FF), ref: 00B2011C
Part of subcall function 00B200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00B423B3,000000FF), ref: 00B20127
Part of subcall function 00B200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00B423B3,000000FF), ref: 00B20138
Part of subcall function 00B200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B2014E
Part of subcall function 00B200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B2015C
Part of subcall function 00B200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B2016A
Part of subcall function 00B200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B20195
Part of subcall function 00B200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B201A0

___scrt_fastfail.LIBCMT ref: 00B200E7

Part of subcall function 00B200A3: __onexit.LIBCMT ref: 00B200A9

Strings

InitializeConditionVariable, xrefs: 00B20148
kernel32.dll, xrefs: 00B20133
WakeAllConditionVariable, xrefs: 00B20162
SleepConditionVariableCS, xrefs: 00B20154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B20122

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: d3f10ec9b0981113011fab9af365dd0e7ee9e1d28366d742e869541adb1abbdf
Instruction ID: 09d21b342988fa1fdb940eb173de9e67e1942eb71db2f4a6bd714332032c130e
Opcode Fuzzy Hash: d3f10ec9b0981113011fab9af365dd0e7ee9e1d28366d742e869541adb1abbdf
Instruction Fuzzy Hash: 2021A7326557216BEB107B74BD46B6A77D4DF05B61F1001B7F809F76A2DE609C008B94

Function 00B630F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B6318D
_wcslen.LIBCMT ref: 00B631F8

Strings

NAME, xrefs: 00B63335, 00B63346
REGEXPCLASS, xrefs: 00B63255, 00B63266
CLASSNN, xrefs: 00B631F3, 00B63204
INSTANCE, xrefs: 00B63453
CLASS, xrefs: 00B63188, 00B631A5
TEXT, xrefs: 00B6347C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5b335805a4e059aa1197649142b7c92c06faad618d3fd69c1a1cf8a68eb5dc76
Instruction ID: 33a9b97bf0e4ded58a860a69570fcf7779779cce19798f991a03783b91fc314e
Opcode Fuzzy Hash: 5b335805a4e059aa1197649142b7c92c06faad618d3fd69c1a1cf8a68eb5dc76
Instruction Fuzzy Hash: 08E1A632A005269BCB24DFA8C491BEEFBF4FF54B50F548199E456B7240DF34AE858790

Function 00B744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00B9CC08), ref: 00B74527
_wcslen.LIBCMT ref: 00B7453B
_wcslen.LIBCMT ref: 00B74599
_wcslen.LIBCMT ref: 00B745F4
_wcslen.LIBCMT ref: 00B7463F
_wcslen.LIBCMT ref: 00B746A7

Part of subcall function 00B1F9F2: _wcslen.LIBCMT ref: 00B1F9FD

GetDriveTypeW.KERNEL32(?,00BC6BF0,00000061), ref: 00B74743

Strings

network, xrefs: 00B7469D, 00B746A2
cdrom, xrefs: 00B7458F, 00B74594
all, xrefs: 00B74531, 00B74536
ramdisk, xrefs: 00B746F1
unknown, xrefs: 00B74708
removable, xrefs: 00B745EA, 00B745EF
fixed, xrefs: 00B74635, 00B7463A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 58f05688d012f046823d899658b27847b103ca2005b0c8a7086ded5d089746dc
Instruction ID: 61792ca1ec69f544b9b0cbe60cb478249c12af88c34a56e25461cd958bbff9df
Opcode Fuzzy Hash: 58f05688d012f046823d899658b27847b103ca2005b0c8a7086ded5d089746dc
Instruction Fuzzy Hash: 5BB1F2316083029FC714DF28C891A6ABBE5FFA5761F50899DF4AAC7291E730DD44CB92

Function 00B8AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B8B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8B1D4
_wcslen.LIBCMT ref: 00B8B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8B236
_wcslen.LIBCMT ref: 00B8B332

Part of subcall function 00B705A7: GetStdHandle.KERNEL32(000000F6), ref: 00B705C6

_wcslen.LIBCMT ref: 00B8B34B
_wcslen.LIBCMT ref: 00B8B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B8B3B6
GetLastError.KERNEL32(00000000), ref: 00B8B407
CloseHandle.KERNEL32(?), ref: 00B8B439
CloseHandle.KERNEL32(00000000), ref: 00B8B44A
CloseHandle.KERNEL32(00000000), ref: 00B8B45C
CloseHandle.KERNEL32(00000000), ref: 00B8B46E
CloseHandle.KERNEL32(?), ref: 00B8B4E3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 283e91e7f773c20e60f044b32983f1a3d5f2fff04e217aae488e3cf776bc64f1
Instruction ID: 3b96ff30cc854e3a731dfe7a9b0508e5d893fe01e19704a701d8218d72a0415a
Opcode Fuzzy Hash: 283e91e7f773c20e60f044b32983f1a3d5f2fff04e217aae488e3cf776bc64f1
Instruction Fuzzy Hash: C3F15A716082409FCB14EF24C891F6ABBE5EF85314F18859DF8999B2A2DB31EC45CB52

Function 00B0326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00BD1990), ref: 00B42F8D
GetMenuItemCount.USER32(00BD1990), ref: 00B4303D
GetCursorPos.USER32(?), ref: 00B43081
SetForegroundWindow.USER32(00000000), ref: 00B4308A
TrackPopupMenuEx.USER32(00BD1990,00000000,?,00000000,00000000,00000000), ref: 00B4309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B430A9

Strings

0, xrefs: 00B0327D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0233416141f83c7b66af37fc30fab6c14d122d5fbfb91746e777260b406638a4
Instruction ID: 3ae133fc1dbad6ebf919d1835fa124cb81a5ba2905e534091f6f09bae8a30a25
Opcode Fuzzy Hash: 0233416141f83c7b66af37fc30fab6c14d122d5fbfb91746e777260b406638a4
Instruction Fuzzy Hash: EE711831640215BFEB218F24CC89FAABFE8FF01764F240296F514A61E1C7B1AA54E750

Function 00B96CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B96DEB

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B96E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B96E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B96E94
DestroyWindow.USER32(?), ref: 00B96EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B00000,00000000), ref: 00B96EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B96EFD
GetDesktopWindow.USER32 ref: 00B96F16
GetWindowRect.USER32(00000000), ref: 00B96F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B96F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B96F4D

Part of subcall function 00B19944: GetWindowLongW.USER32(?,000000EB), ref: 00B19952

Strings

tooltips_class32, xrefs: 00B96E58, 00B96EDD
0, xrefs: 00B96D98

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 7a733fcfad871bbb25f472d9bbe42c0740464a22c5c0bff600bd2d6c9e9a48f4
Instruction ID: a7ce2195814635bcdd69f2e6d3c2ad54efd7958c3970bab94a871f6d8c764c3d
Opcode Fuzzy Hash: 7a733fcfad871bbb25f472d9bbe42c0740464a22c5c0bff600bd2d6c9e9a48f4
Instruction Fuzzy Hash: 5D715774104244AFDB21CF18DC58FBABBE9FB89304F44086EF999872A1DB74A906CB11

Function 00B9911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

DragQueryPoint.SHELL32(?,?), ref: 00B99147

Part of subcall function 00B97674: ClientToScreen.USER32(?,?), ref: 00B9769A
Part of subcall function 00B97674: GetWindowRect.USER32(?,?), ref: 00B97710
Part of subcall function 00B97674: PtInRect.USER32(?,?,00B98B89), ref: 00B97720

SendMessageW.USER32(?,000000B0,?,?), ref: 00B991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B99225
SendMessageW.USER32(?,000000B0,?,?), ref: 00B9923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B99255
SendMessageW.USER32(?,000000B1,?,?), ref: 00B99277
DragFinish.SHELL32(?), ref: 00B9927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B99371

Strings

@GUI_DRAGID, xrefs: 00B992E9
@GUI_DRAGFILE, xrefs: 00B99320
@GUI_DROPID, xrefs: 00B9929E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 29f8651ba2102553e2f1a54ad99bdf2e678402186ce64d6ccc73ad6c125af217
Instruction ID: 46fa03a8d422c6931212e89f714d442884e3fb710666b0904536e3ea907fdfef
Opcode Fuzzy Hash: 29f8651ba2102553e2f1a54ad99bdf2e678402186ce64d6ccc73ad6c125af217
Instruction Fuzzy Hash: 2D614772108301AFD701DF64DD85DABBFE8EF89750F4009AEB595932A1DB309A49CB62

Function 00B7C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B7C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B7C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B7C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B7C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B7C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B7C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B7C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B7C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B7C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B7C5F0
InternetCloseHandle.WININET(00000000), ref: 00B7C5FB

Strings

, xrefs: 00B7C575

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 48502353eb0a3e54a223defc5ae9e6c9738f327e47a87eb8d3ae0c613d71c010
Instruction ID: 2c1adb7c8d221b7d6437296405e85fa037ff639aea9e1e06bf6b49d7c212e5ff
Opcode Fuzzy Hash: 48502353eb0a3e54a223defc5ae9e6c9738f327e47a87eb8d3ae0c613d71c010
Instruction Fuzzy Hash: 54514BB1500608BFDB218FA0C989AAB7FFCFF18754F00845EF95997210DB35EA449B60

Function 00B9856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00B98592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00B9FC38,?), ref: 00B98611
GlobalFree.KERNEL32(00000000), ref: 00B98621
GetObjectW.GDI32(?,00000018,?), ref: 00B98641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00B98671
DeleteObject.GDI32(?), ref: 00B98699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B986AF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: d36b3a2f0f0e05b4f956637d55b3cc386179961c800840391f553cebde0fe1cd
Instruction ID: 0a95a3876d3576ea7b0190182ac08e2602cc59cfc27327556915f3cbb23fde81
Opcode Fuzzy Hash: d36b3a2f0f0e05b4f956637d55b3cc386179961c800840391f553cebde0fe1cd
Instruction Fuzzy Hash: BD410A75600204AFDB11DFA5DD88EAA7FB8FF8A711F104069F905EB260DB709D01CB60

Function 00B714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B71502
VariantCopy.OLEAUT32(?,?), ref: 00B7150B
VariantClear.OLEAUT32(?), ref: 00B71517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00B71657
VariantInit.OLEAUT32(?), ref: 00B71708
SysFreeString.OLEAUT32(?), ref: 00B7178C
VariantClear.OLEAUT32(?), ref: 00B717D8
VariantClear.OLEAUT32(?), ref: 00B717E7
VariantInit.OLEAUT32(00000000), ref: 00B71823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00B71625
Default, xrefs: 00B716AF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 4f9a7d36ce3b3cc2638cccc94212cb096a7b6b4f80c8d991aa514954af909ff5
Instruction ID: 5b4cf35c487a35c14ec30d9871f588880e9e8e602140d2d08344d3116a96ef01
Opcode Fuzzy Hash: 4f9a7d36ce3b3cc2638cccc94212cb096a7b6b4f80c8d991aa514954af909ff5
Instruction Fuzzy Hash: 3AD1CE71A00105EBDB189F6DE885BB9BBF5EF44704F14C8D6E42AAB290DB30EC45DB61

Function 00B8B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8C9F1
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA68
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00B8B80A
RegCloseKey.ADVAPI32(?), ref: 00B8B87E
RegCloseKey.ADVAPI32(?), ref: 00B8B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B8B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B8B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00B8B922
FreeLibrary.KERNEL32(00000000), ref: 00B8B983
RegCloseKey.ADVAPI32(00000000), ref: 00B8B994

Strings

advapi32.dll, xrefs: 00B8B8ED
RegDeleteKeyExW, xrefs: 00B8B8FE

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: d7b6ff29c6df926e548508100dbe4ee4ed7eb9be6decb1f259204642692bea67
Instruction ID: c417fa1c44a367ceb3a00afdcb020817645ecb60e02a284c227c6834071db167
Opcode Fuzzy Hash: d7b6ff29c6df926e548508100dbe4ee4ed7eb9be6decb1f259204642692bea67
Instruction Fuzzy Hash: 34C16C35208201AFD714EF24C495F2ABBE5FF84318F14859CF5AA8B2A2CB75ED45CB91

Function 00B8255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B825E8
CreateCompatibleDC.GDI32(?), ref: 00B825F4
SelectObject.GDI32(00000000,?), ref: 00B82601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B8266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B826D0
SelectObject.GDI32(?,?), ref: 00B826D8
DeleteObject.GDI32(?), ref: 00B826E1
DeleteDC.GDI32(?), ref: 00B826E8
ReleaseDC.USER32(00000000,?), ref: 00B826F3

Strings

(, xrefs: 00B8268D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 3314bbd3d4cef55e5ba403f4a50155f5e2131b51d45d94c32dcea16e60dcef46
Instruction ID: 1470472b257a3559ba2685b94e113231b9a009c97229f17a3cc4712219472d98
Opcode Fuzzy Hash: 3314bbd3d4cef55e5ba403f4a50155f5e2131b51d45d94c32dcea16e60dcef46
Instruction Fuzzy Hash: C661E275D00219EFCF04DFA4D984AAEBBF5FF48310F20856AE955A7260E770A941CFA4

Function 00B3DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B3DAA1

Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D659
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D66B
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D67D
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D68F
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6A1
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6B3
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6C5
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6D7
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6E9
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D6FB
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D70D
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D71F
Part of subcall function 00B3D63C: _free.LIBCMT ref: 00B3D731

_free.LIBCMT ref: 00B3DA96

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B3DAB8
_free.LIBCMT ref: 00B3DACD
_free.LIBCMT ref: 00B3DAD8
_free.LIBCMT ref: 00B3DAFA
_free.LIBCMT ref: 00B3DB0D
_free.LIBCMT ref: 00B3DB1B
_free.LIBCMT ref: 00B3DB26
_free.LIBCMT ref: 00B3DB5E
_free.LIBCMT ref: 00B3DB65
_free.LIBCMT ref: 00B3DB82
_free.LIBCMT ref: 00B3DB9A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8ee9de43f67ebc1cac3a354e8ae2ee1554272275cb44f53b0c1eb2eb1274c452
Instruction ID: 7df7c1a0bdc0fbf43111f3a97293dfebe376e4bc80d6bb6c1311a3cce8328f5b
Opcode Fuzzy Hash: 8ee9de43f67ebc1cac3a354e8ae2ee1554272275cb44f53b0c1eb2eb1274c452
Instruction Fuzzy Hash: 8A312A326046059FEB22AB39F845B5AB7E9FF10310F3545E9E459D7291EA31AC408720

Function 00B6365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B6369C
_wcslen.LIBCMT ref: 00B636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B63797
GetClassNameW.USER32(?,?,00000400), ref: 00B6380C
GetDlgCtrlID.USER32(?), ref: 00B6385D
GetWindowRect.USER32(?,?), ref: 00B63882
GetParent.USER32(?), ref: 00B638A0
ScreenToClient.USER32(00000000), ref: 00B638A7
GetClassNameW.USER32(?,?,00000100), ref: 00B63921
GetWindowTextW.USER32(?,?,00000400), ref: 00B6395D

Strings

%s%u, xrefs: 00B63734

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 98c47b348f50ac98ae0689f69aa49f7934eb4c654dc0099202dcb7666435c8b3
Instruction ID: aedd129fdb512a0951eaa2a5a9d71d5c45c24242f3bbbacdf687eb8b3b08325e
Opcode Fuzzy Hash: 98c47b348f50ac98ae0689f69aa49f7934eb4c654dc0099202dcb7666435c8b3
Instruction Fuzzy Hash: 6C919E71204606AFD719DF24C885FAAB7E8FF44750F008669F99AD3190DB38EA45CBA1

Function 00B64954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B64994
GetWindowTextW.USER32(?,?,00000400), ref: 00B649DA
_wcslen.LIBCMT ref: 00B649EB
CharUpperBuffW.USER32(?,00000000), ref: 00B649F7
_wcsstr.LIBVCRUNTIME ref: 00B64A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B64A64
GetWindowTextW.USER32(?,?,00000400), ref: 00B64A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B64AE6
GetClassNameW.USER32(?,?,00000400), ref: 00B64B20
GetWindowRect.USER32(?,?), ref: 00B64B8B

Strings

ThumbnailClass, xrefs: 00B64A6F, 00B64AF1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f1c3226ca817f4e7525affd53000810e54264fc08dc17a0762fc6f1adf5fd269
Instruction ID: eff08c43b6a867610bbd5ef14cff0c5d614733741174a714b30b79595f8e8b9f
Opcode Fuzzy Hash: f1c3226ca817f4e7525affd53000810e54264fc08dc17a0762fc6f1adf5fd269
Instruction Fuzzy Hash: A491BF31004605AFDB14DF14C981FAA7BE8FF84754F0884AAFD899B196DB38ED45CBA1

Function 00B98D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B98D5A
GetFocus.USER32 ref: 00B98D6A
GetDlgCtrlID.USER32(00000000), ref: 00B98D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00B98E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B98ECF
GetMenuItemCount.USER32(?), ref: 00B98EEC
GetMenuItemID.USER32(?,00000000), ref: 00B98EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B98F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B98F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B98FA1

Strings

0, xrefs: 00B98E9F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 3a78b852cfff2aafdea946e79144bb4a856aecb0ba5d1dcd8bcf958630af3162
Instruction ID: 0f0444a9104fac12e0e05ab38d2261b7d8529e1ec74d00137ac58867db4e6c58
Opcode Fuzzy Hash: 3a78b852cfff2aafdea946e79144bb4a856aecb0ba5d1dcd8bcf958630af3162
Instruction Fuzzy Hash: 5F81AE71508301AFDB11CF24D984AABBBE9FF8A754F1409AEF98597291DF30D901CBA1

Function 00B6DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B6DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B6DC46
_wcslen.LIBCMT ref: 00B6DC50
_wcsstr.LIBVCRUNTIME ref: 00B6DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B6DCBC

Strings

04090000, xrefs: 00B6DCF2
StringFileInfo\, xrefs: 00B6DC8F
\VarFileInfo\Translation, xrefs: 00B6DCB4
DefaultLangCodepage, xrefs: 00B6DD1F
%u.%u.%u.%u, xrefs: 00B6DD9A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 059a1fd73d928c02a5a7894d4dd23f71f43be22f4267c1e108d770c2bac7c486
Instruction ID: 9001ade61b60242e4419ed9eb775a870bff0e8bf1dce3fad716b3eb9b5899d38
Opcode Fuzzy Hash: 059a1fd73d928c02a5a7894d4dd23f71f43be22f4267c1e108d770c2bac7c486
Instruction Fuzzy Hash: 43410432A40215BADB10B764EC43EFF7BECEF45710F5000FAF904A6192EB78990187A9

Function 00B8CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B8CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B8CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B8CD48

Part of subcall function 00B8CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B8CCAA
Part of subcall function 00B8CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B8CCBD
Part of subcall function 00B8CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B8CCCF
Part of subcall function 00B8CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B8CD05
Part of subcall function 00B8CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B8CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B8CCF3

Strings

advapi32.dll, xrefs: 00B8CCB8
RegDeleteKeyExW, xrefs: 00B8CCC9

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3db803bd7681609ca606802bd68b3123ffa71f28fcd37597c9992eff591efbe7
Instruction ID: 048b0fc40fce5381349cd48acdd336256e83e79a4e9a1f0f6634aa2af43446a3
Opcode Fuzzy Hash: 3db803bd7681609ca606802bd68b3123ffa71f28fcd37597c9992eff591efbe7
Instruction Fuzzy Hash: 3E3160B1901129BBD720AB55DC88EFFBFBCEF45750F0001A6A905E3161DB749A45DBB0

Function 00B73D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B73D40
_wcslen.LIBCMT ref: 00B73D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B73D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B73DBE
RemoveDirectoryW.KERNEL32(?), ref: 00B73DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B73E55
CloseHandle.KERNEL32(00000000), ref: 00B73E60
CloseHandle.KERNEL32(00000000), ref: 00B73E6B

Strings

\??\%s, xrefs: 00B73D5B
\, xrefs: 00B73D77
:, xrefs: 00B73D82

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 53d7fe8d893ec8c0ef5d530a862dfa4e87e62e0d9afc8bdf86e8c924718740e3
Instruction ID: 25e0cf9f19653ab357b69e77a6a1eb59b90a96f1b96885ca20bc1fcc1ef08acb
Opcode Fuzzy Hash: 53d7fe8d893ec8c0ef5d530a862dfa4e87e62e0d9afc8bdf86e8c924718740e3
Instruction Fuzzy Hash: 91316D71904219AADB219FA0DD49FAB37F8EF88B00F1081B6F519D6160EB7497849B64

Function 00B6E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B6E6B4

Part of subcall function 00B1E551: timeGetTime.WINMM(?,?,00B6E6D4), ref: 00B1E555

Sleep.KERNEL32(0000000A), ref: 00B6E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00B6E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B6E727
SetActiveWindow.USER32 ref: 00B6E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B6E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B6E773
Sleep.KERNEL32(000000FA), ref: 00B6E77E
IsWindow.USER32 ref: 00B6E78A
EndDialog.USER32(00000000), ref: 00B6E79B

Strings

BUTTON, xrefs: 00B6E719

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: be8ca71aa53d9c547fb217eb7f53f842c1e90ae54fe824fc2aded3a83a00c7cd
Instruction ID: b4600bd22551be362365ebfbaacf5c16669c9dd01420ee07367e07d69e4c02ce
Opcode Fuzzy Hash: be8ca71aa53d9c547fb217eb7f53f842c1e90ae54fe824fc2aded3a83a00c7cd
Instruction Fuzzy Hash: 28219AB4201240BFEB015F64ED99A3A7FA9EB64748B100467F925831B2EF79EC009B24

Function 00B6E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B6EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B6EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B6EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B6EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B6EAA7

Strings

open , xrefs: 00B6EA0C
status PlayMe mode, xrefs: 00B6EA58
play PlayMe, xrefs: 00B6EAA2
play PlayMe wait, xrefs: 00B6EA91
close PlayMe, xrefs: 00B6EA6E, 00B6EA9B
alias PlayMe, xrefs: 00B6EA36

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b9167f91c002a4eef714cd7af60df84d31f5c4ad77dc163aa41c13d1393ac8b2
Instruction ID: 968bba54bfe3bee60be09ba0fb01b629ceed9766190cad9c1e1b377faa06d76b
Opcode Fuzzy Hash: b9167f91c002a4eef714cd7af60df84d31f5c4ad77dc163aa41c13d1393ac8b2
Instruction Fuzzy Hash: B2119E35A9021979D720A7A5DD4AEFF6FFCEFD5B40F0004A9B811A20E1EEB04904C6B0

