Edit tour

Windows Analysis Report
LisectAVT_2403002A_419.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_419.exe
Analysis ID:	1482269
MD5:	42b90e270ab9cc4d1f6354045048b538
SHA1:	080d0df0d03f707096cb974da2d683037e9cc63a
SHA256:	e4883bfe1480181df3d2eb0e0a587be359260ee11a32176aab234eb707fe6f76
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RisePro Stealer

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to check for running processes (XOR)

Contains functionality to inject threads in other processes

Drops PE files to the user root directory

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_419.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_419.exe" MD5: 42B90E270AB9CC4D1F6354045048B538)

Au3Check.exe (PID: 7416 cmdline: "C:\Program Files (x86)\autoit3\Au3Check.exe" MD5: 3BE697D1A92115D5CA76A633A527DFB7)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\jQRMFClswtrBVwy.pdf	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Au3Check.exe PID: 7416	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.LisectAVT_2403002A_419.exe.c000380000.1.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c000600000.5.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
2.2.Au3Check.exe.510000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
2.2.Au3Check.exe.510000.0.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c000888000.8.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c000600000.5.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c000572000.4.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c0004f2000.3.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c000888000.8.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.LisectAVT_2403002A_419.exe.c00052c000.2.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 11 entries

Suricata Signatures

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.8 - Destination IP: 193.233.132.67

Timestamp:	2024-07-25T20:24:30.069059+0200
SID:	2049060
Source Port:	49705
Destination Port:	5000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T20:25:13.610035+0200
SID:	2022930
Source Port:	443
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.8 - Destination IP: 193.233.132.67

Timestamp:	2024-07-25T20:24:33.064109+0200
SID:	2046269
Source Port:	49705
Destination Port:	5000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T20:24:36.289495+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: LisectAVT_2403002A_419.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0051E150 FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	2_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0054E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	2_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0051A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	2_2_0051A750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005ED997 FindClose,FindFirstFileExW,GetLastError,	2_2_005ED997
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005EDA1D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	2_2_005EDA1D

Source: global traffic

TCP traffic: 192.168.2.8:49705 -> 193.233.132.67:5000

Source: Joe Sandbox View

IP Address: 193.233.132.67 193.233.132.67

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_0052E0A0 recv,setsockopt,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo,

2_2_0052E0A0

Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Au3Check.exe	String found in binary or memory: https://ipinfo.io/
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Au3Check.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_0051AF30 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,

2_2_0051AF30

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0051B360	2_2_0051B360
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005670F0	2_2_005670F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005990E0	2_2_005990E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0051E150	2_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0059E140	2_2_0059E140
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00553160	2_2_00553160
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005E5100	2_2_005E5100
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005411D0	2_2_005411D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005191A0	2_2_005191A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005AD1A0	2_2_005AD1A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00595240	2_2_00595240
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005B1270	2_2_005B1270
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00556230	2_2_00556230
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00551220	2_2_00551220
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0054E2D0	2_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0055F280	2_2_0055F280
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0059F360	2_2_0059F360
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00533330	2_2_00533330
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005A63D0	2_2_005A63D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00569440	2_2_00569440
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0053C470	2_2_0053C470
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005F646A	2_2_005F646A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005124F0	2_2_005124F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005AC4F0	2_2_005AC4F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0059E490	2_2_0059E490
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0054B480	2_2_0054B480
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005F84A0	2_2_005F84A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00596550	2_2_00596550
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005955B0	2_2_005955B0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00598610	2_2_00598610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005A0610	2_2_005A0610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005A2610	2_2_005A2610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0059F600	2_2_0059F600
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0060F771	2_2_0060F771
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00567770	2_2_00567770
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005477E0	2_2_005477E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00609824	2_2_00609824
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0059F810	2_2_0059F810
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005DF800	2_2_005DF800
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005A68C0	2_2_005A68C0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00599880	2_2_00599880
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005388A0	2_2_005388A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005458A0	2_2_005458A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005E2950	2_2_005E2950
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005E6970	2_2_005E6970
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0059E910	2_2_0059E910
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0055A900	2_2_0055A900
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005719E0	2_2_005719E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0053EA60	2_2_0053EA60
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00525A10	2_2_00525A10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00548A00	2_2_00548A00
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00534AD0	2_2_00534AD0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0054CA80	2_2_0054CA80
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005DDA80	2_2_005DDA80
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0059EB70	2_2_0059EB70
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005FBB6D	2_2_005FBB6D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005C7B30	2_2_005C7B30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00595B20	2_2_00595B20
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005CDC70	2_2_005CDC70
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00596C00	2_2_00596C00
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005A2CF0	2_2_005A2CF0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005F2CE0	2_2_005F2CE0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0059BD50	2_2_0059BD50
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00527DC0	2_2_00527DC0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005ECE10	2_2_005ECE10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0053AE30	2_2_0053AE30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00535E30	2_2_00535E30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005FBEAF	2_2_005FBEAF
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00529F50	2_2_00529F50
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005D1F90	2_2_005D1F90
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00593F80	2_2_00593F80