Function 00B65CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B65CE2
GetWindowRect.USER32(00000000,?), ref: 00B65CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B65D59
GetDlgItem.USER32(?,00000002), ref: 00B65D69
GetWindowRect.USER32(00000000,?), ref: 00B65D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B65DCF
GetDlgItem.USER32(?,000003E9), ref: 00B65DDD
GetWindowRect.USER32(00000000,?), ref: 00B65DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B65E31
GetDlgItem.USER32(?,000003EA), ref: 00B65E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B65E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00B65E67

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 130c819fbabdd8b0ed380b077290d2bb57c3069fa84fa6ce6681c17f097516e4
Instruction ID: 874c2300daaa5eb3414aef1be5d06e574d79585ead8872dddb67c9b04ee156bf
Opcode Fuzzy Hash: 130c819fbabdd8b0ed380b077290d2bb57c3069fa84fa6ce6681c17f097516e4
Instruction Fuzzy Hash: 0F510D71A00605AFDF18CFA8DD89AAEBBF5FB48300F548169F515E7290DB749E10CB60

Function 00B18BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B18F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B18BE8,?,00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B18FC5

DestroyWindow.USER32(?), ref: 00B18C81
KillTimer.USER32(00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B18D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00B56973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B569A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B18BBA,00000000,?), ref: 00B569B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B18BBA,00000000), ref: 00B569D4
DeleteObject.GDI32(00000000), ref: 00B569E6

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 49d1389d8c52d76f610d7b08b087d14ab300523aafc592c9609f0e3ed582c6c7
Instruction ID: f97a4a6be35662571c572049ccffd2bf84651d99d32d7d492f82e86422f6980f
Opcode Fuzzy Hash: 49d1389d8c52d76f610d7b08b087d14ab300523aafc592c9609f0e3ed582c6c7
Instruction Fuzzy Hash: 7C618D31502700EFCB259F18DA68BA5BBF1FB44312F9449AEE4429B560CB35ADC5DF90

Function 00B19838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B19944: GetWindowLongW.USER32(?,000000EB), ref: 00B19952

GetSysColor.USER32(0000000F), ref: 00B19862

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 10fa75bff101f08af57b5dcc62fb233171a3a96c4dd2bfc0897df27de92ea0ae
Instruction ID: 2435cad1fea82d8564e75b9803316f1b54a054dd8b5d7a7518507461f34ea32d
Opcode Fuzzy Hash: 10fa75bff101f08af57b5dcc62fb233171a3a96c4dd2bfc0897df27de92ea0ae
Instruction Fuzzy Hash: CA41B231104690AFDB205F38ACA4BF93BE5FB163B1F944686F9A2971E1DB309C81DB10

Function 00B696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00B4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00B69717
LoadStringW.USER32(00000000,?,00B4F7F8,00000001), ref: 00B69720

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00B4F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00B69742
LoadStringW.USER32(00000000,?,00B4F7F8,00000001), ref: 00B69745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00B69866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B6984A
Line %d:, xrefs: 00B697A0
^ ERROR, xrefs: 00B697FB
Error: , xrefs: 00B6981D
Line %d (File "%s"):, xrefs: 00B6978F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: c1b9fc644c438271b5fffe684e24cec368383020c574fab488ebce25ec104ec2
Instruction ID: 949bfcf61d275610ef8ae1020e2fd8f37b0b1f8c473f1aa28915f38acd53a6b3
Opcode Fuzzy Hash: c1b9fc644c438271b5fffe684e24cec368383020c574fab488ebce25ec104ec2
Instruction Fuzzy Hash: 71412D72800209AADB04EBE0CE86EEE7BFCAF55740F5400A5B60572192EB356F49CB61

Function 00B606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B60804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B6082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B60837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B6083C

Strings

SOFTWARE\Classes\, xrefs: 00B6070E
\IPC$, xrefs: 00B60784
\CLSID, xrefs: 00B60724

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 449a612c4f105796af88db8764417ea4607105fc123a455ecff7835c9539a5a9
Instruction ID: 5fa6615bc1462121a07609d7ba970015b48d4120cde86be7dd2f3e2da7f49bf6
Opcode Fuzzy Hash: 449a612c4f105796af88db8764417ea4607105fc123a455ecff7835c9539a5a9
Instruction Fuzzy Hash: 91410C71C20229ABDF15EF94DC85DEEBBB8FF04750F4441A9E901A31A1EB745E44CBA0

Function 00B83C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B83C5C
CoInitialize.OLE32(00000000), ref: 00B83C8A
CoUninitialize.OLE32 ref: 00B83C94
_wcslen.LIBCMT ref: 00B83D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00B83DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B83ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B83F0E
CoGetObject.OLE32(?,00000000,00B9FB98,?), ref: 00B83F2D
SetErrorMode.KERNEL32(00000000), ref: 00B83F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B83FC4
VariantClear.OLEAUT32(?), ref: 00B83FD8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 29aa45909c262534aec574d17e212b2cc399b959f73ec60a97223ff735cfbbd1
Instruction ID: 662686d6434d86f6679cfbf5ef3193925aa22da85ca708414716a24d8a0268d8
Opcode Fuzzy Hash: 29aa45909c262534aec574d17e212b2cc399b959f73ec60a97223ff735cfbbd1
Instruction Fuzzy Hash: 4AC149716083059FD700EF68C88492BBBE9FF89B44F1049ADF9899B261DB31ED05CB52

Function 00B77A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B77AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B77B8F
SHGetDesktopFolder.SHELL32(?), ref: 00B77BA3
CoCreateInstance.OLE32(00B9FD08,00000000,00000001,00BC6E6C,?), ref: 00B77BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B77C74
CoTaskMemFree.OLE32(?,?), ref: 00B77CCC
SHBrowseForFolderW.SHELL32(?), ref: 00B77D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B77D7A
CoTaskMemFree.OLE32(00000000), ref: 00B77D81
CoTaskMemFree.OLE32(00000000), ref: 00B77DD6
CoUninitialize.OLE32 ref: 00B77DDC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 78b0173ceb51fd0095febc8b473fe03b6bdcf7123fb5f340717a6e56a4bcc0e1
Instruction ID: 55e7846e195b0eb2200b07e0ed6188c50add4c56a0f81d4ca168e9bc0f36caa3
Opcode Fuzzy Hash: 78b0173ceb51fd0095febc8b473fe03b6bdcf7123fb5f340717a6e56a4bcc0e1
Instruction Fuzzy Hash: 63C10C75A04209AFDB14DF64C894DAEBBF9FF48304B1484A9E819DB361DB31EE45CB90

Function 00B9541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B95504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B95515
CharNextW.USER32(00000158), ref: 00B95544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B95585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B9559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B955AC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5e196d44313ee645ea0400c62c3372b9ef782cc56001d0e706ee6c701b2b8ebf
Instruction ID: 94c26c6b88b9b971b978b764c345f4dc019d9e95847d63529022b2276df86a9c
Opcode Fuzzy Hash: 5e196d44313ee645ea0400c62c3372b9ef782cc56001d0e706ee6c701b2b8ebf
Instruction Fuzzy Hash: 8961A071940608EFEF228F54CC84AFE7BF9EB05720F1081A5F925A7291DB749A81DB60

Function 00B5FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B5FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00B5FB08
VariantInit.OLEAUT32(?), ref: 00B5FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B5FB3A
VariantCopy.OLEAUT32(?,?), ref: 00B5FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B5FBA1
VariantClear.OLEAUT32(?), ref: 00B5FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B5FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B5FBCC
VariantClear.OLEAUT32(?), ref: 00B5FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B5FBE9

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4d100f1d70421cbc87808e58004d87f1104945dc46febe1b5ea024105096b573
Instruction ID: 8f96cb63e8f4fbe3b52c21665b159580652a24c0b20e9ed5fc59f400280bbc31
Opcode Fuzzy Hash: 4d100f1d70421cbc87808e58004d87f1104945dc46febe1b5ea024105096b573
Instruction Fuzzy Hash: 18414E35A0021ADFCF00DF64D954AADBFB9EF08345F0080A5E915A7361CB30A945CFA1

Function 00B69C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B69CA1
GetAsyncKeyState.USER32(000000A0), ref: 00B69D22
GetKeyState.USER32(000000A0), ref: 00B69D3D
GetAsyncKeyState.USER32(000000A1), ref: 00B69D57
GetKeyState.USER32(000000A1), ref: 00B69D6C
GetAsyncKeyState.USER32(00000011), ref: 00B69D84
GetKeyState.USER32(00000011), ref: 00B69D96
GetAsyncKeyState.USER32(00000012), ref: 00B69DAE
GetKeyState.USER32(00000012), ref: 00B69DC0
GetAsyncKeyState.USER32(0000005B), ref: 00B69DD8
GetKeyState.USER32(0000005B), ref: 00B69DEA

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6bdf252abb98800597c90db48d27297a49df4300a795537398b8a6e2744eccea
Instruction ID: cdc115fce61a809db9b4c86edcfd2d52f627835997646a25d3f71777a1538b89
Opcode Fuzzy Hash: 6bdf252abb98800597c90db48d27297a49df4300a795537398b8a6e2744eccea
Instruction Fuzzy Hash: 1341C4345047C969FF30866489043B5BEE8EF21344F0480FADAC6575C2DBB999D8C7A2

Function 00B8055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B805BC
inet_addr.WSOCK32(?), ref: 00B8061C
gethostbyname.WSOCK32(?), ref: 00B80628
IcmpCreateFile.IPHLPAPI ref: 00B80636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00B807B9
WSACleanup.WSOCK32 ref: 00B807BF

Strings

Ping, xrefs: 00B80676

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e30c98813a7363e95ebfaf31ba1dc14a7143db8ac1d3e7f817904dc1f9c6eb37
Instruction ID: 8064291ebaae7a526ce5245ef28f432fa21fdecd0e86703f2ed15a464d2bf269
Opcode Fuzzy Hash: e30c98813a7363e95ebfaf31ba1dc14a7143db8ac1d3e7f817904dc1f9c6eb37
Instruction Fuzzy Hash: 98918E356182419FD360EF15C988F1ABBE0EF44358F1485E9E4699B6B2CB30ED49CF91

Function 00B88CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00B88CF3

Part of subcall function 00B68E54: _wcslen.LIBCMT ref: 00B68E77

_wcslen.LIBCMT ref: 00B88D4E
_wcslen.LIBCMT ref: 00B88D9C
_wcslen.LIBCMT ref: 00B88DDC
_wcslen.LIBCMT ref: 00B88E6E

Strings

none, xrefs: 00B88E65, 00B88E6A
stdcall, xrefs: 00B88DD6, 00B88DDB
winapi, xrefs: 00B88D96, 00B88D9B
cdecl, xrefs: 00B88D48, 00B88D4D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5110be49ab6cab80d88e718f209234915dd9160bb6dfb808a936597a2ebbb9b0
Instruction ID: ca27f407c9a8c1f6a5575e3cb472418afc0aeb68377213241a757015fce1271a
Opcode Fuzzy Hash: 5110be49ab6cab80d88e718f209234915dd9160bb6dfb808a936597a2ebbb9b0
Instruction Fuzzy Hash: 33519331A001169BCB14EF6CC9809BEB7E6FF64725BA042A9E426E72D5DF31DD40C790

Function 00B8372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00B83774
CoUninitialize.OLE32 ref: 00B8377F
CoCreateInstance.OLE32(?,00000000,00000017,00B9FB78,?), ref: 00B837D9
IIDFromString.OLE32(?,?), ref: 00B8384C
VariantInit.OLEAUT32(?), ref: 00B838E4
VariantClear.OLEAUT32(?), ref: 00B83936

Strings

Failed to create object, xrefs: 00B837E4, 00B8389A
Invalid parameter, xrefs: 00B83865
NULL Pointer assignment, xrefs: 00B8381E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: bd11e58fbc7005eac49ca4731423a5d878f56ab0b6a67e32e7672c869d4a3360
Instruction ID: f67e11f2f40819110c5821b920bb89ef75dc132ec894ed69f4891e6a29918f77
Opcode Fuzzy Hash: bd11e58fbc7005eac49ca4731423a5d878f56ab0b6a67e32e7672c869d4a3360
Instruction Fuzzy Hash: 7D618074608301AFD710EF54C889F6ABBE4EF45B10F104899F5859B2A1DB70EE48CB92

Function 00B73388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B733CF

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B733F0

Strings

"%s" (%d) : ==> %s:, xrefs: 00B73522
Incorrect parameters to object property !, xrefs: 00B734AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00B73504
^ ERROR , xrefs: 00B7349E
Error: , xrefs: 00B734D1
Line %d (File "%s"):, xrefs: 00B73443, 00B7345C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: e4595864bd31f160a96db96082fbbd984aed9bd2194cd1fb898b3db55e7b1fb3
Instruction ID: 1456a72027e4ee11134c7aad260a2e0804fc8c1b13a872c1e06f0eba866f7641
Opcode Fuzzy Hash: e4595864bd31f160a96db96082fbbd984aed9bd2194cd1fb898b3db55e7b1fb3
Instruction Fuzzy Hash: 15518D71900209BADF18EBA0CD56EEEBBF8EF14740F1484A5F505721A2EB352F58DB60

Function 00B6B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B6B5FC
_wcslen.LIBCMT ref: 00B6B608
_wcslen.LIBCMT ref: 00B6B64D
_wcslen.LIBCMT ref: 00B6B68C
_wcslen.LIBCMT ref: 00B6B6C7

Strings

EXISTS, xrefs: 00B6B686, 00B6B68B
KEYS, xrefs: 00B6B647, 00B6B64C
APPEND, xrefs: 00B6B6C1, 00B6B6C6
REMOVE, xrefs: 00B6B602, 00B6B607

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 0f39b3d4422f7f4b1bfe492970c93bed3dbed3b81452d494cbd3df03a382fb0a
Instruction ID: d369000e62dc1ce894c79a3c025e1dc725bd2fd70c27898808fe40e8ebb1c1ab
Opcode Fuzzy Hash: 0f39b3d4422f7f4b1bfe492970c93bed3dbed3b81452d494cbd3df03a382fb0a
Instruction Fuzzy Hash: E741C433A001269ACB205F7DC990DBEB7F5EBA0754B2445AAE825DB284E739CDC1C790

Function 00B75393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B75416
GetLastError.KERNEL32 ref: 00B75420
SetErrorMode.KERNEL32(00000000,READY), ref: 00B754A7

Strings

READONLY, xrefs: 00B75452
NOTREADY, xrefs: 00B7544B
READY, xrefs: 00B75460, 00B75468
UNKNOWN, xrefs: 00B75444
INVALID, xrefs: 00B75459

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1090ebaec1acc8f78f3b8c6418e4b1115aeaf7aa89f489a67bd1265821d5288f
Instruction ID: 7ee68e2293b7f6d1e321433c2fae94e36708f5d3c1b928d4e4109ce18aa2eab8
Opcode Fuzzy Hash: 1090ebaec1acc8f78f3b8c6418e4b1115aeaf7aa89f489a67bd1265821d5288f
Instruction Fuzzy Hash: CB318F36A005049FD720DF68C484EAA7BE4EF05305F14C0A9E51ADB396DBB1DD82CB90

Function 00B93C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00B93C79
SetMenu.USER32(?,00000000), ref: 00B93C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B93D10
IsMenu.USER32(?), ref: 00B93D24
CreatePopupMenu.USER32 ref: 00B93D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B93D5B
DrawMenuBar.USER32 ref: 00B93D63

Strings

0, xrefs: 00B93C54
F, xrefs: 00B93D4E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 32bb8ba0aed18de14726ea88fbcbdd0fe81f8d0a1a7abf477c4f91c6137f012e
Instruction ID: bfc0f0541998c5564f358a2c520c6d5cf11d2706189b3b35f442d84c7654ee25
Opcode Fuzzy Hash: 32bb8ba0aed18de14726ea88fbcbdd0fe81f8d0a1a7abf477c4f91c6137f012e
Instruction Fuzzy Hash: A7419CB4A01209EFDF14CFA4D9A4AAA7BF5FF49300F140069F91697360DB30AA10CF90

Function 00B93A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B93A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B93AA0
GetWindowLongW.USER32(?,000000F0), ref: 00B93AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B93AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B93B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B93BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B93BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B93BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B93BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B93C13

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: de038301ed41cb8575b4aa567ed6135cc23699657544e3d9ae4939fb9d9c0c29
Instruction ID: 1753e8f4c8da1a4c9c198c26ba7469518b0841a831db4ec2f0e1bb0df6893efa
Opcode Fuzzy Hash: de038301ed41cb8575b4aa567ed6135cc23699657544e3d9ae4939fb9d9c0c29
Instruction Fuzzy Hash: 58616C75900248AFDF10DFA8CC91EEE77F8EB09700F1045AAFA15A72A2D774AE45DB50

Function 00B6B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B6B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B6A1E1,?,00000001), ref: 00B6B165
GetWindowThreadProcessId.USER32(00000000), ref: 00B6B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B6A1E1,?,00000001), ref: 00B6B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B6B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B6A1E1,?,00000001), ref: 00B6B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B6A1E1,?,00000001), ref: 00B6B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B6A1E1,?,00000001), ref: 00B6B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B6A1E1,?,00000001), ref: 00B6B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B6A1E1,?,00000001), ref: 00B6B21D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3ac2bf7574d2892260dc93758162bd01fd53fa28fb386d7bf9b8784a432d9354
Instruction ID: 366462994473836a6835d46a2b30f4bfc7d2675aae4722535d3ff5732d9aacfb
Opcode Fuzzy Hash: 3ac2bf7574d2892260dc93758162bd01fd53fa28fb386d7bf9b8784a432d9354
Instruction Fuzzy Hash: 01317871510204BFDB109F64DDA8F6ABFF9EB51711F208066FA01D71A1EBB89A808F65

Function 00B32C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B32C94

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B32CA0
_free.LIBCMT ref: 00B32CAB
_free.LIBCMT ref: 00B32CB6
_free.LIBCMT ref: 00B32CC1
_free.LIBCMT ref: 00B32CCC
_free.LIBCMT ref: 00B32CD7
_free.LIBCMT ref: 00B32CE2
_free.LIBCMT ref: 00B32CED
_free.LIBCMT ref: 00B32CFB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d3c63d1ee82fd39176e944fc5c1b564d4295e65e3f692b1624f99be1d3b1b59
Instruction ID: 1f3cb0ba10674a7c14eef15023f3d25467f179778b381ef866f6241962e540a7
Opcode Fuzzy Hash: 1d3c63d1ee82fd39176e944fc5c1b564d4295e65e3f692b1624f99be1d3b1b59
Instruction Fuzzy Hash: 1A117476500118AFCB02EF54E982DDD7BA5FF05350FA146E5FA489F322DA31EE509B90

Function 00B01410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B01459
OleUninitialize.OLE32(?,00000000), ref: 00B014F8
UnregisterHotKey.USER32(?), ref: 00B016DD
DestroyWindow.USER32(?), ref: 00B424B9
FreeLibrary.KERNEL32(?), ref: 00B4251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B4254B

Strings

close all, xrefs: 00B01454

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 74f7983e37376ca2b9b0c8f38f8d6b605dfe82c663f0108164672dd4f539267b
Instruction ID: a16ab54ee50e0c752de163d18a421c118ca719c16d5b844443fcf1fcfce77e6d
Opcode Fuzzy Hash: 74f7983e37376ca2b9b0c8f38f8d6b605dfe82c663f0108164672dd4f539267b
Instruction Fuzzy Hash: 20D149317012128FCB19EF18C899A29FBE4FF05700F5586EDE54A6B2A2DB31AD12DF51

Function 00B77DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B77FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00B77FC1
GetFileAttributesW.KERNEL32(?), ref: 00B77FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B78005
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78017
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B780B0

Strings

*.*, xrefs: 00B78066

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 75b27326e078b2a7c43345bd771a49d57422277713456ce8fab18d6075bbfc1f
Instruction ID: e89ae00c8adb80eaacfc51ded7a9729fb59b382b45fb2d0330821e947aea9ad2
Opcode Fuzzy Hash: 75b27326e078b2a7c43345bd771a49d57422277713456ce8fab18d6075bbfc1f
Instruction Fuzzy Hash: A5818F725482419FDB20DF14C8849AEB7E8EB89314F148CDAF8ADD7250EB74DD498B92

Function 00B05BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B05C7A

Part of subcall function 00B05D0A: GetClientRect.USER32(?,?), ref: 00B05D30
Part of subcall function 00B05D0A: GetWindowRect.USER32(?,?), ref: 00B05D71
Part of subcall function 00B05D0A: ScreenToClient.USER32(?,?), ref: 00B05D99

GetDC.USER32 ref: 00B446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B44708
SelectObject.GDI32(00000000,00000000), ref: 00B44716
SelectObject.GDI32(00000000,00000000), ref: 00B4472B
ReleaseDC.USER32(?,00000000), ref: 00B44733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B447C4

Strings

U, xrefs: 00B44693

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3275e0cc1b06b949e449400f7c831acc7c6756e0cf1e2b1396de1c823af36188
Instruction ID: a1b3c30ae2f5a1d2c6c1f92c541b01f5a88cf1b80d85da47adc4947ab548ca20
Opcode Fuzzy Hash: 3275e0cc1b06b949e449400f7c831acc7c6756e0cf1e2b1396de1c823af36188
Instruction Fuzzy Hash: A871CF31400205EFDF218F64C984BBA7BF5FF4A360F1442EAE9555A1A6CB319D62EF60

Function 00B7359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00B735E4

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

LoadStringW.USER32(00BD2390,?,00000FFF,?), ref: 00B7360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00B73742
^ ERROR, xrefs: 00B736C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00B73724
Error: , xrefs: 00B736EF
Line %d (File "%s"):, xrefs: 00B7366B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: a7817616eda767b7280904b6cde025f8a238d3ffb98fa464aa2987607c85f366
Instruction ID: 63245d6e051dfb06fbc9dc1481ff47fd25f0e78ad6a7e2ebbfbd545967e0a73a
Opcode Fuzzy Hash: a7817616eda767b7280904b6cde025f8a238d3ffb98fa464aa2987607c85f366
Instruction Fuzzy Hash: B3516F71900209BADF15EBA0CC82EEEBFF8EF04750F1441A5F115721A2EB315A99DFA4

Function 00B98B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

Part of subcall function 00B1912D: GetCursorPos.USER32(?), ref: 00B19141
Part of subcall function 00B1912D: ScreenToClient.USER32(00000000,?), ref: 00B1915E
Part of subcall function 00B1912D: GetAsyncKeyState.USER32(00000001), ref: 00B19183
Part of subcall function 00B1912D: GetAsyncKeyState.USER32(00000002), ref: 00B1919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00B98B6B
ImageList_EndDrag.COMCTL32 ref: 00B98B71
ReleaseCapture.USER32 ref: 00B98B77
SetWindowTextW.USER32(?,00000000), ref: 00B98C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B98C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00B98CFF

Strings

@GUI_DRAGFILE, xrefs: 00B98C9A
@GUI_DROPID, xrefs: 00B98C51

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: c35863480eed9c4720f33677f0f96599892855fab8e2cf493bb0192fee322492
Instruction ID: 1ac7ee064c0ffc40eed935a381480ddcf57022786317789b01e219bd5c286763
Opcode Fuzzy Hash: c35863480eed9c4720f33677f0f96599892855fab8e2cf493bb0192fee322492
Instruction Fuzzy Hash: 49518C71505300AFDB00DF14DCA6FAA7BE4FB89710F400AAEF956672E2DB709944CB62

Function 00B7C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B7C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B7C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B7C2CA
GetLastError.KERNEL32 ref: 00B7C322
SetEvent.KERNEL32(?), ref: 00B7C336
InternetCloseHandle.WININET(00000000), ref: 00B7C341

Strings

, xrefs: 00B7C2BB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: fb5612042e5734b993351a1e9b15cb034e30455d68c7b21a4d415e48dd0d3d0a
Instruction ID: 3b36ecfc8971473d83248c5a29dc4423f451538dd3d535b17406e1a35162c47d
Opcode Fuzzy Hash: fb5612042e5734b993351a1e9b15cb034e30455d68c7b21a4d415e48dd0d3d0a
Instruction Fuzzy Hash: E33178B1600608AFDB219FA48D88AAB7FFCEB49744F10C55EF49A93201DB34ED049B74

Function 00B6989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B43AAF,?,?,Bad directive syntax error,00B9CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B698BC
LoadStringW.USER32(00000000,?,00B43AAF,?), ref: 00B698C3

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B69987

Strings

Error: , xrefs: 00B69955
., xrefs: 00B6996D
Line %d:, xrefs: 00B69912
%s (%d) : ==> %s.: %s %s, xrefs: 00B698F1
Line %d (File "%s"):, xrefs: 00B6992D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: e7b33cca79bd0ff170d390564b2c80674f2ec84d154a7807e5a02c0951abe128
Instruction ID: ed3a72f8cab88a82c97c4c952483a68d477289521b07a83309d3f52b44e4489a
Opcode Fuzzy Hash: e7b33cca79bd0ff170d390564b2c80674f2ec84d154a7807e5a02c0951abe128
Instruction Fuzzy Hash: 9F218031C1021AABCF15AF90CC4AEEE7BF9FF18740F0444AAF515620E2EB359658DB50

Function 00B6209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00B620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B6214D

Strings

smallicons, xrefs: 00B62115
list, xrefs: 00B6212F
SHELLDLL_DefView, xrefs: 00B620CC
details, xrefs: 00B620FB
largeicons, xrefs: 00B620E1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 263d0aa4c19fefbe2e708cc8e885c044ea9606bc0a2127b445ab7c4e220dbd94
Instruction ID: 35e72c873156cc2e021651eaa0081095351dceacc1cf2054ec575834b08a5009
Opcode Fuzzy Hash: 263d0aa4c19fefbe2e708cc8e885c044ea9606bc0a2127b445ab7c4e220dbd94
Instruction Fuzzy Hash: D2110A7768CB16B9FA116720EC06DA67BDCDB16324B2000EAFB08B50E1EE656C415514

Function 00B3CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B3CEB7
_free.LIBCMT ref: 00B3CF22
_free.LIBCMT ref: 00B3CF48
_free.LIBCMT ref: 00B3CF71
_free.LIBCMT ref: 00B3CFA9
_free.LIBCMT ref: 00B3CFDA
_free.LIBCMT ref: 00B3D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B3D09C
_free.LIBCMT ref: 00B3D0B5

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b05d16e9749ddb3c9b469c6e1cdc55a7deb25e36081c3ca576c58c78a9608680
Instruction ID: 5251a8fdcd8e1f8e7424e600f59cad3e4a1168e4975f5a67cf9c2890caee6aeb
Opcode Fuzzy Hash: b05d16e9749ddb3c9b469c6e1cdc55a7deb25e36081c3ca576c58c78a9608680
Instruction Fuzzy Hash: 9861E571905311AFDB25AFF8A891B69BFE6EF05310F3441FEF944A7241EA329905C750

Function 00B18B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00B56890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B568F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B18874,00000000,00000000,00000000,000000FF,00000000), ref: 00B56901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B5691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B18874,00000000,00000000,00000000,000000FF,00000000), ref: 00B5692D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: c826000016347cf2582a4f0a5f8375252743da7289ea79624361a4c71c085b74
Instruction ID: 9238aa37a4ad79a1d2a0fc6c74575a07b17da6e6886045a763636bf159688bb9
Opcode Fuzzy Hash: c826000016347cf2582a4f0a5f8375252743da7289ea79624361a4c71c085b74
Instruction Fuzzy Hash: 33519970A00209EFDB20CF24CCA5BAA7BF5FF58760F504599F906972A0DB71E991DB50

Function 00B7C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B7C182
GetLastError.KERNEL32 ref: 00B7C195
SetEvent.KERNEL32(?), ref: 00B7C1A9

Part of subcall function 00B7C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B7C272
Part of subcall function 00B7C253: GetLastError.KERNEL32 ref: 00B7C322
Part of subcall function 00B7C253: SetEvent.KERNEL32(?), ref: 00B7C336
Part of subcall function 00B7C253: InternetCloseHandle.WININET(00000000), ref: 00B7C341

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 49c391d85ff356768cf0af2c4ec3996e7a39621808f79752414cdc379b9c4356
Instruction ID: 7280f0d28724a2a512c2d337695b48e46b9d0488c5dbda80ff36cb65647df1ee
Opcode Fuzzy Hash: 49c391d85ff356768cf0af2c4ec3996e7a39621808f79752414cdc379b9c4356
Instruction Fuzzy Hash: B1319C71200601AFDB219FF5DD44A66BFF8FF18300B50846EF96A83612DB30E914DBA0

Function 00B625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B63A57
Part of subcall function 00B63A3D: GetCurrentThreadId.KERNEL32 ref: 00B63A5E
Part of subcall function 00B63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B625B3), ref: 00B63A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B62601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B62605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B6260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B62623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B62627

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e00ecf2450208e796a98f032bd09aaee57f3b5d3b6c79cde20a68799b1e523e7
Instruction ID: 1f249fe4030d7c1dabb95057296fa76bc0f33a4053ec11d7d77c664d6df7fc57
Opcode Fuzzy Hash: e00ecf2450208e796a98f032bd09aaee57f3b5d3b6c79cde20a68799b1e523e7
Instruction Fuzzy Hash: A901D830390620BBFB106769DC8AF593F99DF4EB51F100012F318AF0E1CDE11444DA69

Function 00B61803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B61449,?,?,00000000), ref: 00B6180C
HeapAlloc.KERNEL32(00000000,?,00B61449,?,?,00000000), ref: 00B61813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B61449,?,?,00000000), ref: 00B61828
GetCurrentProcess.KERNEL32(?,00000000,?,00B61449,?,?,00000000), ref: 00B61830
DuplicateHandle.KERNEL32(00000000,?,00B61449,?,?,00000000), ref: 00B61833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B61449,?,?,00000000), ref: 00B61843
GetCurrentProcess.KERNEL32(00B61449,00000000,?,00B61449,?,?,00000000), ref: 00B6184B
DuplicateHandle.KERNEL32(00000000,?,00B61449,?,?,00000000), ref: 00B6184E
CreateThread.KERNEL32(00000000,00000000,00B61874,00000000,00000000,00000000), ref: 00B61868

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3d89e1d27285a677ca69eaec7a344767838c9a1e40f8af93d6dcc0f2a0eb5c91
Instruction ID: f5443b3ffaf9aa15ffce82d29b5cbf5a9af8cf633084b9cced82fcc65e9ec7ab
Opcode Fuzzy Hash: 3d89e1d27285a677ca69eaec7a344767838c9a1e40f8af93d6dcc0f2a0eb5c91
Instruction Fuzzy Hash: 0801BF75240304BFE710AB65DD4DF5B3FACEB89B11F504411FA05DB1A1CA749800CB34

Function 00B8A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B6D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00B6D501
Part of subcall function 00B6D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00B6D50F
Part of subcall function 00B6D4DC: CloseHandle.KERNEL32(00000000), ref: 00B6D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8A16D
GetLastError.KERNEL32 ref: 00B8A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B8A268
GetLastError.KERNEL32(00000000), ref: 00B8A273
CloseHandle.KERNEL32(00000000), ref: 00B8A2C4

Strings

SeDebugPrivilege, xrefs: 00B8A18F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5ed679385d54fbbd7c2d1ef88a5ab559079da553125299ce30ae6ef3a7da92da
Instruction ID: 6c35887d594986b6592fa9d0849124fc79dfe650f4da7f31c7fe2206eb70a320
Opcode Fuzzy Hash: 5ed679385d54fbbd7c2d1ef88a5ab559079da553125299ce30ae6ef3a7da92da
Instruction Fuzzy Hash: 3B616B702082429FE720EF19C494F15BBE5AF44318F1884DDE4668B7A3CB76ED49CB92

Function 00B93886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B93925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B9393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B93954
_wcslen.LIBCMT ref: 00B93999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B939F4

Strings

SysListView32, xrefs: 00B938F7

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 32ca671836520b7580ecb842c97a596ec374bf9f307d32121027f1d44add97d9
Instruction ID: 89586ca7e0cebcc7bc8e62add0c3a6d5d8d61068828e3f95187372c1f74a9e5f
Opcode Fuzzy Hash: 32ca671836520b7580ecb842c97a596ec374bf9f307d32121027f1d44add97d9
Instruction Fuzzy Hash: 0F41A371A00218ABEF219F64CC85FEA7BE9EF08750F1005A6F959E7291D7719E80CB90

Function 00B6BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B6BCFD
IsMenu.USER32(00000000), ref: 00B6BD1D
CreatePopupMenu.USER32 ref: 00B6BD53
GetMenuItemCount.USER32(01436300), ref: 00B6BDA4
InsertMenuItemW.USER32(01436300,?,00000001,00000030), ref: 00B6BDCC

Strings

0, xrefs: 00B6BCA8
2, xrefs: 00B6BD37

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: e80d94e2aa91820be48d7e168a7052d36da53279e0901cd60f5d12b553faeedb
Instruction ID: abfa2cb1fbddd2e8c4ccedb65fc363e3af52a6467096a00a30691a54f61c9c28
Opcode Fuzzy Hash: e80d94e2aa91820be48d7e168a7052d36da53279e0901cd60f5d12b553faeedb
Instruction Fuzzy Hash: 32519E70A00205ABDF20CFA8D9C4FAEBBF8FF55314F1442AAE455DB291D7789981CB61

Function 00B6C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B6C913

Strings

stop, xrefs: 00B6C8E4
blank, xrefs: 00B6C895
question, xrefs: 00B6C8CC
warning, xrefs: 00B6C8FC
info, xrefs: 00B6C8B4

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 3dae02ab501efefe20e0ce2d20b11b3ec7ff15c9232b014e7fdd493c65cefa9a
Instruction ID: 569831104e1f752be5714ab5af8c5a413c9bebd89c221ebf8339073c8ab3bb15
Opcode Fuzzy Hash: 3dae02ab501efefe20e0ce2d20b11b3ec7ff15c9232b014e7fdd493c65cefa9a
Instruction Fuzzy Hash: 6C110A32789306BAE7069B54AC83DBA6BDCDF16354B2004FFF944E62C2E7B85E005264

Function 00B6ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B6ED2A
_wcslen.LIBCMT ref: 00B6ED3B
_wcslen.LIBCMT ref: 00B6ED79
_wcslen.LIBCMT ref: 00B6EDAF
_wcslen.LIBCMT ref: 00B6EDDF
_wcslen.LIBCMT ref: 00B6EDEF
_wcslen.LIBCMT ref: 00B6EE2B
_wcslen.LIBCMT ref: 00B6EE5A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 53024166e61af102c0df2e5999a762e89420149ac4c17b9f3c7d7b46a19507fa
Instruction ID: 5bcfea85b39cb3f1ad8e90067b19188591010c4bd5a83eaf320965fde9cc6b22
Opcode Fuzzy Hash: 53024166e61af102c0df2e5999a762e89420149ac4c17b9f3c7d7b46a19507fa
Instruction Fuzzy Hash: CB41A365C10228B5CB11EBF4DC8A9CFB7E8AF49710F5084A6E52CE3121FB38E655C3A5

Function 00B1F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B5682C,00000004,00000000,00000000), ref: 00B1F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00B5682C,00000004,00000000,00000000), ref: 00B5F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B5682C,00000004,00000000,00000000), ref: 00B5F454

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 36430d78a5c881d1231bcf9f6045d33cacd8ac3a8846f2ca1d9881e79be88271
Instruction ID: 68438e67b3bf05d458537913531058741db514e64be15e0b7d9fb26dc5cf2ba5
Opcode Fuzzy Hash: 36430d78a5c881d1231bcf9f6045d33cacd8ac3a8846f2ca1d9881e79be88271
Instruction Fuzzy Hash: 64416C30508282BAD734AB6C89D87BABFD2EB463A0FD844FDE44753660DA35D8C1CB10

Function 00B92D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B92D1B
GetDC.USER32(00000000), ref: 00B92D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B92D2E
ReleaseDC.USER32(00000000,00000000), ref: 00B92D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B92D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B92D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B95A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00B92DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B92DE1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 76ba475c19f740e7870cd19c4a46684d2292bfad0099493fc2c3d13d48eb45da
Instruction ID: 538d8807bd6e27f86ab7fe991d7319f974613b946c5234a20861ecf8c01e8621
Opcode Fuzzy Hash: 76ba475c19f740e7870cd19c4a46684d2292bfad0099493fc2c3d13d48eb45da
Instruction Fuzzy Hash: 6D316B72201214BBEF118F508D8AFEB3FA9EF09715F044066FE089B291CA759C50CBB4

Function 00B65622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B65637
_memcmp.LIBVCRUNTIME ref: 00B65659
_memcmp.LIBVCRUNTIME ref: 00B65671
_memcmp.LIBVCRUNTIME ref: 00B65684
_memcmp.LIBVCRUNTIME ref: 00B6569E
_memcmp.LIBVCRUNTIME ref: 00B656B1
_memcmp.LIBVCRUNTIME ref: 00B656C9
_memcmp.LIBVCRUNTIME ref: 00B656E4

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ea788eb2225b797034869a7c00c6db08b7a4312d5ab98a0dda36c8f09fc8ebb0
Instruction ID: e387994279d4b77293f7ae5a5f545fcf6708b5efed452063baa133ae6442ae58
Opcode Fuzzy Hash: ea788eb2225b797034869a7c00c6db08b7a4312d5ab98a0dda36c8f09fc8ebb0
Instruction Fuzzy Hash: D321A762641A1A77D6249E24DD82FBA33DDEF213A4F4440F0FD089A581F728ED30C1A9

Function 00B84FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00B8502E, 00B85383
Not an Object type, xrefs: 00B85007

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 349ac893a226fd09f4f06e587ca3a04ad1d891c9f0d7faa9ccf4212e59bfbdfa
Instruction ID: e660589fcac2ca0dc26b098b9a4261703406691aade603c440ceec507f3ccf2d
Opcode Fuzzy Hash: 349ac893a226fd09f4f06e587ca3a04ad1d891c9f0d7faa9ccf4212e59bfbdfa
Instruction Fuzzy Hash: C4D1B375A0060A9FDF20EFA8C885BAEB7F5FF48344F1480A9E915AB2A1D770DD45CB50

Function 00B41522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00B415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00B41651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00B417FB,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00B416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00B416FB

Part of subcall function 00B33820: RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00B417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00B41777
__freea.LIBCMT ref: 00B417A2
__freea.LIBCMT ref: 00B417AE

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f87961bc1a1524878c700d8b9438808c0064542d4ca5589e4de8248471bd8ed1
Instruction ID: 62502238a2bc3fa68e844b0fa9edd05a5769977878043fe0b1f8f2af11ee2b02
Opcode Fuzzy Hash: f87961bc1a1524878c700d8b9438808c0064542d4ca5589e4de8248471bd8ed1
Instruction Fuzzy Hash: 8391B371E102169ADF208F7CC881AEE7BF5EF59750F184A99E805E7141EB35DE80EB60

Function 00B84523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B84648
VariantInit.OLEAUT32(?), ref: 00B84749
VariantClear.OLEAUT32(?), ref: 00B84753
VariantClear.OLEAUT32(?), ref: 00B847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B845D8, 00B84706, 00B847BE
Incorrect Object type in FOR..IN loop, xrefs: 00B8472C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 28320d32b9f5c5711a598dec905d490d779ce888d11cda0982edf031a7b5f3ed
Instruction ID: 73dcb491d1a9254f28b50cc5c600a0d8ae7f7ca92f14777ce15e75f8b42fea65
Opcode Fuzzy Hash: 28320d32b9f5c5711a598dec905d490d779ce888d11cda0982edf031a7b5f3ed
Instruction Fuzzy Hash: 76918075A00216ABDF20DFA4C884FAEBBF8EF46710F108599F515AB290D7709D45CFA0

Function 00B71187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00B7125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B71284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00B712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B7135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B71430

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: c4020deaabd804bc8fe864822112d4b1ced71e7c4be508133fa142c509dbe212
Instruction ID: 0eea9453e7346164e4332519162182a095ee88a193a4bf2dec3c6bf8474639cd
Opcode Fuzzy Hash: c4020deaabd804bc8fe864822112d4b1ced71e7c4be508133fa142c509dbe212
Instruction Fuzzy Hash: D091D171A00209AFDB00DFACD885BBE77F5FF45311F1588A9E924EB292D774A941CB60

Function 00B1948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 81f64bc2b8a76bcb6b7e41a9a8b56be264a0ac129c7438695548d7a8b60f5255
Instruction ID: eeb9f867c681b6da123c9e123590e868c5af5073464b010a1d16132e59e95f62
Opcode Fuzzy Hash: 81f64bc2b8a76bcb6b7e41a9a8b56be264a0ac129c7438695548d7a8b60f5255
Instruction Fuzzy Hash: 80912671E40219EFCB10CFA9C884AEEBBF9FF49320F544095E915B7251D774AA82CB60

Function 00B83947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B8396B
CharUpperBuffW.USER32(?,?), ref: 00B83A7A
_wcslen.LIBCMT ref: 00B83A8A
VariantClear.OLEAUT32(?), ref: 00B83C1F

Part of subcall function 00B70CDF: VariantInit.OLEAUT32(00000000), ref: 00B70D1F
Part of subcall function 00B70CDF: VariantCopy.OLEAUT32(?,?), ref: 00B70D28
Part of subcall function 00B70CDF: VariantClear.OLEAUT32(?), ref: 00B70D34

Strings

Incorrect Parameter format, xrefs: 00B839A6, 00B83BA1
AUTOIT.ERROR, xrefs: 00B83A80, 00B83A85

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 800a6603803ecb7b4b39a7e256c78b2aa4a919e389eb572f357ecfc5100cd5eb
Instruction ID: a195c3d33a31710ca0848851d78214e0c8e380bce6b17c9ee0dca87c6dce9d58
Opcode Fuzzy Hash: 800a6603803ecb7b4b39a7e256c78b2aa4a919e389eb572f357ecfc5100cd5eb
Instruction Fuzzy Hash: 7E915A756083059FC704EF24C49096ABBE4FF89B14F1488ADF89A97361DB31EE45CB92

Function 00B84BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00B6000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?,?,00B6035E), ref: 00B6002B
Part of subcall function 00B6000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60046
Part of subcall function 00B6000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60054
Part of subcall function 00B6000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?), ref: 00B60064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B84C51
_wcslen.LIBCMT ref: 00B84D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B84DCF
CoTaskMemFree.OLE32(?), ref: 00B84DDA

Strings

NULL Pointer assignment, xrefs: 00B84E23, 00B84E52

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 25451e87bc288dbe55793a6108064cc26374044520849b55b5fb35f9b2cfa5ce
Instruction ID: c6e8428da3fecb95a3e1415e7246903c053b83f267225c11782ac45ef41bc54c
Opcode Fuzzy Hash: 25451e87bc288dbe55793a6108064cc26374044520849b55b5fb35f9b2cfa5ce
Instruction Fuzzy Hash: DD911871D00219AFDF14EFA4D891AEEBBF8FF08310F1085A9E515A7291DB349A44CF60

Function 00B920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B92183
GetMenuItemCount.USER32(00000000), ref: 00B921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B921DD
_wcslen.LIBCMT ref: 00B92213
GetMenuItemID.USER32(?,?), ref: 00B9224D
GetSubMenu.USER32(?,?), ref: 00B9225B

Part of subcall function 00B63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B63A57
Part of subcall function 00B63A3D: GetCurrentThreadId.KERNEL32 ref: 00B63A5E
Part of subcall function 00B63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B625B3), ref: 00B63A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B922E3

Part of subcall function 00B6E97B: Sleep.KERNEL32 ref: 00B6E9F3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 198bf6bfd539ff797808817e8ebaedd02a37ee1b06591cbeb1afc132d77cf83f
Instruction ID: 54566410cdf4c2695b0785c80bbc97f762c2ee5b80006e4825d5d5ab7c2b7b2d
Opcode Fuzzy Hash: 198bf6bfd539ff797808817e8ebaedd02a37ee1b06591cbeb1afc132d77cf83f
Instruction Fuzzy Hash: 4B713D75E00215AFCF14EF64C885AAEBBF5EF48310F1584A9E916EB351DB34ED418B90

Function 00B6AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B6AEF9
GetKeyboardState.USER32(?), ref: 00B6AF0E
SetKeyboardState.USER32(?), ref: 00B6AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B6AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B6AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B6AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B6B020

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 42b9fe9da02fcefe88a92e34e9a2d3469168a2c865188566bcb0895f4110e311
Instruction ID: 7cf1a4e16903500814f37fcd7a9e5bed7d59f62aa6bcb72d3845677abc978d31
Opcode Fuzzy Hash: 42b9fe9da02fcefe88a92e34e9a2d3469168a2c865188566bcb0895f4110e311
Instruction Fuzzy Hash: 1051C4A1A047D53DFB3642348C45BBA7EE9AB06304F0884C9E1D9958C3C7ADA8C4DB52

Function 00B6ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B6AD19
GetKeyboardState.USER32(?), ref: 00B6AD2E
SetKeyboardState.USER32(?), ref: 00B6AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B6ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B6ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B6AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B6AE38