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: String function: 0057E530 appears 41 times
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: String function: 005A2450 appears 101 times
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: String function: 005EFED0 appears 50 times

Source: LisectAVT_2403002A_419.exe

Static PE information: Number of sections : 12 > 10

Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1511786300.00007FF642639000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000003.1507566796.000002BCE8B87000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAu3Check.exeN vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAu3Check.exeN vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE89D8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAu3Check.exeN vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAu3Check.exeN vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_419.exe
Source: LisectAVT_2403002A_419.exe	Binary or memory string: OriginalFilename" vs LisectAVT_2403002A_419.exe

Source: LisectAVT_2403002A_419.exe

Binary or memory string: main.SLNxPDSjg

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/1

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_005A47F0 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

2_2_005A47F0

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_005A4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

2_2_005A4110

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_005191A0 CopyFileA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,

2_2_005191A0

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_00556230 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA,

2_2_00556230

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe

File created: C:\Users\user\jQRMFClswtrBVwy.pdf

Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

File created: C:\Users\user\AppData\Local\Temp\adobezReUMOGlGfit

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe

File opened: C:\Windows\system32\0db7f57e1c2f78ea24726f4ea368749bdd86de5fb8e853dffdfb2de10d733165AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: LisectAVT_2403002A_419.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: Au3Check.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe "C:\Users\user\Desktop\LisectAVT_2403002A_419.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: devobj.dll	Jump to behavior

Source: LisectAVT_2403002A_419.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_419.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: LisectAVT_2403002A_419.exe

Static file information: File size 5050885 > 1048576

Source: LisectAVT_2403002A_419.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x142c00
Source: LisectAVT_2403002A_419.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x356000

Source: LisectAVT_2403002A_419.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Contains functionality to check for running processes (XOR)

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: CopyFileA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,

2_2_005191A0

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_0054B480 SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlenA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

2_2_0054B480

Source: ROxcmXIWiwnYKwA.pdf.0.dr	Static PE information: real checksum: 0x465e9 should be: 0x4eff9
Source: jQRMFClswtrBVwy.pdf.0.dr	Static PE information: real checksum: 0x0 should be: 0x1557f3
Source: LisectAVT_2403002A_419.exe	Static PE information: real checksum: 0x4d8c61 should be: 0x4d8c66

Source: LisectAVT_2403002A_419.exe

Static PE information: section name: .xdata

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_005EFA97 push ecx; ret

2_2_005EFAAA

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	File created: C:\Users\user\ROxcmXIWiwnYKwA.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	File created: C:\Users\user\jQRMFClswtrBVwy.pdf			Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	File created: C:\Users\user\ROxcmXIWiwnYKwA.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	File created: C:\Users\user\jQRMFClswtrBVwy.pdf			Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	File created: C:\Users\user\jQRMFClswtrBVwy.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	File created: C:\Users\user\ROxcmXIWiwnYKwA.pdf			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	File created: C:\Users\user\ROxcmXIWiwnYKwA.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	File created: C:\Users\user\jQRMFClswtrBVwy.pdf			Jump to dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_005955B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_005955B0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_2-80323

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_2-80324

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

2_2_00573A40

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Window / User API: threadDelayed 1654			Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Window / User API: threadDelayed 6841			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Dropped PE file which has not been started: C:\Users\user\ROxcmXIWiwnYKwA.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Dropped PE file which has not been started: C:\Users\user\jQRMFClswtrBVwy.pdf			Jump to dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-80306

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

API coverage: 4.4 %

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7420	Thread sleep count: 1654 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7420	Thread sleep time: -167054s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7432	Thread sleep count: 315 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7420	Thread sleep count: 6841 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 7420	Thread sleep time: -690941s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00579610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 0057962Ah	2_2_00579610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00577750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00577760h country: Hungarian (hu)	2_2_00577750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00577780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00577790h country: Indonesian (id)	2_2_00577780
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00577D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00577D50h country: Upper Sorbian (hsb)	2_2_00577D40

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_005A4670 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005A46C1h

2_2_005A4670

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0051E150 FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	2_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0054E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	2_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0051A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	2_2_0051A750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005ED997 FindClose,FindFirstFileExW,GetLastError,	2_2_005ED997
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005EDA1D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	2_2_005EDA1D

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_0051C430 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

2_2_0051C430

Source: LisectAVT_2403002A_419.exe	Binary or memory string: oTGTaprHP6Aj.(*k79haqX)._vmCie
Source: Au3Check.exe, 00000002.00000002.3876523073.00000000007A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:#\lH
Source: LisectAVT_2403002A_419.exe, 00000000.00000002.1510858966.000002BCA3418000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhk
Source: Au3Check.exe, 00000002.00000003.1520539735.00000000007A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:#\lJ
Source: LisectAVT_2403002A_419.exe	Binary or memory string: _vmCie
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -t-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B6FF812C
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000079F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Au3Check.exe, 00000002.00000002.3876343971.000000000019D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x<us <u
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B6FF812C
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000="]k