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bd085e7bfe3402ba7104a5518e8a4d884b0b5dfa2cc2c7291197d404ac95b00a
Instruction ID: 6abc95e878719fee37ec9cb6a557b2312dd946e9331c6fd3e1d580382a894d81
Opcode Fuzzy Hash: bd085e7bfe3402ba7104a5518e8a4d884b0b5dfa2cc2c7291197d404ac95b00a
Instruction Fuzzy Hash: A951E6A16047D53DFF3283348C95B7ABEE8AB46300F1884D9E1D5668C3C69DEC84DB52

Function 00B3542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00B43CD6,?,?,?,?,?,?,?,?,00B35BA3,?,?,00B43CD6,?,?), ref: 00B35470
__fassign.LIBCMT ref: 00B354EB
__fassign.LIBCMT ref: 00B35506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00B43CD6,00000005,00000000,00000000), ref: 00B3552C
WriteFile.KERNEL32(?,00B43CD6,00000000,00B35BA3,00000000,?,?,?,?,?,?,?,?,?,00B35BA3,?), ref: 00B3554B
WriteFile.KERNEL32(?,?,00000001,00B35BA3,00000000,?,?,?,?,?,?,?,?,?,00B35BA3,?), ref: 00B35584

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d94c57b8aa5c322346cb2567c1d89526e09b6f0c8b93f717a7ead52fccf2cb93
Instruction ID: 950690f0b8b1afb7759f9527dcf62f6ef73802bddbcb4670094c1a0fa18e39d1
Opcode Fuzzy Hash: d94c57b8aa5c322346cb2567c1d89526e09b6f0c8b93f717a7ead52fccf2cb93
Instruction Fuzzy Hash: 4751D6709006499FDB20CFA8D885BEEBBF9EF19300F25455AF555E7291E730AA41CB60

Function 00B22D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B22D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00B22D53
_ValidateLocalCookies.LIBCMT ref: 00B22DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00B22E0C
_ValidateLocalCookies.LIBCMT ref: 00B22E61

Strings

csm, xrefs: 00B22DF6

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 762c3d6212ab54944c9a6303e5823ea199e08f473c7db350a97137274c4f76b9
Instruction ID: 6e32e41bb9e31a891bff9a952b18192daab49787a5e5b6e33c386feb228e5372
Opcode Fuzzy Hash: 762c3d6212ab54944c9a6303e5823ea199e08f473c7db350a97137274c4f76b9
Instruction Fuzzy Hash: 7A41D634E00228ABCF10DF68D845AAEBBF5FF45364F1481E5E81DAB352D7359A11CB91

Function 00B810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B8307A
Part of subcall function 00B8304E: _wcslen.LIBCMT ref: 00B8309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B81112
WSAGetLastError.WSOCK32 ref: 00B81121
WSAGetLastError.WSOCK32 ref: 00B811C9
closesocket.WSOCK32(00000000), ref: 00B811F9

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: cac76d88fa4d5114c8f37b103080df1bb11b9dd2affc7ff182716872f06909e0
Instruction ID: a2b9ca38501a60021395d89a827c9f7aecdeb02293dcc23cd9da18598414d857
Opcode Fuzzy Hash: cac76d88fa4d5114c8f37b103080df1bb11b9dd2affc7ff182716872f06909e0
Instruction Fuzzy Hash: A141F731600104AFDB10BF58C888BA9BBE9EF45754F148599F905AB2A1CB74AD42CBA1

Function 00B6CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B6CF22,?), ref: 00B6DDFD

Part of subcall function 00B6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B6CF22,?), ref: 00B6DE16

lstrcmpiW.KERNEL32(?,?), ref: 00B6CF45
MoveFileW.KERNEL32(?,?), ref: 00B6CF7F
_wcslen.LIBCMT ref: 00B6D005
_wcslen.LIBCMT ref: 00B6D01B
SHFileOperationW.SHELL32(?), ref: 00B6D061

Strings

\*.*, xrefs: 00B6CFF3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9bed999475bee77580376dd6e65a516da947e7a701b5b2f9a758a612cae6eab7
Instruction ID: 9e2010e52448508742abfc15e7120c7aa2ea24142ecc1c69c1fae613fbe4b1da
Opcode Fuzzy Hash: 9bed999475bee77580376dd6e65a516da947e7a701b5b2f9a758a612cae6eab7
Instruction Fuzzy Hash: 0E411871D451199FDF12EFA4D981AED77F9EF08380F1000E6E549E7141EB34A688CB50

Function 00B92DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B92E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00B92E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00B92E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B92EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B92EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B92EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B92F0B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7b6c89c70bc233ec3a90d6940af1a3def131a9e49adf4478e9875555815cd620
Instruction ID: dfcb41fcdfde3409575728cc7c74e666c6a3dd701e23dbcb8e92877494cfeb10
Opcode Fuzzy Hash: 7b6c89c70bc233ec3a90d6940af1a3def131a9e49adf4478e9875555815cd620
Instruction Fuzzy Hash: 95311035A05640AFEF21CF18DEE5FA53BE0EB8A710F1501A6F9008B2B2CB71A840DB50

Function 00B67726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B67769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B6778F
SysAllocString.OLEAUT32(00000000), ref: 00B67792
SysAllocString.OLEAUT32(?), ref: 00B677B0
SysFreeString.OLEAUT32(?), ref: 00B677B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00B677DE
SysAllocString.OLEAUT32(?), ref: 00B677EC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 78bac8757bd39890302874470c05055c6947267cc39a922326f34ed251c3787c
Instruction ID: f093d19e8773c4859e5c7b3f3359d26a255870c1d4a0e7ffc814187e89276ee8
Opcode Fuzzy Hash: 78bac8757bd39890302874470c05055c6947267cc39a922326f34ed251c3787c
Instruction Fuzzy Hash: 3921B376608219AFDF10DFA8CD88CBB77ECEB097687148066FA15DB250DA78DC41C7A4

Function 00B677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B67842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B67868
SysAllocString.OLEAUT32(00000000), ref: 00B6786B
SysAllocString.OLEAUT32 ref: 00B6788C
SysFreeString.OLEAUT32 ref: 00B67895
StringFromGUID2.OLE32(?,?,00000028), ref: 00B678AF
SysAllocString.OLEAUT32(?), ref: 00B678BD

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 360fd4679b3ddecd0b9b9806cbc31c09e6b028b9af5f5067e742a7c47e3da954
Instruction ID: 08c50ffdc2271e986bf6b302b3f4723c56d4c057163870d9958920e066751246
Opcode Fuzzy Hash: 360fd4679b3ddecd0b9b9806cbc31c09e6b028b9af5f5067e742a7c47e3da954
Instruction Fuzzy Hash: 9D21AF32608204AFDB10AFB9DC8CDBA77ECEB087647108166F915CB2A1DE74DC81CB64

Function 00B704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B7052E

Strings

nul, xrefs: 00B70567

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 50e0ab71c01569faf5199821339328d34aefe27eb05ca4c6ddea49e87c4df335
Instruction ID: 462dc9a4f0b9853e032e690f30058e2fd201017c20433a5bc229694cca0cb172
Opcode Fuzzy Hash: 50e0ab71c01569faf5199821339328d34aefe27eb05ca4c6ddea49e87c4df335
Instruction Fuzzy Hash: 91215C75510305EBDB20AF29D884A9A7BF4EF64724F208A5AF8B9D72E0D7709940CF20

Function 00B705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B70601

Strings

nul, xrefs: 00B70639

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5a774baa18f66b6179d4b910ddbed05eed55ddf3068a998265fd26b3142f7cd8
Instruction ID: 21f1522be1ac3b5fc9c63db9a31919d84d2dd3f810e1cc53b0a9bee5c108644f
Opcode Fuzzy Hash: 5a774baa18f66b6179d4b910ddbed05eed55ddf3068a998265fd26b3142f7cd8
Instruction Fuzzy Hash: 2C21A175510305DBDB20AF698C54A9A77E4FF95720F208A5BF8B5E72E0DB70D960CB20

Function 00B940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B0604C
Part of subcall function 00B0600E: GetStockObject.GDI32(00000011), ref: 00B06060
Part of subcall function 00B0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B0606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B94112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B9411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B9412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B94139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B94145

Strings

Msctls_Progress32, xrefs: 00B940E3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0a7bddb7a1ce12a3af918f3db8a50786a337e5e289de1823fab0e3529d298944
Instruction ID: a0201fbb585e4463712c35d13184a0302370f927ef4421dbe55c45d4389d4e3f
Opcode Fuzzy Hash: 0a7bddb7a1ce12a3af918f3db8a50786a337e5e289de1823fab0e3529d298944
Instruction Fuzzy Hash: C311B2B2140229BEEF118F64CC85EE77F9DEF08798F004121BA18A6090CB72DC21DBA4

Function 00B3D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B3D7A3: _free.LIBCMT ref: 00B3D7CC

_free.LIBCMT ref: 00B3D82D

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B3D838
_free.LIBCMT ref: 00B3D843
_free.LIBCMT ref: 00B3D897
_free.LIBCMT ref: 00B3D8A2
_free.LIBCMT ref: 00B3D8AD
_free.LIBCMT ref: 00B3D8B8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 87228a91b2fc617b8a90bad0944f669b7e89f0bf956430d94a456c163124d167
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: 27118271940B14FAD631BFF0EC47FCB7BDCAF00700F5009A5B699A6292DA75B9058760

Function 00B6DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B6DA74
LoadStringW.USER32(00000000), ref: 00B6DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B6DA91
LoadStringW.USER32(00000000), ref: 00B6DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B6DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B6DAB9

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: e02d2253a78d5e05c6ec8c3977d6b4b29e8cb16cf61950964080c580fbea01a9
Instruction ID: 0356a8f758a0287f6be478f798e845a827e19d58a62c012de72f4788724d5b74
Opcode Fuzzy Hash: e02d2253a78d5e05c6ec8c3977d6b4b29e8cb16cf61950964080c580fbea01a9
Instruction Fuzzy Hash: C50112F69042187FEB51DBE49E89EE77BACE708701F404496B746E3041EA749E844F74

Function 00B7096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0142EE08,0142EE08), ref: 00B7097B
EnterCriticalSection.KERNEL32(0142EDE8,00000000), ref: 00B7098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 00B7099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00B709A9
CloseHandle.KERNEL32(00000000), ref: 00B709B8
InterlockedExchange.KERNEL32(0142EE08,000001F6), ref: 00B709C8
LeaveCriticalSection.KERNEL32(0142EDE8), ref: 00B709CF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 02928b361160065f37036a3fdb33e37578778aa3fee202a246e3844ff7bed1fb
Instruction ID: f7d9771abc75c2b94a7422aeba5563e0793e23db51c16d328f5a93ced8e1f600
Opcode Fuzzy Hash: 02928b361160065f37036a3fdb33e37578778aa3fee202a246e3844ff7bed1fb
Instruction Fuzzy Hash: 00F01D31442912EBD7415BA4EF89AD67A25FF01702F901017F201518A0CB75A465CFA0

Function 00B81C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B81DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B81DE1
WSAGetLastError.WSOCK32 ref: 00B81DF2
htons.WSOCK32(?,?,?,?,?), ref: 00B81EDB
inet_ntoa.WSOCK32(?), ref: 00B81E8C

Part of subcall function 00B639E8: _strlen.LIBCMT ref: 00B639F2

Part of subcall function 00B83224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00B7EC0C), ref: 00B83240

_strlen.LIBCMT ref: 00B81F35

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 095db7529e72be0c0dd0ef652a7e645983ebb4f5cb0350e6b444bd6b770eb543
Instruction ID: d3947aa3270cf4c719ed1480b5088298d9feddfe3af49e95454c3299b3791fd3
Opcode Fuzzy Hash: 095db7529e72be0c0dd0ef652a7e645983ebb4f5cb0350e6b444bd6b770eb543
Instruction Fuzzy Hash: CAB1B131204340AFC324EF28C895E6A7BE9EF84318F54899CF5565B2E2DB71ED46CB91

Function 00B05D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B05D30
GetWindowRect.USER32(?,?), ref: 00B05D71
ScreenToClient.USER32(?,?), ref: 00B05D99
GetClientRect.USER32(?,?), ref: 00B05ED7
GetWindowRect.USER32(?,?), ref: 00B05EF8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 75f29e663700da0bbf062c831226e5959cb91cd2a0d63ff7c5b488217da7565a
Instruction ID: 82abecf7c225228cf6051109c42e2bff30d193525d506033ce07aef4c3a24b58
Opcode Fuzzy Hash: 75f29e663700da0bbf062c831226e5959cb91cd2a0d63ff7c5b488217da7565a
Instruction Fuzzy Hash: E4B16A34A0064ADFDB20CFA9C4807EABBF1FF58310F14855AE8A9D7690DB34AA51DF54

Function 00B301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B300D6
__allrem.LIBCMT ref: 00B300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B3010B
__allrem.LIBCMT ref: 00B30122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B30140

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 9ff5503e830f9413901a49ebec1982c0a3a34599de1ce729a8b80691ec804afa
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: C7812672A01B16ABE724AF28DC92B6BB3F8EF41720F3445BAF555D6681E770D9008790

Function 00B361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B282D9,00B282D9,?,?,?,00B3644F,00000001,00000001,8BE85006), ref: 00B36258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B3644F,00000001,00000001,8BE85006,?,?,?), ref: 00B362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B363D8
__freea.LIBCMT ref: 00B363E5

Part of subcall function 00B33820: RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

__freea.LIBCMT ref: 00B363EE
__freea.LIBCMT ref: 00B36413

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d2e0c3fb8d4f6832bdd2dd2f163b60c5dfb75e413cf18391b2ca86d429687d44
Instruction ID: 3a2fee5fb73b0e1361fbe8e2595138bd8c6cd49f9de449035b533908ed7c3560
Opcode Fuzzy Hash: d2e0c3fb8d4f6832bdd2dd2f163b60c5dfb75e413cf18391b2ca86d429687d44
Instruction Fuzzy Hash: 4E51BD72A00216BBEB258F68CC81EAF7BE9EB44750F3586A9F805D6140EB34DC40D6A4

Function 00B8BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8C9F1
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA68
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8BD25
RegCloseKey.ADVAPI32(00000000), ref: 00B8BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B8BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B8BDF3
RegCloseKey.ADVAPI32(?), ref: 00B8BDFF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 92597e4c3f73da5bc7e3b4dd870c25d6525c79c0d8b97ccc1c2682a5d7cacff1
Instruction ID: 8a5208f7943432aa3f2a38104884956b63d7e2beac772ef4cc6d8a3eb2d5e8a3
Opcode Fuzzy Hash: 92597e4c3f73da5bc7e3b4dd870c25d6525c79c0d8b97ccc1c2682a5d7cacff1
Instruction Fuzzy Hash: 3F819071208241EFD714EF24C895E2ABBE5FF84308F1489ADF5594B2A2DB31ED45CB92

Function 00B5F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00B5F7B9
SysAllocString.OLEAUT32(00000001), ref: 00B5F860
VariantCopy.OLEAUT32(00B5FA64,00000000), ref: 00B5F889
VariantClear.OLEAUT32(00B5FA64), ref: 00B5F8AD
VariantCopy.OLEAUT32(00B5FA64,00000000), ref: 00B5F8B1
VariantClear.OLEAUT32(?), ref: 00B5F8BB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 22f62cfb88c981e4221584409ef55b8a8ad126f103f7fa322a1187790dc8244f
Instruction ID: c48ae3398cdeff712b5d5215e240df342235ba70b45998950f76a06efc2ded4c
Opcode Fuzzy Hash: 22f62cfb88c981e4221584409ef55b8a8ad126f103f7fa322a1187790dc8244f
Instruction Fuzzy Hash: A451A331600312AACF20AB65D895B39F7E8EF45312B2494E7ED05DF296DB709C84CB96

Function 00B7910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00B794E5
_wcslen.LIBCMT ref: 00B79506
_wcslen.LIBCMT ref: 00B7952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00B79585

Strings

X, xrefs: 00B79412

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ff7c35dcb011ccb3eee2ecb0e194ec248ad771f06ba5ad78663ad53b6373e273
Instruction ID: f11ae35c1b187595217304aacfd1393b8d0c37c3805628630417ea4caae2732f
Opcode Fuzzy Hash: ff7c35dcb011ccb3eee2ecb0e194ec248ad771f06ba5ad78663ad53b6373e273
Instruction Fuzzy Hash: 7CE1A2315083119FD724DF24C881A6ABBE4FF95314F0489ADF8999B3A2DB31DD45CB92

Function 00B1920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

BeginPaint.USER32(?,?,?), ref: 00B19241
GetWindowRect.USER32(?,?), ref: 00B192A5
ScreenToClient.USER32(?,?), ref: 00B192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B192D3
EndPaint.USER32(?,?,?,?,?), ref: 00B19321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B571EA

Part of subcall function 00B19339: BeginPath.GDI32(00000000), ref: 00B19357

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 2f49b95d710f58cbf15ecf07b5ca39858e1f42594dfc085ab43fce88a52fd7f2
Instruction ID: 822fd9a370bff51a7261abd58f82e7d63574e51e9774aeb22b1527a2c237db82
Opcode Fuzzy Hash: 2f49b95d710f58cbf15ecf07b5ca39858e1f42594dfc085ab43fce88a52fd7f2
Instruction Fuzzy Hash: E241C130205340AFD710DF68DCA4FBA7BF8EF45321F1406AAF964972A1DB319985DB61

Function 00B707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B7080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00B70847
EnterCriticalSection.KERNEL32(?), ref: 00B70863
LeaveCriticalSection.KERNEL32(?), ref: 00B708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B70921

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: e2ca755d4b1a3b21e0cc1a0f487daadc396e0b423a7a5a530f55ed5ffec65719
Instruction ID: 043308fe3983950260568ebc76b1dd2dd4df5cab34bf4f72ec974acae1af8fee
Opcode Fuzzy Hash: e2ca755d4b1a3b21e0cc1a0f487daadc396e0b423a7a5a530f55ed5ffec65719
Instruction Fuzzy Hash: 6F416B71A10205EFDF14AF54DC85AAA7BB8FF04300F5480A6ED04AB297DB30DE60DBA4

Function 00B981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00B5F3AB,00000000,?,?,00000000,?,00B5682C,00000004,00000000,00000000), ref: 00B9824C
EnableWindow.USER32(00000000,00000000), ref: 00B98272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B982D1
ShowWindow.USER32(00000000,00000004), ref: 00B982E5
EnableWindow.USER32(00000000,00000001), ref: 00B9830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B9832F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5ac7c5daff8eff4d8c6073c4e2634119c4eda6f9f3e3fbdce8fd2aaf906c249e
Instruction ID: 7de77e4fd7df50e9fcea72068504e133df749bea145a3070aae0477cae5527e9
Opcode Fuzzy Hash: 5ac7c5daff8eff4d8c6073c4e2634119c4eda6f9f3e3fbdce8fd2aaf906c249e
Instruction Fuzzy Hash: 9D418034602644AFDF22CF19D9A9BA47BE0FB4B714F1841BAE5084B2B2CB35A841CF50

Function 00B64C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B64C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B64CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B64CEA
_wcslen.LIBCMT ref: 00B64D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B64D10
_wcsstr.LIBVCRUNTIME ref: 00B64D1A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 377bc39b55cd572d91ad672cd764f15ac43e8e7a59a28ccf47a9087d93eaa119
Instruction ID: 0b474e31606241da5a954e885e29b8d3c7d8ebcfe6483a2d52db63e4ea548f7a
Opcode Fuzzy Hash: 377bc39b55cd572d91ad672cd764f15ac43e8e7a59a28ccf47a9087d93eaa119
Instruction Fuzzy Hash: A221D432604611BBEB155B39AD49E7B7FE8DF45750F1080BAF809CB192EF65DC40D6A0

Function 00B7581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B03AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B03A97,?,?,00B02E7F,?,?,?,00000000), ref: 00B03AC2

_wcslen.LIBCMT ref: 00B7587B
CoInitialize.OLE32(00000000), ref: 00B75995
CoCreateInstance.OLE32(00B9FCF8,00000000,00000001,00B9FB68,?), ref: 00B759AE
CoUninitialize.OLE32 ref: 00B759CC

Strings

.lnk, xrefs: 00B75876, 00B758C1, 00B75985

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 22a16f5fb36672663ee07fde2e5a43895353ffe4b0dc4ebcb408a3f473995c0d
Instruction ID: ea6f33b6ebf9c4066010960c63a68d8d9c4aa9990d2a6d1af4bf0c1e2691f8f9
Opcode Fuzzy Hash: 22a16f5fb36672663ee07fde2e5a43895353ffe4b0dc4ebcb408a3f473995c0d
Instruction Fuzzy Hash: B5D164716087019FC724DF24C480A6ABBE5FF89710F14899DF89A9B3A1DB71EC45CB92

Function 00B6175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B60FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B60FCA
Part of subcall function 00B60FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B60FD6
Part of subcall function 00B60FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B60FE5
Part of subcall function 00B60FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B60FEC
Part of subcall function 00B60FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B61002

GetLengthSid.ADVAPI32(?,00000000,00B61335), ref: 00B617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B617BA
HeapAlloc.KERNEL32(00000000), ref: 00B617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B617DA
GetProcessHeap.KERNEL32(00000000,00000000,00B61335), ref: 00B617EE
HeapFree.KERNEL32(00000000), ref: 00B617F5

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f9377ee3c849739b3afc5656a041f5e475512310df8464860e69da0735965d9a
Instruction ID: 1ef8073f1d48f3598d334e3b003c07ddf35035e87f77ddda28eb5125f7189f71
Opcode Fuzzy Hash: f9377ee3c849739b3afc5656a041f5e475512310df8464860e69da0735965d9a
Instruction Fuzzy Hash: D211ACB1500205EFDB10DFA8CD49BBE7BE9EB41355F184899F541A7220DB39AE40CB60

Function 00B614CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00B61506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B61515
CloseHandle.KERNEL32(00000004), ref: 00B61520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B6154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B61563

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 78e8158b4af084e449c1a91e7bc71c34bf87d28f1066a72ec468dae6a3f51212
Instruction ID: a19bc881ab9c03e0f1cf55a552d41855be6aa7de893ea251b8d1a0eb6fa35049
Opcode Fuzzy Hash: 78e8158b4af084e449c1a91e7bc71c34bf87d28f1066a72ec468dae6a3f51212
Instruction Fuzzy Hash: 3011377250120DABDF11CFA8EE49FDE7BA9EF48748F084465FA05A2160C779CE60DB61

Function 00B23382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B23379,00B22FE5), ref: 00B23390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B2339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B233B7
SetLastError.KERNEL32(00000000,?,00B23379,00B22FE5), ref: 00B23409

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 404dd05b0d01e8e88bfffff2057f554fc3aa1f44012f9fd45779ca4c8fcf37b5
Instruction ID: bb85e8e52096651503a69446c8f45a763dbceb26266bcca4df774170bf472b7b
Opcode Fuzzy Hash: 404dd05b0d01e8e88bfffff2057f554fc3aa1f44012f9fd45779ca4c8fcf37b5
Instruction Fuzzy Hash: 1701D83260D331BEAA163BB47C859562ED8EB19F7672003A9F41C962F0EF194E035558

Function 00B32D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B35686,00B43CD6,?,00000000,?,00B35B6A,?,?,?,?,?,00B2E6D1,?,00BC8A48), ref: 00B32D78
_free.LIBCMT ref: 00B32DAB
_free.LIBCMT ref: 00B32DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00B2E6D1,?,00BC8A48,00000010,00B04F4A,?,?,00000000,00B43CD6), ref: 00B32DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00B2E6D1,?,00BC8A48,00000010,00B04F4A,?,?,00000000,00B43CD6), ref: 00B32DEC
_abort.LIBCMT ref: 00B32DF2

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 027bc58c3d299c63904409d1ff789e7e37a0acd86b3e150a620d343fc6b459d7
Instruction ID: a6aedefa89238042d404e843e8200f4fb25c0eae3cb945409e87c5c168ed21de
Opcode Fuzzy Hash: 027bc58c3d299c63904409d1ff789e7e37a0acd86b3e150a620d343fc6b459d7
Instruction Fuzzy Hash: 0EF0C8355056102BC6123739BC06F1B39E9EFC17A1F3405F9F824932E2EF3488025160

Function 00B98A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B19693
Part of subcall function 00B19639: SelectObject.GDI32(?,00000000), ref: 00B196A2
Part of subcall function 00B19639: BeginPath.GDI32(?), ref: 00B196B9
Part of subcall function 00B19639: SelectObject.GDI32(?,00000000), ref: 00B196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B98A4E
LineTo.GDI32(?,00000003,00000000), ref: 00B98A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B98A70
LineTo.GDI32(?,00000000,00000003), ref: 00B98A80
EndPath.GDI32(?), ref: 00B98A90
StrokePath.GDI32(?), ref: 00B98AA0

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: eddc6e7375823d376f70d5398ec1194617024d72596dd5cf8127954315e8bbbc
Instruction ID: 597d59e0a5749bd08ab72513cdf4cf13ad4a0fd8854f4cd47a591d91df80fa7b
Opcode Fuzzy Hash: eddc6e7375823d376f70d5398ec1194617024d72596dd5cf8127954315e8bbbc
Instruction Fuzzy Hash: D7111B7600010CFFDF129F94DC88EAA7FADEB08350F008062FA199A1A1DB719E55DFA0

Function 00B651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B65218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B65229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B65230
ReleaseDC.USER32(00000000,00000000), ref: 00B65238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B6524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B65261

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e0be141f7a557a32f0fc1e88e1dbb35459ffb3bc42fbc71b5bf661350786e716
Instruction ID: da0307d98fb10d321b1ea45f7cf97e8874949e2a9860cc93a0fd102e9be1a830
Opcode Fuzzy Hash: e0be141f7a557a32f0fc1e88e1dbb35459ffb3bc42fbc71b5bf661350786e716
Instruction Fuzzy Hash: 96014F75A01719BBEB109BA59D49A5EBFB8EB48751F0440A6FA04A7281DA709810CBA0

Function 00B01BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B01BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B01BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B01C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B01C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B01C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B01C22

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fb9672ac690b713022e47a833f48db5492c816a96fea7fd7f060c9a3e415ea52
Instruction ID: 5f972234dd74317e75c91de93657d887aba40f6c0d68af4232a12750bd82de17
Opcode Fuzzy Hash: fb9672ac690b713022e47a833f48db5492c816a96fea7fd7f060c9a3e415ea52
Instruction Fuzzy Hash: 110167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00B6EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B6EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B6EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00B6EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6EB75

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 155e4b318e4a0150aa8f846b34d469e3b2b4c7cff5db2d2780df56bf4fb243c2
Instruction ID: af5a962a9934ed788542f35fdde76eff9e930fb8f8739a098c50c27c4c80f724
Opcode Fuzzy Hash: 155e4b318e4a0150aa8f846b34d469e3b2b4c7cff5db2d2780df56bf4fb243c2
Instruction Fuzzy Hash: 5AF03072140158BBE72157529E0EEEF3E7CEFCAB11F00015AF611E3091DBA05A01C6B9

Function 00B57439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B57452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B57469
GetWindowDC.USER32(?), ref: 00B57475
GetPixel.GDI32(00000000,?,?), ref: 00B57484
ReleaseDC.USER32(?,00000000), ref: 00B57496
GetSysColor.USER32(00000005), ref: 00B574B0

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: eac976cccf5fa6bc937b5d3509a629316afd6c88b43a4259917595c1f3eeca98
Instruction ID: 9e5458dc1ee74b7134744fc696036bcb8572f222bcaf68d1c5d3a59c2d28ec92
Opcode Fuzzy Hash: eac976cccf5fa6bc937b5d3509a629316afd6c88b43a4259917595c1f3eeca98
Instruction Fuzzy Hash: 5D012831500215EFDB515FA4ED09BAA7FB5FB04322F5141A5FA16A31A1CF311E51AB50

Function 00B61874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B6187F
UnloadUserProfile.USERENV(?,?), ref: 00B6188B
CloseHandle.KERNEL32(?), ref: 00B61894
CloseHandle.KERNEL32(?), ref: 00B6189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00B618A5
HeapFree.KERNEL32(00000000), ref: 00B618AC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: da94bb7d1b5166f598eec1be58cf14b16e49cf6c0e3eef49396af37e037f223b
Instruction ID: 9b9143c76552f4c1b7a3df2057bff32cf8f0591ac9382673ae47d1a9c15f2aef
Opcode Fuzzy Hash: da94bb7d1b5166f598eec1be58cf14b16e49cf6c0e3eef49396af37e037f223b
Instruction Fuzzy Hash: D8E0E536004101BBDB015FA1EF0C90ABF39FF49B22B108222F22592070CF329420DF68

Function 00B6C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B6C6EE
_wcslen.LIBCMT ref: 00B6C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B6C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B6C7CA

Strings

0, xrefs: 00B6C6AF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: a85e61245fc205214445bd03e95e9ce8bf6ab2369b1e6629ce4dd9778650319a
Instruction ID: 3c3497f73f7d084eb7a61ed0f0ff8350dd22a130b9e82d1760e327217c30c572
Opcode Fuzzy Hash: a85e61245fc205214445bd03e95e9ce8bf6ab2369b1e6629ce4dd9778650319a
Instruction Fuzzy Hash: 1651BD716053019BD7109F28C885A7BBFE8EB49314F040AAAF9E5D31A1DB68DD44CB56

Function 00B8AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00B8AEA3

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

GetProcessId.KERNEL32(00000000), ref: 00B8AF38
CloseHandle.KERNEL32(00000000), ref: 00B8AF67

Strings

<, xrefs: 00B8AE6B
@, xrefs: 00B8AE72

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ce0475b56221ed89ec6e4d1988ea785f400201119627afeb73e88d6b9600fba1
Instruction ID: 30e8bc15c1c9f8653274487adb88a7a48d5c6d74c596066677c3b66374e8a52a
Opcode Fuzzy Hash: ce0475b56221ed89ec6e4d1988ea785f400201119627afeb73e88d6b9600fba1
Instruction Fuzzy Hash: 71714871A00615DFDB14EF54C494A9EBBF0FF08314F14889AE81AAB3A2CB75ED45CB91

Function 00B6719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B67206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B6723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B6724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B672CF

Strings

DllGetClassObject, xrefs: 00B67242

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8c0fad6329bd8a6180357030d12ba763480984ff9d23ddb8ac04c5f8f9750cd9
Instruction ID: c93fc6f5291b20dceb0d8e1469a0c9be8f984c0b771755f9aea83065e9198e18
Opcode Fuzzy Hash: 8c0fad6329bd8a6180357030d12ba763480984ff9d23ddb8ac04c5f8f9750cd9
Instruction Fuzzy Hash: 3C416D71A44204AFDB15CF64C894A9A7BE9EF45318F1480EDFD099F20ADBB8D944CBA0

Function 00B93D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B93E35
IsMenu.USER32(?), ref: 00B93E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B93E92
DrawMenuBar.USER32 ref: 00B93EA5

Strings

0, xrefs: 00B93D89

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: fe2be58298467c169f836f8b75ca957391c4ebaf8e6c35076d13aa32df97c419
Instruction ID: 77936395cf0bc7ccf70784aa411253e45d362227905f6c987e1b488eb19650df
Opcode Fuzzy Hash: fe2be58298467c169f836f8b75ca957391c4ebaf8e6c35076d13aa32df97c419
Instruction Fuzzy Hash: E5416575A01609EFDF10DF64D884AAABBF9FF49750F0540AAE905AB250D730AE41CF60

Function 00B61DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B61E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B61E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B61EA9

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

Strings

ComboBox, xrefs: 00B61DF0
ListBox, xrefs: 00B61E25

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 57fd5f26335c12092c019a965712dd798a17709f8d973821eb8f319b7a6d1650
Instruction ID: c77b8ea13ee42f7b782b78b32c7c46eb3aea335b9e6822797e29ed1834311884
Opcode Fuzzy Hash: 57fd5f26335c12092c019a965712dd798a17709f8d973821eb8f319b7a6d1650
Instruction Fuzzy Hash: C621F772A00104BEDB14AB68DC86DFFBBF8DF45350F184599F825A71E1DB398D499620

Function 00B92F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B92F8D
LoadLibraryW.KERNEL32(?), ref: 00B92F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B92FA9
DestroyWindow.USER32(?), ref: 00B92FB1

Strings

SysAnimate32, xrefs: 00B92F68

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ad226ce04589104894829df91790c256a52d643e38dc8f2d26fb2e1b88a6b478
Instruction ID: 95895d9f248fa12e36f0c2dd6c2a53e5df10a80ea99331ef3a45839f4887a8f9
Opcode Fuzzy Hash: ad226ce04589104894829df91790c256a52d643e38dc8f2d26fb2e1b88a6b478
Instruction Fuzzy Hash: 85218872A00205BBEF108F64DC80FBB77F9EB59364F104669F954931A0D771DC519760

Function 00B24D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B24D1E,00B328E9,?,00B24CBE,00B328E9,00BC88B8,0000000C,00B24E15,00B328E9,00000002), ref: 00B24D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B24DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00B24D1E,00B328E9,?,00B24CBE,00B328E9,00BC88B8,0000000C,00B24E15,00B328E9,00000002,00000000), ref: 00B24DC3

Strings

CorExitProcess, xrefs: 00B24D98
mscoree.dll, xrefs: 00B24D86

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 32950355d349429109b5588a145471e2324833df4d96fefd9cd32a4ff7cf5ccc
Instruction ID: 1c01dcf794c6425ae24f23be7de41e14802037b221dd8789f9abd89109e055d8
Opcode Fuzzy Hash: 32950355d349429109b5588a145471e2324833df4d96fefd9cd32a4ff7cf5ccc
Instruction Fuzzy Hash: 3CF04F34A54228BBDB119F90ED49BAEBFF5EF44751F4001A5F809A3661CF705D40CB94

Function 00B04E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B04EDD,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B04EAE
FreeLibrary.KERNEL32(00000000,?,?,00B04EDD,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00B04EA8
kernel32.dll, xrefs: 00B04E94

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e0d4fbb3031567d6d93a4d924f4635eca8120fb157cef8eac51fa289f8fcf017
Instruction ID: f4a0e7d5ae4bab7ddccf40ee640d601fda8aa4959172535510563e4c0d4d4bd7
Opcode Fuzzy Hash: e0d4fbb3031567d6d93a4d924f4635eca8120fb157cef8eac51fa289f8fcf017
Instruction Fuzzy Hash: 6DE08635A015325BD2211725BC18B6B6DD4EF81FA27050156FD04E3151DF64CD0240E4

Function 00B04E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B43CDE,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B04E74
FreeLibrary.KERNEL32(00000000,?,?,00B43CDE,?,00BD1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B04E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00B04E6E
kernel32.dll, xrefs: 00B04E5B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 452f403c73b25a3ced90c250ce9ea3ebf59e8f10861c11cd87abd7838a6ff8e0
Instruction ID: 3ab0eb2430a811ae2e8ff8083e6e08496c92d945a39d1e3dcfec8a13b7a2e7df
Opcode Fuzzy Hash: 452f403c73b25a3ced90c250ce9ea3ebf59e8f10861c11cd87abd7838a6ff8e0
Instruction Fuzzy Hash: C2D0C231502631578A221B24BC18E8B2E98EF81F1134501AABA08B31A1CF20CD0281D4

Function 00B8A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00B8A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B8A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B8A468
CloseHandle.KERNEL32(?), ref: 00B8A63D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 13daa5875318d645b0795d36c6de920b3333b802a655768519e8778c1ba721e4
Instruction ID: 20bb9534f8ec348d21f89d3cf29bf9bc96b7c22fae73982c0557ab6df826241b
Opcode Fuzzy Hash: 13daa5875318d645b0795d36c6de920b3333b802a655768519e8778c1ba721e4
Instruction Fuzzy Hash: C8A161716043019FE720EF18D886B2ABBE5AF44714F14899DF55A9B3D2DBB0EC41CB92

Function 00B3BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BA3700), ref: 00B3BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B3BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD1270,000000FF,?,0000003F,00000000,?), ref: 00B3BC36
_free.LIBCMT ref: 00B3BB7F

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B3BD4B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: b50e7ef4e05e30ad8a30d12f6f9dc4230ba14869ed4cfd25833b85ab4b1d70f5
Instruction ID: 7c57f415d5cff303a654219d503748932f40599562f0e3004b56242813e8a326
Opcode Fuzzy Hash: b50e7ef4e05e30ad8a30d12f6f9dc4230ba14869ed4cfd25833b85ab4b1d70f5
Instruction Fuzzy Hash: 6D51E771900219AFCB24EF699C81D6AB7FCEF44310F6006EBE654D7295EF305E408B50

Function 00B6E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B6CF22,?), ref: 00B6DDFD

Part of subcall function 00B6DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B6CF22,?), ref: 00B6DE16

Part of subcall function 00B6E199: GetFileAttributesW.KERNEL32(?,00B6CF95), ref: 00B6E19A

lstrcmpiW.KERNEL32(?,?), ref: 00B6E473
MoveFileW.KERNEL32(?,?), ref: 00B6E4AC
_wcslen.LIBCMT ref: 00B6E5EB
_wcslen.LIBCMT ref: 00B6E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B6E650

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d087b40e11296388d4d17bbdb7ed255c7fd7d9bdd0d422ccacdf05823f35e753
Instruction ID: 5694618d59bf7686b523a94965e2abca36e4936edd6431c2669b289b4bf0e5bf
Opcode Fuzzy Hash: d087b40e11296388d4d17bbdb7ed255c7fd7d9bdd0d422ccacdf05823f35e753
Instruction Fuzzy Hash: 795164B25083859BC724DBA0D8819DF77DCEF85340F00495EF699D3191EF78E5888B5A

Function 00B8B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B8C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8B6AE,?,?), ref: 00B8C9B5
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8C9F1
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA68
Part of subcall function 00B8C998: _wcslen.LIBCMT ref: 00B8CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B8BB63
RegCloseKey.ADVAPI32(?,?), ref: 00B8BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00B8BBB3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 51d2fca7e81283caecc04b6cc7f76586e0acd6c9c9cc9566c33ec3256a9a4e59
Instruction ID: 623ca05f5edd39b3a9f60b8f19d80714f3a4929a21fe5a0dd61150177331901d
Opcode Fuzzy Hash: 51d2fca7e81283caecc04b6cc7f76586e0acd6c9c9cc9566c33ec3256a9a4e59
Instruction Fuzzy Hash: F5617371208241EFD714EF24C491E2ABBE5FF84348F54899DF4994B2A2DB31ED45CB92

Function 00B68BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B68BCD
VariantClear.OLEAUT32 ref: 00B68C3E
VariantClear.OLEAUT32 ref: 00B68C9D
VariantClear.OLEAUT32(?), ref: 00B68D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B68D3B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: aec72abd2c4e742cea207d1adb1181d496165a49b8fee87ca49f5cc4a904de78
Instruction ID: d82922ee6dfca473ca756aa1749f286338933db1cce883a0f2b6846a6d4af427
Opcode Fuzzy Hash: aec72abd2c4e742cea207d1adb1181d496165a49b8fee87ca49f5cc4a904de78
Instruction Fuzzy Hash: E8516CB5A00219EFCB14CF58D894AAABBF5FF89310B158569F909DB350E734E911CFA0

Function 00B78AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B78BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B78BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B78C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B78C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B78C5F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 07261f9c95398c36c19fe5418344be53cddd525cdc7e6086bf32e3eb8aac177f
Instruction ID: 2f11a793d744326acb63095ca7da808f5381b86a64d745076844d91d8c3b871a
Opcode Fuzzy Hash: 07261f9c95398c36c19fe5418344be53cddd525cdc7e6086bf32e3eb8aac177f
Instruction Fuzzy Hash: D9515C35A002199FCB01DF64C885AADBBF5FF48314F08C499E849AB3A2CB31ED41CB90

Function 00B88EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B88F40
GetProcAddress.KERNEL32(00000000,?), ref: 00B88FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B88FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00B89032
FreeLibrary.KERNEL32(00000000), ref: 00B89052

Part of subcall function 00B1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B71043,?,7529E610), ref: 00B1F6E6
Part of subcall function 00B1F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B5FA64,00000000,00000000,?,?,00B71043,?,7529E610,?,00B5FA64), ref: 00B1F70D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 43fa8d88cf155101b420710b10c0bb15bb17e677490bcde69cb2903f18ebfdc6
Instruction ID: e197ae6ce64589cb7d1820601e8f1438f4f77f2eabff5287c6e31fb6b7d7d131
Opcode Fuzzy Hash: 43fa8d88cf155101b420710b10c0bb15bb17e677490bcde69cb2903f18ebfdc6
Instruction Fuzzy Hash: A9511635604205DFCB11EF58C4948A9BBF1FF49314B4980E9E90AAB3B2DB31ED85CB91

Function 00B96B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B96C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00B96C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B96C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00B7AB79,00000000,00000000), ref: 00B96C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B96CC7

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: a138c21b753f5be6618b341444b1cc133faf5daccfe8192974dae9a3200e6a77
Instruction ID: 969457b9625e866ffdd63419ac9a050f19ac6088931410c017418475da369a8c
Opcode Fuzzy Hash: a138c21b753f5be6618b341444b1cc133faf5daccfe8192974dae9a3200e6a77
Instruction Fuzzy Hash: 7741BE35A04104AFDF24CF28CD99FA97FF4EB0A350F1502B9F899A72A0D771AD41CA50

Function 00B32051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B320C3
_free.LIBCMT ref: 00B320E3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 98a472df3ecae868b16fee1c5cc2f87c368c4da918943cd75e9a2b30b19c6414
Instruction ID: 89b6dcd077102e185a79daed5a71a7b6c5a2867ae663191f7777db4b87c2f4cb
Opcode Fuzzy Hash: 98a472df3ecae868b16fee1c5cc2f87c368c4da918943cd75e9a2b30b19c6414
Instruction Fuzzy Hash: F941C332A00200AFCB24DF78C981A5EB7F5EF89714F2545E9E515EB351DB31AD01CB80

Function 00B1912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B19141
ScreenToClient.USER32(00000000,?), ref: 00B1915E
GetAsyncKeyState.USER32(00000001), ref: 00B19183
GetAsyncKeyState.USER32(00000002), ref: 00B1919D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 26719a7e8025004708cee8ff102d138f1efdf84257f840c39f65f22473e60db6
Instruction ID: bc1da055ae24af3df23a4c9b79332a9fe2334e4a27a03cade88a8bc6d6df7b0e
Opcode Fuzzy Hash: 26719a7e8025004708cee8ff102d138f1efdf84257f840c39f65f22473e60db6
Instruction Fuzzy Hash: 54416071A0855ABBDF159F64D858BEEB7B4FB05320F2042A5E825B32D0CB306D94CF91

Function 00B73874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00B73922
TranslateMessage.USER32(?), ref: 00B7394B
DispatchMessageW.USER32(?), ref: 00B73955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B73966

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 0d7f83e1b7f8e48f848b650ccd7a797f96825fdb8ccb1f8084aab2a6128565a0
Instruction ID: ef3a2752ef3602e8a240051d4952f0f8e93d31d614ea55a876cc4c98a5245408
Opcode Fuzzy Hash: 0d7f83e1b7f8e48f848b650ccd7a797f96825fdb8ccb1f8084aab2a6128565a0
Instruction Fuzzy Hash: EC311970505341BEEB34CB34D858BB67BE4EB15700F0485AED57B831D0EBB59A84EB21

Function 00B7CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00B7CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00B7CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00B7C21E,00000000), ref: 00B7CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B7C21E,00000000), ref: 00B7CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B7C21E,00000000), ref: 00B7CFF2

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: bdde8c85e89851e3b9b1f17e3535fca7708610552c712f9fd0c2ebd33163a68c
Instruction ID: 195efefb96c8ce59bdf10b467079cd9c32c02afc359a699f252e383797c98305
Opcode Fuzzy Hash: bdde8c85e89851e3b9b1f17e3535fca7708610552c712f9fd0c2ebd33163a68c
Instruction Fuzzy Hash: 05318C71604205EFDB20DFA5D984AABBFF9EF14350B1084AEF52AD7141DB30AE48DB60

Function 00B61901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B61915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00B619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00B619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00B619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B619E2

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a78182ce9a4c721ea41361a34eb43b0533212d6a0b33eb72347f011a37dfe3fb
Instruction ID: 1f39d82ae47eebcdb55e84744d2abe9c268479f4cb556030312a26740a5296e1
Opcode Fuzzy Hash: a78182ce9a4c721ea41361a34eb43b0533212d6a0b33eb72347f011a37dfe3fb
Instruction Fuzzy Hash: 8231C072A00219EFCB00CFACCD99ADE3BB5EB44315F148669FA25A72D1C7749945CB90

Function 00B95706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B95745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B9579D
_wcslen.LIBCMT ref: 00B957AF
_wcslen.LIBCMT ref: 00B957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B95816

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 63153c9cb9c8258f74dfa9be5a334052b6978f031db3413a5eaade3fd7a8d869
Instruction ID: d9bb7ef7f3bc28716e38ba6f1fe338dae1e754c7a17e70a94e4bd00993c24c24
Opcode Fuzzy Hash: 63153c9cb9c8258f74dfa9be5a334052b6978f031db3413a5eaade3fd7a8d869
Instruction Fuzzy Hash: AE21A7719446189ADF318FA4DC84AED7BF8FF04720F1081A6E929DB2C5D7709A85CF50

Function 00B80930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B80951
GetForegroundWindow.USER32 ref: 00B80968
GetDC.USER32(00000000), ref: 00B809A4
GetPixel.GDI32(00000000,?,00000003), ref: 00B809B0
ReleaseDC.USER32(00000000,00000003), ref: 00B809E8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6485b117a719e649b6149c83da65a834568f42ec82ad14930d17168d79716052
Instruction ID: 7b7ab910e80564c320e7709e201a657c31d3d55700cd9fbd226a7a993d57d057
Opcode Fuzzy Hash: 6485b117a719e649b6149c83da65a834568f42ec82ad14930d17168d79716052
Instruction Fuzzy Hash: 73218135600214AFD714EF69C984EAEBBF5EF48740F0484ADE85A97362DB30AC44CB50

Function 00B3CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B3CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B3CDE9

Part of subcall function 00B33820: RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B3CE0F
_free.LIBCMT ref: 00B3CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B3CE31

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 5ca7ae2ec16ef0ca159581980e9f67224bb13a71240fa7191651f323d632b6fb
Instruction ID: 334211fda0c45b3d1601c49914bd13fa3c19fbf4e74c3325095487d20845ccfa
Opcode Fuzzy Hash: 5ca7ae2ec16ef0ca159581980e9f67224bb13a71240fa7191651f323d632b6fb
Instruction Fuzzy Hash: 400188726012357F23212AF66C88D7B7DEDDEC6BA173501AAF905E7201DE619D0193B4

Function 00B19639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B19693
SelectObject.GDI32(?,00000000), ref: 00B196A2
BeginPath.GDI32(?), ref: 00B196B9
SelectObject.GDI32(?,00000000), ref: 00B196E2

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c7941889aead8d02274facac6c2abedab63897b70cd4fdf10da66a5ca1692a8a
Instruction ID: 8064d8334694f9e4619aacbcadb6bb57b202186da6f83f6cede3355bbb679b21
Opcode Fuzzy Hash: c7941889aead8d02274facac6c2abedab63897b70cd4fdf10da66a5ca1692a8a
Instruction Fuzzy Hash: B621AF30902345EBDB11DF68ED347E9BBA8FB01361F900657F810A30B1EB785892CBA4

Function 00B65711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B65726
_memcmp.LIBVCRUNTIME ref: 00B65744
_memcmp.LIBVCRUNTIME ref: 00B65757
_memcmp.LIBVCRUNTIME ref: 00B6576F
_memcmp.LIBVCRUNTIME ref: 00B65787

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 86484f3ac66d50d6f58fbd19d6ffd67edf29ebfaf2fb9eaa8453464da0644750
Instruction ID: 47cb1c041a0fff6f94d0060a66bb61943dbd7b8cd0e032c9395d7a0f3be33f2e
Opcode Fuzzy Hash: 86484f3ac66d50d6f58fbd19d6ffd67edf29ebfaf2fb9eaa8453464da0644750
Instruction Fuzzy Hash: C901B57174161ABBD6289914AD82FBB73DDDB313B4F0044B0FD08AA641F765ED3082E4

Function 00B1990C Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B198CC
SetTextColor.GDI32(?,?), ref: 00B198D6
SetBkMode.GDI32(?,00000001), ref: 00B198E9
GetStockObject.GDI32(00000005), ref: 00B198F1
GetWindowLongW.USER32(?,000000EB), ref: 00B19952

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 57dceeaf3196fdae855cfd66e586ee230472525c19ed470a2ec5896d6d9b355a
Instruction ID: 164571f58c0e07367ec3addc1daf1bb3e9870aca516c91566b3e5358442ea71d
Opcode Fuzzy Hash: 57dceeaf3196fdae855cfd66e586ee230472525c19ed470a2ec5896d6d9b355a
Instruction Fuzzy Hash: 0A1127321462905FCB128F64EC78EE93FA4EB133A1B88409EE682CB1B1DB214881CB51

Function 00B32DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B2F2DE,00B33863,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6), ref: 00B32DFD
_free.LIBCMT ref: 00B32E32
_free.LIBCMT ref: 00B32E59
SetLastError.KERNEL32(00000000,00B01129), ref: 00B32E66
SetLastError.KERNEL32(00000000,00B01129), ref: 00B32E6F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 30967cc4c2f06b4f3fe715bdd2d3cbca1f871076d07a94091dc430fbc164300c
Instruction ID: a83a0959d392e184bfeb8eb0f859f7e00f0fdbd80275f35663b293fe96bab97a
Opcode Fuzzy Hash: 30967cc4c2f06b4f3fe715bdd2d3cbca1f871076d07a94091dc430fbc164300c
Instruction Fuzzy Hash: 550128362456207BC6122775BD87E2B3AEDEBD57B1F3501E9F825A32E2EF708C015020

Function 00B6000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?,?,00B6035E), ref: 00B6002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?), ref: 00B60064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B5FF41,80070057,?,?), ref: 00B60070

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2913a8cc601da22d45ded0fccd3b2b3e7640621e5c1233e3c4da625db49454e0
Instruction ID: d9d06f36078e3fee15963d0fdb70ade6ec62b48cde7a4639d236857860331b4b
Opcode Fuzzy Hash: 2913a8cc601da22d45ded0fccd3b2b3e7640621e5c1233e3c4da625db49454e0
Instruction Fuzzy Hash: 79018F72620208BFDB115F6ADD44BAB7EEDEB44791F144165F905D3210DB79DD408BA0

Function 00B6E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B6E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00B6E9A5
Sleep.KERNEL32(00000000), ref: 00B6E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00B6E9B7
Sleep.KERNEL32 ref: 00B6E9F3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 00e106e358039a0b321e9e5cb675c520d2a356065148b0ebbfb4a398b6737deb
Instruction ID: d1437ffa828f1fa895450b0957cc1726840bf0517572b41404e554fc2e04cd0a
Opcode Fuzzy Hash: 00e106e358039a0b321e9e5cb675c520d2a356065148b0ebbfb4a398b6737deb
Instruction Fuzzy Hash: F5015735C01629DBCF00AFE4D959AEDBBB8FF08700F400586E512B3290CB389650CBA5

Function 00B610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B6112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B60B9B,?,?,?), ref: 00B61136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B6114D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: afe97fa1e13e85a3f0eacec5a2afad945a491575e3db15e96a65caebdc1e7168
Instruction ID: b436a228c52e911447d0c365246d4f6c79af39e7c0b2c903c28bd7793970aa6a
Opcode Fuzzy Hash: afe97fa1e13e85a3f0eacec5a2afad945a491575e3db15e96a65caebdc1e7168
Instruction Fuzzy Hash: B6018175100205BFDB114FA8DD49E6A3FAEEF86360B644456FA41D3360DF35DC008A60

Function 00B60FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B60FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B60FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B60FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B60FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B61002

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 248b2128faf5a005f81379a00be1763d8c56349667d3eb9aa2c958626032aa65
Instruction ID: 4d59191837dbc85a51ec221d4121935bbcc0a513e16f4a7cf0c55e47fc64d6c2
Opcode Fuzzy Hash: 248b2128faf5a005f81379a00be1763d8c56349667d3eb9aa2c958626032aa65
Instruction Fuzzy Hash: 3AF04935200311ABDB214FA89E49F5A3FADEF89762F644856FA45D7261CE74DC408A70

Function 00B61014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B6102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B61036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B6104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61062

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: afdc00eb32bdeabb610d6a00fa9de064aa53d43a20743c3bbf3a102e7e768761
Instruction ID: a44b2dffbff253dc024d23d3403597c3baeba1387b582fd94b20f4857943c787
Opcode Fuzzy Hash: afdc00eb32bdeabb610d6a00fa9de064aa53d43a20743c3bbf3a102e7e768761
Instruction Fuzzy Hash: 46F06D35200311EBDB215FA8EE49F5A3FADEF89761F240826FA45D7260CE74D8408AB0

Function 00B7030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B70324
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B70331
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B7033E
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B7034B
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B70358
CloseHandle.KERNEL32(?,?,?,?,00B7017D,?,00B732FC,?,00000001,00B42592,?), ref: 00B70365

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 59c39a9beff881673ac16f78ac1b7cf5b98b520af1fd47cd20316809862536af
Instruction ID: 59e934748ed2b5038b0b78af9d4a0e169a6d6461a7ae76c24cc39e02f1ab22ae
Opcode Fuzzy Hash: 59c39a9beff881673ac16f78ac1b7cf5b98b520af1fd47cd20316809862536af
Instruction Fuzzy Hash: 07019C72810B15DFCB30AF66D880812FBF9FF642153168A7FD1AA52931C7B1A958CE84

Function 00B3D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3D752

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B3D764
_free.LIBCMT ref: 00B3D776
_free.LIBCMT ref: 00B3D788
_free.LIBCMT ref: 00B3D79A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3cd16cce6f29d60a1f29f630177a07f31582e221adf72c1185aae947f41025eb
Instruction ID: da4510302fef9781029e7212badcf2996a011a91e52a5064a2d14e606fc9f7b4
Opcode Fuzzy Hash: 3cd16cce6f29d60a1f29f630177a07f31582e221adf72c1185aae947f41025eb
Instruction Fuzzy Hash: 9DF01D72544218EBC621EB68F9C6D2A7BDDFB58710FB40995F048E7602CB30FC808A64

Function 00B65C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B65C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B65C6F
MessageBeep.USER32(00000000), ref: 00B65C87
KillTimer.USER32(?,0000040A), ref: 00B65CA3
EndDialog.USER32(?,00000001), ref: 00B65CBD

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ceca2f149b7bb1d3e0ae861845020c04b38063c2485f7498ced9e89c308e0f23
Instruction ID: fd4303629500b39fc444cd16ded81abd51343a741a603caf6f8ccccbcf85a38f
Opcode Fuzzy Hash: ceca2f149b7bb1d3e0ae861845020c04b38063c2485f7498ced9e89c308e0f23
Instruction Fuzzy Hash: 94013670500B04AFEB315B50DE8EFA67FF8FB04B05F04159AA583A24E1DFF4A9948B90

Function 00B322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B322BE

Part of subcall function 00B329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000), ref: 00B329DE
Part of subcall function 00B329C8: GetLastError.KERNEL32(00000000,?,00B3D7D1,00000000,00000000,00000000,00000000,?,00B3D7F8,00000000,00000007,00000000,?,00B3DBF5,00000000,00000000), ref: 00B329F0

_free.LIBCMT ref: 00B322D0
_free.LIBCMT ref: 00B322E3
_free.LIBCMT ref: 00B322F4
_free.LIBCMT ref: 00B32305

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b56149bd3e97b0ef0763abb586f6d386c247a455f60685cabe5338eaa1f0f391
Instruction ID: e1ee3054f971aef0b1db17f4ae7cd4ace5fcb9ba725cd36e1c08e31ac2382ac1
Opcode Fuzzy Hash: b56149bd3e97b0ef0763abb586f6d386c247a455f60685cabe5338eaa1f0f391
Instruction Fuzzy Hash: 5CF03AB58121309B8612BF58BC11A1DBFE4F728760F210A9BF414D33B1EF310812ABA4

Function 00B195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B195D4
StrokeAndFillPath.GDI32(?,?,00B571F7,00000000,?,?,?), ref: 00B195F0
SelectObject.GDI32(?,00000000), ref: 00B19603
DeleteObject.GDI32 ref: 00B19616
StrokePath.GDI32(?), ref: 00B19631

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 03262f385afcad672c1cb301d3512ee4f9cdd5f51da0eb0bf235c817dc68ebec
Instruction ID: 39d8c3067f74dc70bdeb33da8d407895eedac8e515d7be91b80c7e6860b79154
Opcode Fuzzy Hash: 03262f385afcad672c1cb301d3512ee4f9cdd5f51da0eb0bf235c817dc68ebec
Instruction Fuzzy Hash: 22F0F630006244EBDB125F69EE387A47FA1EB00322F448256E425660F1DF388992DF34

Function 00B30F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B310F9
__freea.LIBCMT ref: 00B31117

Part of subcall function 00B31537: _free.LIBCMT ref: 00B3154F

Strings

am/pm, xrefs: 00B3117A
a/p, xrefs: 00B311DE

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: a658ad56843bea1388a4813e294753968db80ac93b5c2860f0b7fb146287276f
Instruction ID: cf9480f8558b4bb2ffb87eedb1cff964619330b7a136c85f18804aa464359cc5
Opcode Fuzzy Hash: a658ad56843bea1388a4813e294753968db80ac93b5c2860f0b7fb146287276f
Instruction Fuzzy Hash: E0D10235900206EACB289F6CC895BFEB7F8EF05700F3849D9E901AB650D7359D80CBA5

Function 00B87B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00B20242: EnterCriticalSection.KERNEL32(00BD070C,00BD1884,?,?,00B1198B,00BD2518,?,?,?,00B012F9,00000000), ref: 00B2024D
Part of subcall function 00B20242: LeaveCriticalSection.KERNEL32(00BD070C,?,00B1198B,00BD2518,?,?,?,00B012F9,00000000), ref: 00B2028A

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B200A3: __onexit.LIBCMT ref: 00B200A9

__Init_thread_footer.LIBCMT ref: 00B87BFB

Part of subcall function 00B201F8: EnterCriticalSection.KERNEL32(00BD070C,?,?,00B18747,00BD2514), ref: 00B20202
Part of subcall function 00B201F8: LeaveCriticalSection.KERNEL32(00BD070C,?,00B18747,00BD2514), ref: 00B20235

Strings

Variable must be of type 'Object'., xrefs: 00B87C3A
G, xrefs: 00B87C7F
5, xrefs: 00B87C78

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: f8e80aaca90dc8fab2ac28e80308d4b6655ae0fe916867e70a28a62455b9b825
Instruction ID: 388cfc4d1e969d94bd7cf3f11c6ce3eaba237958980aa9721c7904980f1851c4
Opcode Fuzzy Hash: f8e80aaca90dc8fab2ac28e80308d4b6655ae0fe916867e70a28a62455b9b825
Instruction Fuzzy Hash: CC914974A44209EFCB14EF54D8919ADBBF1EF45308F2480D9F806AB2A2DB71EE41DB51

Function 00B62716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B621D0,?,?,00000034,00000800,?,00000034), ref: 00B6B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B62760

Part of subcall function 00B6B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00B6B3F8

Part of subcall function 00B6B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00B6B355
Part of subcall function 00B6B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B62194,00000034,?,?,00001004,00000000,00000000), ref: 00B6B365
Part of subcall function 00B6B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B62194,00000034,?,?,00001004,00000000,00000000), ref: 00B6B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B6281A

Strings

@, xrefs: 00B62832

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2617d0f8f4c1011f5ffa67cfcce8ba40cb55023c94f1ad461f43c429c497bb9c
Instruction ID: dfd7fb9b7bb628c5ca7a26369576aa65682cbfd39ec91dcf8aa3afc054394406
Opcode Fuzzy Hash: 2617d0f8f4c1011f5ffa67cfcce8ba40cb55023c94f1ad461f43c429c497bb9c
Instruction Fuzzy Hash: 71410C76900218AFDB10DFA4CD46EEEBBB8EF09700F108095FA55B7181DB746E85CBA1

Function 00B3172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LisectAVT_2403002A_460.exe,00000104), ref: 00B31769
_free.LIBCMT ref: 00B31834
_free.LIBCMT ref: 00B3183E

Strings

C:\Users\user\Desktop\LisectAVT_2403002A_460.exe, xrefs: 00B31760, 00B31767, 00B31796, 00B317CE

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\LisectAVT_2403002A_460.exe
API String ID: 2506810119-4254619740
Opcode ID: 5f281b01c0795796ff82b76c2485eabb03781b70e1c74d881ce826b201375346
Instruction ID: 88ec7ecd993728cd821f0f6fcf7d59c9ccf9877880be2d521a750a12f879925a
Opcode Fuzzy Hash: 5f281b01c0795796ff82b76c2485eabb03781b70e1c74d881ce826b201375346
Instruction Fuzzy Hash: 3A315EB5A41218FBDB21DB9D9C85D9EBBFCEB85310F2445E7F804A7211EA709E40CB94

Function 00B6C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B6C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00B6C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BD1990,01436300), ref: 00B6C395

Strings

0, xrefs: 00B6C2DF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e7a4875a23726b53a0dff5b75b6fbbff9cb041fdfc7e855053a07acfd37b0f91
Instruction ID: f708a4e7eafe14a01c2096e1113998f9d80e9cb622a00c500905040abb6c062e
Opcode Fuzzy Hash: e7a4875a23726b53a0dff5b75b6fbbff9cb041fdfc7e855053a07acfd37b0f91
Instruction Fuzzy Hash: 90418F312043019FD720DF25D885B6ABFE8EB85310F14869EF9A5973D2D734E904CB6A

Function 00B94416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B9CC08,00000000,?,?,?,?), ref: 00B944AA
GetWindowLongW.USER32 ref: 00B944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B944D7

Strings

SysTreeView32, xrefs: 00B9447C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c9ab9499ac80881fb3410e5bb26a5d3d215ceb28801a331b1c0f821d7664bdcf
Instruction ID: 4775337ce0a872c2c7127aec7076b00d9ab1d7f637e0b6f6bf811bb084e51aa7
Opcode Fuzzy Hash: c9ab9499ac80881fb3410e5bb26a5d3d215ceb28801a331b1c0f821d7664bdcf
Instruction Fuzzy Hash: A2317C31210205ABDF208E78DC85FEA7BE9EB09324F214765F979A32E0DB70EC519B50

Function 00B8304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B83077,?,?), ref: 00B83378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B8307A
_wcslen.LIBCMT ref: 00B8309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00B83106

Strings

255.255.255.255, xrefs: 00B83095, 00B8309A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6618ce215cd6a67e23e625f8423dfc424168b9bb87caa7c746551275deb03db4
Instruction ID: 6b0edb380842aaddfa2513a32ed9ad8d57e594ff39657f30df1aedb6e44a49cc
Opcode Fuzzy Hash: 6618ce215cd6a67e23e625f8423dfc424168b9bb87caa7c746551275deb03db4
Instruction Fuzzy Hash: 0E31AF356042059FCB10EF28C5C5FAA7BE1EF14F18F248099E9169B3A2DB72EE41C760

Function 00B93EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B93F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B93F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B93F78

Strings

SysMonthCal32, xrefs: 00B93F0B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3c9a2a4e0962d05db3ab4b883fdeb397688a0d0a1afcb269939b06e8d7756fd7
Instruction ID: 5e63877e87f81089541ebd399428917da6764860b07c01f96e52ff77efcaa4fb
Opcode Fuzzy Hash: 3c9a2a4e0962d05db3ab4b883fdeb397688a0d0a1afcb269939b06e8d7756fd7
Instruction Fuzzy Hash: ED219F32600219BBDF218F54CC86FEA3BB9EB48714F110265FA156B1D0DAB5A9508BA0

Function 00B94653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B94705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B94713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B9471A

Strings

msctls_updown32, xrefs: 00B94684

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3acd9b85357ca11d6b83ba66ebbfbd026c62af0d2fe6e74804073c16ff0a328f
Instruction ID: a948efccb8a39b015e0a96ef882ecdc086d1ed79c13c665094ae4e25d4e69dd2
Opcode Fuzzy Hash: 3acd9b85357ca11d6b83ba66ebbfbd026c62af0d2fe6e74804073c16ff0a328f
Instruction Fuzzy Hash: F22160B5600208AFDB10DF68DCD1DBB37EDEB4A394B040499FA009B291DB34EC12CA60

Function 00B695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B6961D

Strings

#requireadmin, xrefs: 00B695D9
#notrayicon, xrefs: 00B695B7
#OnAutoItStartRegister, xrefs: 00B695F3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4b86a327c4d0ad3ad5004230fc4f0fa579274549090a3c8479e3307ee216348a
Instruction ID: d86f3d447279fba3024032597a0574bf58f44c6292cd6fd17a4556e7e6bd1bc1
Opcode Fuzzy Hash: 4b86a327c4d0ad3ad5004230fc4f0fa579274549090a3c8479e3307ee216348a
Instruction Fuzzy Hash: DA213572204721A6C731AA24DC42FBBB3DCEFA1310F1440BAF94AD7081EBB9AD45C295

Function 00B937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B93840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B93850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B93876

Strings

Listbox, xrefs: 00B9380F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9f047c0b95823048dec75747250bc1d89187247d51918ea2a22914834b2c0689
Instruction ID: ec449ad898127661203eba87675e36484613eb4220b409608dfeaa3229d225bd
Opcode Fuzzy Hash: 9f047c0b95823048dec75747250bc1d89187247d51918ea2a22914834b2c0689
Instruction Fuzzy Hash: BB21A472610118BBEF218F94CC85FBB3BEEEF89B54F108165F9059B190DA76DC5187A0

Function 00B749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B74A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B74A5C
SetErrorMode.KERNEL32(00000000,?,?,00B9CC08), ref: 00B74AD0

Strings

%lu, xrefs: 00B74A6F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 0d04489ce236d0857ee3fd80f3b4a67ffe69f91629c24795da2c51e83cdbec3c
Instruction ID: cbf78ec5fc2d51587b339ae2b05575f5976f8bc0c0025e11bb66d99f25d1b687
Opcode Fuzzy Hash: 0d04489ce236d0857ee3fd80f3b4a67ffe69f91629c24795da2c51e83cdbec3c
Instruction Fuzzy Hash: D6312375A00109AFDB10DF54C985EAA7BF8EF09304F1480E5F909DB2A2DB75ED45CB61

Function 00B941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B9424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B94264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B94271

Strings

msctls_trackbar32, xrefs: 00B94226

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3edd1a41a1a81572c85ef822661fba0da5f2f039ecc9984209142cf06e0784ac
Instruction ID: c4dfe5824870c8e0d5f77931f29e00723c5fe9a9a91f7b8b44b21e5b221b5bba
Opcode Fuzzy Hash: 3edd1a41a1a81572c85ef822661fba0da5f2f039ecc9984209142cf06e0784ac
Instruction Fuzzy Hash: DE11E332250208BEEF205F29CC46FAB3BECEF85B54F110524FA55E60A0D671DC529B20

Function 00B62F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B06B57: _wcslen.LIBCMT ref: 00B06B6A

Part of subcall function 00B62DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B62DC5
Part of subcall function 00B62DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B62DD6
Part of subcall function 00B62DA7: GetCurrentThreadId.KERNEL32 ref: 00B62DDD
Part of subcall function 00B62DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B62DE4

GetFocus.USER32 ref: 00B62F78

Part of subcall function 00B62DEE: GetParent.USER32(00000000), ref: 00B62DF9

GetClassNameW.USER32(?,?,00000100), ref: 00B62FC3
EnumChildWindows.USER32(?,00B6303B), ref: 00B62FEB

Strings

%s%d, xrefs: 00B62FFF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: cdcb51dd220fa58bb2a98c7494c27d5f2a24a4a9b1e6195ef46ee90fd027a25d
Instruction ID: f9bd64c85e701573ee32672d54ba3d36b9ce4a8cd4536ca60925506c189f45c7
Opcode Fuzzy Hash: cdcb51dd220fa58bb2a98c7494c27d5f2a24a4a9b1e6195ef46ee90fd027a25d
Instruction Fuzzy Hash: BC11A2B56002056BDF157F64CC86FEE3BEAEF94304F0440B5F9099B1A2DE3499498B60

Function 00B95882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B958EE
DrawMenuBar.USER32(?), ref: 00B958FD

Strings

0, xrefs: 00B9588F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 1e99788f944af454b4b4210565318e85208a094716a7f66b547a4d62d4707d39
Instruction ID: a62a92deb9851045193a990232e71682a0156893f4ff4efa8430686b6ba732bf
Opcode Fuzzy Hash: 1e99788f944af454b4b4210565318e85208a094716a7f66b547a4d62d4707d39
Instruction Fuzzy Hash: B2015B32500218EFDF229F21DC85BAEBBB4FB45760F1080EAE849D6251DB308A84DF31

Function 00B5D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00B5D3BF
FreeLibrary.KERNEL32 ref: 00B5D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 00B5D3B9
X64, xrefs: 00B5D2A8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 66b46688b97ce92142c506a6ed88213564f37a823cc2b64f4aaf35e97b0b157d
Instruction ID: 789a720242f28ce24ff0a61fc8751910f54e350de271804dccdd119d06f2485e
Opcode Fuzzy Hash: 66b46688b97ce92142c506a6ed88213564f37a823cc2b64f4aaf35e97b0b157d
Instruction Fuzzy Hash: 4AF05522405A11ABC7345710CC88B6937E4EF21703FA083DEF806F20A4EB61CD8CCE4A

Function 00B6007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cad3813af27bee60ff9e8af489ba4bca701914ccbf23bf859b069e024fddeb
Instruction ID: 1810d8d51bb1d1ea68e245d8503b5a709c6ae5358e4995ca0cb14e0f7568b9cc
Opcode Fuzzy Hash: 84cad3813af27bee60ff9e8af489ba4bca701914ccbf23bf859b069e024fddeb
Instruction Fuzzy Hash: 3AC14875A1020AAFCB14DFA9C894AAEB7F5FF48304F2085D8E505EB251D735EE41CB90

Function 00B8342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B83459
CoUninitialize.OLE32 ref: 00B83463
VariantInit.OLEAUT32(?), ref: 00B8346E
VariantClear.OLEAUT32(?), ref: 00B8371B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 28a3d0ba6b989a582bedc6b4509d7ab1b83d257dffe5133a8d3d01cf3c2b8869
Instruction ID: 4a68c1649227ecb75a49a70114c2a3deee8778aa311385497be5d5e71d51a7b2
Opcode Fuzzy Hash: 28a3d0ba6b989a582bedc6b4509d7ab1b83d257dffe5133a8d3d01cf3c2b8869
Instruction Fuzzy Hash: 84A13D756143019FC700EF28C995A6ABBE5FF88B14F048899F9499B3A2DB30EE45CB51

Function 00B60436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B9FC08,?), ref: 00B605F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B9FC08,?), ref: 00B60608
CLSIDFromProgID.OLE32(?,?,00000000,00B9CC40,000000FF,?,00000000,00000800,00000000,?,00B9FC08,?), ref: 00B6062D
_memcmp.LIBVCRUNTIME ref: 00B6064E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0d56f4da44ac5bd7330d1e48b1d70b4f5b204879a751cc5c621361cf6d5c11a6
Instruction ID: 3963a41d749c590653540d95eb1ad9b2bb13e9f2c7b97dfb487859f1f8a2b123
Opcode Fuzzy Hash: 0d56f4da44ac5bd7330d1e48b1d70b4f5b204879a751cc5c621361cf6d5c11a6
Instruction Fuzzy Hash: F9810971A10109EFCB04DF94C984EEEB7F9FF89315F208599E506AB250DB75AE06CB60

Function 00B41391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B414C0

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3c0c3d3902c74bf92686b2889d0aa118d477b3424dd95a02941bfcb6bd46c36e
Instruction ID: cbea2e3baafc13e98616ba95cf7f682beb9df0fd94d979a84de43ba83f543e0a
Opcode Fuzzy Hash: 3c0c3d3902c74bf92686b2889d0aa118d477b3424dd95a02941bfcb6bd46c36e
Instruction Fuzzy Hash: 49414D31E00121ABDB216BBDAC456BE3AF4EF42370F244AF5F41DD6391E7744A817A61

Function 00B96278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0143F610,?), ref: 00B962E2
ScreenToClient.USER32(?,?), ref: 00B96315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B96382

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 73c2ac34119f18fe0327c01faf0cc43e6a01b5e2647b0ccd782d4232f01624ed
Instruction ID: b0bd06143b5bf2ecc708ef792dde452784ab861c8170fd3c65c86ce92fa23436
Opcode Fuzzy Hash: 73c2ac34119f18fe0327c01faf0cc43e6a01b5e2647b0ccd782d4232f01624ed
Instruction Fuzzy Hash: 52510C74904209AFDF14DF68D9909AE7BF5EB45360F1085AAF815972A1D730ED41CB50

Function 00B81AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B81AFD
WSAGetLastError.WSOCK32 ref: 00B81B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B81B8A
WSAGetLastError.WSOCK32 ref: 00B81B94

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a186e949af0faa66a7455e16b872299344c1ac2409198ce3b29b1250a5a48391
Instruction ID: e27a6b2e4ac4d4ccb6abb8b166c3ac11b42195d188809a50df8506ac28acc40f
Opcode Fuzzy Hash: a186e949af0faa66a7455e16b872299344c1ac2409198ce3b29b1250a5a48391
Instruction Fuzzy Hash: 4B4185746402006FD720AF24C886F657BE5EB44718F5485D8F51A9F3D2D772DD82CB91

Function 00B3B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43260c8f43fca8cf621919cd5c26bedf6a13b01b2225776708db6f98b380f41
Instruction ID: 999a067dd00fa8febc0e8683dd4b7d39724a731794813fd1ca1f2f768b9e6cf8
Opcode Fuzzy Hash: d43260c8f43fca8cf621919cd5c26bedf6a13b01b2225776708db6f98b380f41
Instruction Fuzzy Hash: 12410676A00314BFD7249F38CC41F6ABBE9EB88710F2045AEF255DB382D77199418780

Function 00B756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B75783
GetLastError.KERNEL32(?,00000000), ref: 00B757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B757FA

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3a1db63888cc0ff18129af9a8a02bf0569ef1f36f02b4513680c2864bef2e4f7
Instruction ID: 3c92c63fe48e47265c071f458f24be87c150101c5378523a1737bde7983e70ec
Opcode Fuzzy Hash: 3a1db63888cc0ff18129af9a8a02bf0569ef1f36f02b4513680c2864bef2e4f7
Instruction Fuzzy Hash: 0F411D39610610DFCB21DF15C554A5EBBE2EF99720B19C4C8E85AAB3A2CB74FD40CB91

Function 00B3D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00B26D71,00000000,00000000,00B282D9,?,00B282D9,?,00000001,00B26D71,8BE85006,00000001,00B282D9,00B282D9), ref: 00B3D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B3D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B3D9AB
__freea.LIBCMT ref: 00B3D9B4

Part of subcall function 00B33820: RtlAllocateHeap.NTDLL(00000000,?,00BD1444,?,00B1FDF5,?,?,00B0A976,00000010,00BD1440,00B013FC,?,00B013C6,?,00B01129), ref: 00B33852

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 40c12f1d7db05380b1b172ac84fc3a22c0476b0d4b9b338aea557744bc4e4c89
Instruction ID: cee5722286be19968c40c08a1c5abe8a40b902718f89bc01957e68ea1ff61dc8
Opcode Fuzzy Hash: 40c12f1d7db05380b1b172ac84fc3a22c0476b0d4b9b338aea557744bc4e4c89
Instruction Fuzzy Hash: 0D31E172A0021AABDF25DF64EC81EAE7BE5EB40310F2502A8FC04D7250EB35CD50CBA0

Function 00B952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00B95352
GetWindowLongW.USER32(?,000000F0), ref: 00B95375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B95382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B953A8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c51da73b0b42c7d5e3ba33cb3c99122fc8edc6fd4473ae3ba7a3382c17748fe8
Instruction ID: 258b0f02bb8c653d6bd81754d2bad2d6c9f8d640dada061bf933ce7d6a409e51
Opcode Fuzzy Hash: c51da73b0b42c7d5e3ba33cb3c99122fc8edc6fd4473ae3ba7a3382c17748fe8
Instruction Fuzzy Hash: 4131F230AD9A0CEFEF329F14CC55BE877E5EB05390F5841A2FA02871E1C7B099809B59

Function 00B6AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00B6ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B6AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B6AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00B6ACC6

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c295ba6e6273dec1f50415b81457e90cd50f4408a50371ff9a1bcbf160c27f59
Instruction ID: 38f0c6c9fdb8566b9021169615f9800a592898d0922af64ee469ee0d0a0d12c4
Opcode Fuzzy Hash: c295ba6e6273dec1f50415b81457e90cd50f4408a50371ff9a1bcbf160c27f59
Instruction Fuzzy Hash: EF310730A047186FEF35CB658C05BFA7BE9EB89310F04439AE485A31D1C37DD9859B52

Function 00B97674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B9769A
GetWindowRect.USER32(?,?), ref: 00B97710
PtInRect.USER32(?,?,00B98B89), ref: 00B97720
MessageBeep.USER32(00000000), ref: 00B9778C

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 6e2550aa3ba97b77edcecd87aae8281d8764b3d02d3dc1d8f5e96a8fabc7ce27
Instruction ID: bdb64018c57b7a7a1b5ca4bb151e85f6028e797fad532406ac0da8d0ab63b120
Opcode Fuzzy Hash: 6e2550aa3ba97b77edcecd87aae8281d8764b3d02d3dc1d8f5e96a8fabc7ce27
Instruction Fuzzy Hash: 2F417E34655214EFCF01CF98C8A4EA9BBF5FB49314F1540F9E4249B261DB38AD42CB90

Function 00B916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B916EB

Part of subcall function 00B63A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B63A57
Part of subcall function 00B63A3D: GetCurrentThreadId.KERNEL32 ref: 00B63A5E
Part of subcall function 00B63A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B625B3), ref: 00B63A65

GetCaretPos.USER32(?), ref: 00B916FF
ClientToScreen.USER32(00000000,?), ref: 00B9174C
GetForegroundWindow.USER32 ref: 00B91752

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b95a25ab9ddb615be82036166a62bf8162d777af743e05ca5d4799c7765731b2
Instruction ID: e4795a8dbd2713df25b6cdd399e73d6f8df542ea05fcae7249a591d5117ffe34
Opcode Fuzzy Hash: b95a25ab9ddb615be82036166a62bf8162d777af743e05ca5d4799c7765731b2
Instruction Fuzzy Hash: 9A3154B5D00149AFDB00DFA9C981CAEBBF9EF48304B5084EAE415E7251DB35DE45CBA1

Function 00B6D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B6D501
Process32FirstW.KERNEL32(00000000,?), ref: 00B6D50F
Process32NextW.KERNEL32(00000000,?), ref: 00B6D52F
CloseHandle.KERNEL32(00000000), ref: 00B6D5DC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d2b4bb28747ca05320e75c7f5fbd2a6bc5ee7bd0588122174aa1559bb6c1fb10
Instruction ID: 9566c9e31ac5004d904c7e54a3a954c2b968b2168f715983df8928831b40be81
Opcode Fuzzy Hash: d2b4bb28747ca05320e75c7f5fbd2a6bc5ee7bd0588122174aa1559bb6c1fb10
Instruction Fuzzy Hash: 7F31B1715083009FD300EF54C881AAFBFF8EF99354F54096DF586971A2EB719948CBA2

Function 00B98FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

GetCursorPos.USER32(?), ref: 00B99001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B57711,?,?,?,?,?), ref: 00B99016
GetCursorPos.USER32(?), ref: 00B9905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B57711,?,?,?), ref: 00B99094

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2417fb9310821effdf5f12c26535f404d3aee96ed700cdcffd4375959125ec01
Instruction ID: 44d4e3fd56d961a52bd0ab84952abc9ed35bfbc18c075293b09d0fda6c7c13dd
Opcode Fuzzy Hash: 2417fb9310821effdf5f12c26535f404d3aee96ed700cdcffd4375959125ec01
Instruction Fuzzy Hash: 1821BF35600018FFCF658F99C868EEA7BF9EB49350F0040AAF91547261D73299A0DB60

Function 00B6D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B9CB68), ref: 00B6D2FB
GetLastError.KERNEL32 ref: 00B6D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B6D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B9CB68), ref: 00B6D376

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: eef6a841d5f9cbef4a7d590a2414dd1957b8cfa6526ba67cdc864cbaff353d8d
Instruction ID: 296a097b6d18bcdb8d370dc19049790a7f06b414829c250e7d63e4da82fd6ff6
Opcode Fuzzy Hash: eef6a841d5f9cbef4a7d590a2414dd1957b8cfa6526ba67cdc864cbaff353d8d
Instruction Fuzzy Hash: 49218D70A083019FC710DF28C98186A7BE8EE56364F504A9EF499C73E1EB349945CB97

Function 00B61571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B6102A
Part of subcall function 00B61014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B61036
Part of subcall function 00B61014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61045
Part of subcall function 00B61014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B6104C
Part of subcall function 00B61014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B615BE
_memcmp.LIBVCRUNTIME ref: 00B615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B61617
HeapFree.KERNEL32(00000000), ref: 00B6161E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 64c11cfd1e543f52c6771708ced3dcbe44f8da8c49ed92dc5e9487d3e73f5c39
Instruction ID: 4c089d1164d5004cc09aff2a2c873087efc88dbd1d7f0086f2aa0eb0cbf204ce
Opcode Fuzzy Hash: 64c11cfd1e543f52c6771708ced3dcbe44f8da8c49ed92dc5e9487d3e73f5c39
Instruction Fuzzy Hash: 82217C71E00109EFDF10DFA8C945BEEB7F8EF54354F188899E445AB251E778AA05CBA0

Function 00B92782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B9280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B92824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B92832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B92840

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 8ca5e93f65474aac281293cb55928cedd67b1445f7dde4a4a4262284e0b720cb
Instruction ID: ac59429422969c20ec99c6c45e5d20a2aebe18c2fec4ebff35eacdb85f320a55
Opcode Fuzzy Hash: 8ca5e93f65474aac281293cb55928cedd67b1445f7dde4a4a4262284e0b720cb
Instruction Fuzzy Hash: C521B031605111BFDB14DB24CC85FAA7BD5EF46324F1481A9F42A8B6E2CB75EC42C790

Function 00B678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B68D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B6790A,?,000000FF,?,00B68754,00000000,?,0000001C,?,?), ref: 00B68D8C
Part of subcall function 00B68D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00B68DB2
Part of subcall function 00B68D7D: lstrcmpiW.KERNEL32(00000000,?,00B6790A,?,000000FF,?,00B68754,00000000,?,0000001C,?,?), ref: 00B68DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B68754,00000000,?,0000001C,?,?,00000000), ref: 00B67923
lstrcpyW.KERNEL32(00000000,?), ref: 00B67949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B68754,00000000,?,0000001C,?,?,00000000), ref: 00B67984

Strings

cdecl, xrefs: 00B6797B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f8f33f0e935c57aa8fea7a2d9ee1fe5663005d87cdaca78cc0d63159d112ccc9
Instruction ID: a04e88627b1959b7829ebc872f6c6f7a9e32bb91c43febf735623a2b705c4df6
Opcode Fuzzy Hash: f8f33f0e935c57aa8fea7a2d9ee1fe5663005d87cdaca78cc0d63159d112ccc9
Instruction Fuzzy Hash: C111223A200302BBCB159F38C844E7A77E9FF85394B40406AF902CB2A4EF359801C7A1

Function 00B97CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00B97D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B97D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B97D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B7B7AD,00000000), ref: 00B97D6B

Part of subcall function 00B19BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B19BB2

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: eedba2581995b3c5542d5095f3c8f42f713976cdf197b0d1e490eb139f8f18ac
Instruction ID: 2889e29ddb2e537c7a8423452024ea59aa9ad3c9f84be8cc37f95e65a9063f50
Opcode Fuzzy Hash: eedba2581995b3c5542d5095f3c8f42f713976cdf197b0d1e490eb139f8f18ac
Instruction Fuzzy Hash: 9A1188B2225614ABCF108F68CC04AA63BE4EF46360B118775F839C72F0EB308951CB50

Function 00B95660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00B956BB
_wcslen.LIBCMT ref: 00B956CD
_wcslen.LIBCMT ref: 00B956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B95816

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 4291d4d6dd3b0502a272f645bbe44a9e3fa40e7ebac9221aa84c936a38a25c33
Instruction ID: 6afd3dbcc1f561ca863e34d68e404ffac0edbbf679f9921b0e6d8432e06e0fd7
Opcode Fuzzy Hash: 4291d4d6dd3b0502a272f645bbe44a9e3fa40e7ebac9221aa84c936a38a25c33
Instruction Fuzzy Hash: 8711D375680618AADF31DF65DCC5AEE77ECEF11760B1040B6F915D6182EB70DA80CB60

Function 00B31D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0fa05a7057ed3ad4bc531b86daec8cdf384b0ed391b0335dc1f12cfe096dd3
Instruction ID: 5c3d75f4845dcb510b8c360ea7cb3aeaf243e4b1790b709a1c5a79dfeab92302
Opcode Fuzzy Hash: ba0fa05a7057ed3ad4bc531b86daec8cdf384b0ed391b0335dc1f12cfe096dd3
Instruction Fuzzy Hash: 01012CB62096167EE6112A7C6CC1F67769DDF423B8F3507B6B535611D2DB609C005170

Function 00B61A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B61A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B61A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B61A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B61A8A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: be089a2aa61e597d039254115b55a93eb1d7c005bd76fc4116a070092e78006b
Instruction ID: a099ac7d896865435d9ccc4072d512343ca1fe3bbc4c9abe6e83cd03afee2622
Opcode Fuzzy Hash: be089a2aa61e597d039254115b55a93eb1d7c005bd76fc4116a070092e78006b
Instruction Fuzzy Hash: BF112A3A901219FFEB10DBA8C985FADBBB8EB04750F240491E614B7290D6716E50DB94

Function 00B6E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B6E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00B6E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B6E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B6E24D

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9be7bca23f94e67522c6d91dc7c60a74c40627a1f8adc80d4d0e26dbaaa71f10
Instruction ID: 186ed169f64d0ad3a4371d6283893594c48d1077d18885046242a34dd42d3c15
Opcode Fuzzy Hash: 9be7bca23f94e67522c6d91dc7c60a74c40627a1f8adc80d4d0e26dbaaa71f10
Instruction Fuzzy Hash: 2611DB76904254BFC7019FACDD19A9E7FEDEB45320F044666F924E3291DB74CD0487A4

Function 00B2D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B2CFF9,00000000,00000004,00000000), ref: 00B2D218
GetLastError.KERNEL32 ref: 00B2D224
__dosmaperr.LIBCMT ref: 00B2D22B
ResumeThread.KERNEL32(00000000), ref: 00B2D249

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c6fb0153564774ef9da4bd7b29930b236d12c6494f24b320d16d20e20b5e5c5c
Instruction ID: a5198819d693e71cf513bed84b2dbef37c85a4f9a1c6774c578ab988597930e7
Opcode Fuzzy Hash: c6fb0153564774ef9da4bd7b29930b236d12c6494f24b320d16d20e20b5e5c5c
Instruction Fuzzy Hash: 3B01D636405124FBDB115BA5EC09BAE7EE9DF81331F100299F92DA21D0CF708901C6A1

Function 00B0600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B0604C
GetStockObject.GDI32(00000011), ref: 00B06060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B0606A

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f84a4ae2b2938bfb9b14101287a25f471e411b62282031b67e7bf14d9a2a743b
Instruction ID: f5527b00422564350fb91c42628d87662e89b65060ab3f3663cff86f24560de5
Opcode Fuzzy Hash: f84a4ae2b2938bfb9b14101287a25f471e411b62282031b67e7bf14d9a2a743b
Instruction Fuzzy Hash: 4D116D72541509BFEF164FA4DC94EEABFA9EF083A4F044256FA1452150EB369C60EBA0

Function 00B23B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B23B56

Part of subcall function 00B23AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00B23AD2
Part of subcall function 00B23AA3: ___AdjustPointer.LIBCMT ref: 00B23AED

_UnwindNestedFrames.LIBCMT ref: 00B23B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00B23B7C
CallCatchBlock.LIBVCRUNTIME ref: 00B23BA4

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 2de09faea756cd9af6cf031c4b01908c632fb02d5999015e2633acf4b0f6fd62
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 2C012932100158BBDF126E95EC46EEB7FEAEF49B54F044094FE4C56121C736E961DBA0

Function 00B33073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B013C6,00000000,00000000,?,00B3301A,00B013C6,00000000,00000000,00000000,?,00B3328B,00000006,FlsSetValue), ref: 00B330A5
GetLastError.KERNEL32(?,00B3301A,00B013C6,00000000,00000000,00000000,?,00B3328B,00000006,FlsSetValue,00BA2290,FlsSetValue,00000000,00000364,?,00B32E46), ref: 00B330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B3301A,00B013C6,00000000,00000000,00000000,?,00B3328B,00000006,FlsSetValue,00BA2290,FlsSetValue,00000000), ref: 00B330BF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 9cb4eda5a69816b7961be60e28a6eb03cd732542c8028e0afc348eae06dfdf2f
Instruction ID: 6b55d416cf526929ef694d93adc5bfb892da2ac8ee2bbe73c82e8c97522ac13d
Opcode Fuzzy Hash: 9cb4eda5a69816b7961be60e28a6eb03cd732542c8028e0afc348eae06dfdf2f
Instruction Fuzzy Hash: 6301F232302622ABCB354B7CAC84B677BD8EF05FA1F300661F906E7150DB21DA05CAE0

Function 00B67464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B6747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B67497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B674CA

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7be2bb8d6bae58ab5361b84c1a7c8e8dfb21e493d50895f4832ffc2bc7ed06fb
Instruction ID: 737cac83dd7b874e4d8095c7bf8a9fdcb7043ad3aed00338eeb0c8c243cd523a
Opcode Fuzzy Hash: 7be2bb8d6bae58ab5361b84c1a7c8e8dfb21e493d50895f4832ffc2bc7ed06fb
Instruction Fuzzy Hash: A4118EB52453109BE7208F14ED4CB927FFCEB40B08F1085AAA61AD7251DF78E904DBA0

Function 00B6B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B6ACD3,?,00008000), ref: 00B6B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B6ACD3,?,00008000), ref: 00B6B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B6ACD3,?,00008000), ref: 00B6B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B6ACD3,?,00008000), ref: 00B6B126

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 5a8d0a3123683abe549d49aa1bd09b892f1604924b5daf9796a49ccc144758e8
Instruction ID: 374ed9571ac17e9a4181084bf5412b8796a30dc4a1f43dfe7067c687a3bb58b7
Opcode Fuzzy Hash: 5a8d0a3123683abe549d49aa1bd09b892f1604924b5daf9796a49ccc144758e8
Instruction Fuzzy Hash: 5C115B31C1152CEBCF00AFE4E998AEEBFB8FF0A711F104086D951B3185CB3496908B55

Function 00B62DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B62DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B62DD6
GetCurrentThreadId.KERNEL32 ref: 00B62DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B62DE4

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 30d4d04ef4aa6c8b6804af1c00d35d7f36c72ef8d86866bc7bda1705f20ac66e
Instruction ID: fc26267e2052397e48a5c7692e316698abf0b5c6d3426313699ad216edcd4805
Opcode Fuzzy Hash: 30d4d04ef4aa6c8b6804af1c00d35d7f36c72ef8d86866bc7bda1705f20ac66e
Instruction Fuzzy Hash: EEE092711016247BEB201B729D0DFEB3EACEF43BA1F500466F505D30909EA5C840C6B0

Function 00B98863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B19639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B19693
Part of subcall function 00B19639: SelectObject.GDI32(?,00000000), ref: 00B196A2
Part of subcall function 00B19639: BeginPath.GDI32(?), ref: 00B196B9
Part of subcall function 00B19639: SelectObject.GDI32(?,00000000), ref: 00B196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B98887
LineTo.GDI32(?,?,?), ref: 00B98894
EndPath.GDI32(?), ref: 00B988A4
StrokePath.GDI32(?), ref: 00B988B2

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 51f2fa2b4ea360b5ef4585c4e186e6c52541befe9520ba3e93ce67f0b2192786
Instruction ID: 44d3767ae3ea92edd93bf3f9e8cc36798898f2920be7134c7e0475ee1b701a15
Opcode Fuzzy Hash: 51f2fa2b4ea360b5ef4585c4e186e6c52541befe9520ba3e93ce67f0b2192786
Instruction Fuzzy Hash: 88F05E36042258FADB126F94AD19FCE3F59AF06310F448042FA11660E2CB795652CFF9

Function 00B198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B198CC
SetTextColor.GDI32(?,?), ref: 00B198D6
SetBkMode.GDI32(?,00000001), ref: 00B198E9
GetStockObject.GDI32(00000005), ref: 00B198F1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e67915d402268b88383fa2af499d05522f1f9cf427c3e11a8b92f75de3f3f9d7
Instruction ID: 2483ea922bf256f635039b3c687b9329e50844670404d8d4072502c6e53943b1
Opcode Fuzzy Hash: e67915d402268b88383fa2af499d05522f1f9cf427c3e11a8b92f75de3f3f9d7
Instruction Fuzzy Hash: F8E06D31284290ABEB215B74BD19BE83F60EB12376F04C25AFBFA690E1CB7146449B10

Function 00B6162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B61634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B611D9), ref: 00B6163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B611D9), ref: 00B61648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B611D9), ref: 00B6164F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5322a7bf0c88d72d537e36c02037394a9e51c7e57c63c7487c4e0d47083d925b
Instruction ID: 9544602fe3a038ac91492610a7aa6b7a97074c8b14698f24c2e9684156e7d71b
Opcode Fuzzy Hash: 5322a7bf0c88d72d537e36c02037394a9e51c7e57c63c7487c4e0d47083d925b
Instruction Fuzzy Hash: 35E08635601211EBD7201FA49F0DB463FBCEF44791F188849F245CA080DA384440C764

Function 00B5D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B5D858
GetDC.USER32(00000000), ref: 00B5D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B5D882
ReleaseDC.USER32(?), ref: 00B5D8A3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 34fc4216a2d62d23296c007e6b338efaa34945b1103d6f5d5c521a22dbb654ad
Instruction ID: 476e80b33eb3cd68d2d4a87931a87ac490274a912d57e99d04834313a18494a8
Opcode Fuzzy Hash: 34fc4216a2d62d23296c007e6b338efaa34945b1103d6f5d5c521a22dbb654ad
Instruction Fuzzy Hash: 12E01AB1800205DFCF419FA0DA4C66DBFF1FB08311F14808AE806E7250CB399945EF50

Function 00B5D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B5D86C
GetDC.USER32(00000000), ref: 00B5D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B5D882
ReleaseDC.USER32(?), ref: 00B5D8A3

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9a47dd7187cf1cb2b5c96749c8cd3ae2d9a0491d58cc1504029117fe1afe2407
Instruction ID: 1560ae9b78da7b64fe385eda6f07cd616fefde3971c989543da15320422f8961
Opcode Fuzzy Hash: 9a47dd7187cf1cb2b5c96749c8cd3ae2d9a0491d58cc1504029117fe1afe2407
Instruction Fuzzy Hash: AAE092B5800205EFCF51AFA0DA4C66DBFF5BB08311F54848AE94AE7250CB399945EF50

Function 00B74D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B07620: _wcslen.LIBCMT ref: 00B07625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B74ED4

Strings

*, xrefs: 00B74E10
LPT, xrefs: 00B74DFB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 8e4566d67d2796df73fd338d71828bd696b22f3429a61842387f0158f755b414
Instruction ID: f42138214187d0a04964959c3fd9ee3f09364194e9f4855c4f04bfc64cfa886b
Opcode Fuzzy Hash: 8e4566d67d2796df73fd338d71828bd696b22f3429a61842387f0158f755b414
Instruction Fuzzy Hash: 4C913875A002049FCB14DF58C494EAABBF1EF49314F1980D9E81A9F3A2D771EE85CB91

Function 00B2E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B2E30D

Strings

pow, xrefs: 00B2E2E5, 00B2E302

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 34372d5d66d81419cd3d3c69bc516306cb14fd9acd54138cae34db7fb67b8611
Instruction ID: 121c820fe87b935c7ca33fa57104e308af043125164ee3705c094664562a7c39
Opcode Fuzzy Hash: 34372d5d66d81419cd3d3c69bc516306cb14fd9acd54138cae34db7fb67b8611
Instruction Fuzzy Hash: E5517EE194C11196CB32B719D9423793BD8EF40741F304DE8E0BA432E8EF35CC959A46

Function 00B1E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B1E1B1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b8aa7f3c699637320db6091472c9e9a499a3b7a454fec6096e737ac1ed1ca19d
Instruction ID: dea0d144695cca922685dee9f9c4584e4c1fad6a867a6d189944e049c5b60377
Opcode Fuzzy Hash: b8aa7f3c699637320db6091472c9e9a499a3b7a454fec6096e737ac1ed1ca19d
Instruction Fuzzy Hash: 1D510275904256DFDB19DF28C491AFA7BE8EF19311F6440D5EC619B2C0DA30DE86CBA0

Function 00B1F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B1F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B1F2BB

Strings

@, xrefs: 00B1F2AF

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c72d91cb82d02a5783404a5526c5becb1d6d4711d60be6dd77ad690e10fa8ff4
Instruction ID: 96ae4bfa23501b197b6c9631be486ec996f2fdfa886582f1f5e773e657a0ec46
Opcode Fuzzy Hash: c72d91cb82d02a5783404a5526c5becb1d6d4711d60be6dd77ad690e10fa8ff4
Instruction Fuzzy Hash: 2B5135718087459BD320AF14DC86BABBBF8FB84300F81899DF1D9421A5EF709529CB67

Function 00B85745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00B857E0
_wcslen.LIBCMT ref: 00B857EC

Strings

CALLARGARRAY, xrefs: 00B857E6, 00B857EB

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 33da806050a2bd8235b8ee9d4473141cf66941fcb75eb02e0ff0be402ffecb2b
Instruction ID: 07347aaa3f071fbf423cb25c118adcb73d4d96b3d76d6cffbe667e74d4dee8a1
Opcode Fuzzy Hash: 33da806050a2bd8235b8ee9d4473141cf66941fcb75eb02e0ff0be402ffecb2b
Instruction Fuzzy Hash: C1418131E00209DFCB14EFA9C8819FEBBF5EF59354F5040AAE505A72A1EB749D81CB90

Function 00B7D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B7D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B7D13A

Strings

|, xrefs: 00B7D10B

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 43ef794619e511f688be3a94e05cbf9c5c25008077cfec130e30d3079daafbc1
Instruction ID: 75bea248a1a02cb6ea45d32bf0c36ea3726e686cf99c58a0130e16c2ca44ee7d
Opcode Fuzzy Hash: 43ef794619e511f688be3a94e05cbf9c5c25008077cfec130e30d3079daafbc1
Instruction Fuzzy Hash: 82311A71D00219ABCF15EFA4CC85AEE7FB9FF04340F404099F819A61A2DB31AA56CB60

Function 00B9356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B93621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B9365C

Strings

static, xrefs: 00B935BC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 88b8b2e9c7f3909422361c8b81178ca06e6fa798a09fa14ca67ca11b5073a5a8
Instruction ID: c52314a7c8eb69491352eb5b5a6f0429bc68a06616fa2ea6aa5092616b9ca26f
Opcode Fuzzy Hash: 88b8b2e9c7f3909422361c8b81178ca06e6fa798a09fa14ca67ca11b5073a5a8
Instruction Fuzzy Hash: 4631AB71100204AADB10DF28CC80EFB77E9FF99B20F01866AF8A5D7290DA31AD81C760

Function 00B94537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00B9461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B94634

Strings

', xrefs: 00B9458E

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 8e553eddbd3237917acd4b7f762a94810cce92aa2f18532798efaec718a9832e
Instruction ID: 6160e7e31eabc0a94f92fb9e46f42c36ce2e5ced8a3621d3a00949b3161c2a69
Opcode Fuzzy Hash: 8e553eddbd3237917acd4b7f762a94810cce92aa2f18532798efaec718a9832e
Instruction Fuzzy Hash: E03117B4A012099FDF14CFA9C990BDABBF5FB19300F1145AAE905AB341E770A942CF90

Function 00B931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B9327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B93287

Strings

Combobox, xrefs: 00B93249

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: cc768d48d567ec0d0476c9086fd3641729efe72081a2ccae757df21d91e6efac
Instruction ID: f5032379032b349ebf3d57112ab4842d92e71e53f7dce3ed1576ff27c72c035f
Opcode Fuzzy Hash: cc768d48d567ec0d0476c9086fd3641729efe72081a2ccae757df21d91e6efac
Instruction Fuzzy Hash: 181190713002087FEF259F94DC90EBB3BEAEB98764F104579F918A7291D6319D518760

Function 00B93710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B0600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B0604C
Part of subcall function 00B0600E: GetStockObject.GDI32(00000011), ref: 00B06060
Part of subcall function 00B0600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B0606A

GetWindowRect.USER32(00000000,?), ref: 00B9377A
GetSysColor.USER32(00000012), ref: 00B93794

Strings

static, xrefs: 00B93757

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3f84b873a1f46759850f38d6842d961659e84dae2175996d7aa564d77f89f93f
Instruction ID: 5710c4e8ed6e119f5c33d02a398e2dd62d1b9b5938161bc14d8736d436e2e7a5
Opcode Fuzzy Hash: 3f84b873a1f46759850f38d6842d961659e84dae2175996d7aa564d77f89f93f
Instruction Fuzzy Hash: 271129B2610209AFDF00DFB8CD46EEA7BF8EB08714F014965F955E3250EB39E8519B50

Function 00B7CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B7CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B7CDA6

Strings

<local>, xrefs: 00B7CD66

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: eda71f3ca6fefc8395bdf97e93ddaca28d14d299e0660fdd46a23879c7d9457e
Instruction ID: b55c5cfaf695559fbbcf5321527351b3a421c6151fb09baf0b043450f61d750e
Opcode Fuzzy Hash: eda71f3ca6fefc8395bdf97e93ddaca28d14d299e0660fdd46a23879c7d9457e
Instruction Fuzzy Hash: DA11A371205631BAD7344A668C85EE7BEE8EB127A4F1082BEB12D93190D6649C40D6F0

Function 00B93429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B934BA

Strings

edit, xrefs: 00B9348F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6e7683af5cf78506dc22abcdf8d36c432c2541fefb965815218cfc9556eb125b
Instruction ID: 78dbfcf5516afc7cf5b0d79a08374d8278aa9e76770816705fb442473845ca06
Opcode Fuzzy Hash: 6e7683af5cf78506dc22abcdf8d36c432c2541fefb965815218cfc9556eb125b
Instruction Fuzzy Hash: CF11BF71100108ABEF128F64DC84AAB3BEAEB05B78F524774F965933E0C731EC919760

Function 00B66C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

CharUpperBuffW.USER32(?,?,?), ref: 00B66CB6
_wcslen.LIBCMT ref: 00B66CC2

Strings

STOP, xrefs: 00B66CBC, 00B66CC1

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: eef9f1f7ccf6f3a5e774f908db652df2b49f13ac5498cc8750d1e22b46c4edac
Instruction ID: e0e54f2420e23d9b5ab8d2862451d33ded27a2ff1cfcdc3ecb56f836472951a1
Opcode Fuzzy Hash: eef9f1f7ccf6f3a5e774f908db652df2b49f13ac5498cc8750d1e22b46c4edac
Instruction Fuzzy Hash: 1D01D232A1092A8BCB20AFBDDC809BF77F5EF61750B1009B8E862971D1EB39D950C650

Function 00B61CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B61D4C

Strings

ComboBox, xrefs: 00B61CEB
ListBox, xrefs: 00B61D16

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b215c0bb14449426f738ca552576fa5f2d5f5bb603a0bcf0d188613b5ecf4a50
Instruction ID: 19639087500eb84351f510e0508ba13bc120cfa135397254b67bdb5433a9c7ac
Opcode Fuzzy Hash: b215c0bb14449426f738ca552576fa5f2d5f5bb603a0bcf0d188613b5ecf4a50
Instruction Fuzzy Hash: 9901D871601218ABCB14EFA4CD51DFE7BE8EB56390F0409A9F822673D2EA3459088760

Function 00B61BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B61C46

Strings

ComboBox, xrefs: 00B61BE5
ListBox, xrefs: 00B61C10

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b4fa36faaa31aec121bf17c7b1f212922c49ad4ba30985f4e40f5fe356f1dc95
Instruction ID: 89841a899be6ec34c134398b6ca184007fdf9cf00ca9b1ed9f3e7b70f3292eeb
Opcode Fuzzy Hash: b4fa36faaa31aec121bf17c7b1f212922c49ad4ba30985f4e40f5fe356f1dc95
Instruction Fuzzy Hash: AF01A775A8120866DB14EB94CA52EFF7BE8DB11340F140499F506672C2EA249E1896B1

Function 00B61C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B61CC8

Strings

ComboBox, xrefs: 00B61C69
ListBox, xrefs: 00B61C94

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0caa50b1aefda05547e0de731b02effc270cf77b41f7c92a96b2358af63d7f99
Instruction ID: d928989045ac0f1d0c13b9ab9b39b0b6c73de24aa54bb2778ea129320ee39e77
Opcode Fuzzy Hash: 0caa50b1aefda05547e0de731b02effc270cf77b41f7c92a96b2358af63d7f99
Instruction Fuzzy Hash: 7801D6B1A8121867DB14EBA4CA41EFF7BE8DB11380F180499B802772C2EA249F08D671

Function 00B61D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B09CB3: _wcslen.LIBCMT ref: 00B09CBD

Part of subcall function 00B63CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B63CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00B61DD3

Strings

ComboBox, xrefs: 00B61D75
ListBox, xrefs: 00B61DA0

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 1fb4be989e09408c1552c2b4e588ae3b98f43725377223e15ad4b207b7c690ac
Instruction ID: b5135dcfde979729a0645e8b7ea45c6719c341292e2223dcf297ed9965976c9e
Opcode Fuzzy Hash: 1fb4be989e09408c1552c2b4e588ae3b98f43725377223e15ad4b207b7c690ac
Instruction Fuzzy Hash: 50F0A971E5131466D714E7A4CD91FFF7BE8EB01750F040D99F422632D2DA6459088260

Function 00B8747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B87493
_wcslen.LIBCMT ref: 00B874B9

Strings

3, 3, 16, 1, xrefs: 00B87483

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: afd3ee86d87bff172559f706f7236e5948404936b3c63f2a02bc87a554ae0f55
Instruction ID: 3376e0dea1f603818dbbeba7f3a0de288c97de30660e429d28724e08bd675ac2
Opcode Fuzzy Hash: afd3ee86d87bff172559f706f7236e5948404936b3c63f2a02bc87a554ae0f55
Instruction Fuzzy Hash: AEE02B022542301492313279ACC1A7F56C9CFC975073818ABF989C2376EFD4CDD2D3A0

Function 00B60B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B60B23

Strings

Error allocating memory., xrefs: 00B60B1C
AutoIt, xrefs: 00B60B17

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f03d7c86d42439f9adc0f4f3ddf660bf622045b795e0c2114a9d2a84ef177ca7
Instruction ID: 84a55d34e253f6601df21efdca0c1a74fd84f9b5b841f1006d73b83517c8e35a
Opcode Fuzzy Hash: f03d7c86d42439f9adc0f4f3ddf660bf622045b795e0c2114a9d2a84ef177ca7
Instruction Fuzzy Hash: 7FE0D83224831836D61437947C03FD97FC4CF05B10F1004FAFB48554D38AE1289046E9

Function 00B20D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B1F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B20D71,?,?,?,00B0100A), ref: 00B1F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00B0100A), ref: 00B20D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B0100A), ref: 00B20D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B20D7F

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 35d01e7f88c52a4329a354f7722c99aad35301c7be74160b86c2df6a464efd5c
Instruction ID: 91ab1b846ca10d81aecebd756d294ed7493a957fff800ecc3a8f47cde269128e
Opcode Fuzzy Hash: 35d01e7f88c52a4329a354f7722c99aad35301c7be74160b86c2df6a464efd5c
Instruction Fuzzy Hash: E0E06D702017128BD720AFBCE5043527BE0AB00790F0089BEE886C7652EBB0E4448B91

Function 00B5D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B5D220

Strings

%.3d, xrefs: 00B5D22B
X64, xrefs: 00B5D2A8

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: f612e15317e5b83bfc8acdd04b358b020d8d4a4495f110ea96a3ab2ce58ebc33
Instruction ID: 8ae50e1d728dc16deaa2c4525fc0ec3fa5e5dc22c45c7bfa77851b101c066688
Opcode Fuzzy Hash: f612e15317e5b83bfc8acdd04b358b020d8d4a4495f110ea96a3ab2ce58ebc33
Instruction Fuzzy Hash: ADD01271808109E9CB6097D0CCC9AFAB3FCEB48302F9085D6FC0692040D625D54DAF61

Function 00B92322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B9232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B9233F

Part of subcall function 00B6E97B: Sleep.KERNEL32 ref: 00B6E9F3

Strings

Shell_TrayWnd, xrefs: 00B92325

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 36059d4e19761744e014083d8198209ee28499000a910c9b12829bdf6230d488
Instruction ID: 441890e615e2f88460720860e5c2b94a993dc064fc234503fb3f1bf83f89dee8
Opcode Fuzzy Hash: 36059d4e19761744e014083d8198209ee28499000a910c9b12829bdf6230d488
Instruction Fuzzy Hash: C8D0C936394310B6E664A7709D0FFC66E64AF10B10F0149577655AB1E5C9B4A8018A54

Function 00B92356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B9236C
PostMessageW.USER32(00000000), ref: 00B92373

Part of subcall function 00B6E97B: Sleep.KERNEL32 ref: 00B6E9F3

Strings

Shell_TrayWnd, xrefs: 00B92365

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 421858349c4d8c6517c368fa373c836d4a44efc3b3066251da005c27ae8966fa
Instruction ID: 1346118a252d5900b3b8e60583bf4a8336cc5b5367ef44412ea09c7cdcfa112b
Opcode Fuzzy Hash: 421858349c4d8c6517c368fa373c836d4a44efc3b3066251da005c27ae8966fa
Instruction Fuzzy Hash: 82D0C9363813107AE664A7709D0FFC66A64AB14B10F4149577655AB1E5C9B4A8018A54

Function 00B3BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B3BE93
GetLastError.KERNEL32 ref: 00B3BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B3BEFC

Memory Dump Source

Source File: 00000000.00000002.3543102295.0000000000B01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000000.00000002.3543077802.0000000000B00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000B9C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543229825.0000000000BC2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543391876.0000000000BCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3543420195.0000000000BD4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_LisectAVT_2403002A_460.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 5f0be15dc2534ecac4cc988ec5e051c7afe5dec8bbcfdf010d66d0e671e0be07
Instruction ID: ff5c947e30ec2ed95e916ebc7498aedebda956ddd477e32ce6abb37fa8b18005
Opcode Fuzzy Hash: 5f0be15dc2534ecac4cc988ec5e051c7afe5dec8bbcfdf010d66d0e671e0be07
Instruction Fuzzy Hash: F041D535604216AFCF218F68DC54EBA7BE5EF41310F3451EAFA599B1A9DB308D01CB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_460.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Dalymore\Laddonia.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\My App.exe.log

C:\Users\user\AppData\Local\Temp\aut1BC1.tmp

C:\Users\user\AppData\Local\Temp\aut1C00.tmp

C:\Users\user\AppData\Local\Temp\aut70BD.tmp

C:\Users\user\AppData\Local\Temp\aut713B.tmp

C:\Users\user\AppData\Local\Temp\autE716.tmp

C:\Users\user\AppData\Local\Temp\autE755.tmp

C:\Users\user\AppData\Local\Temp\kinematical

C:\Users\user\AppData\Local\Temp\uppishly

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Laddonia.vbs

Windows Analysis Report
LisectAVT_2403002A_460.exe

Function 00B042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00B042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre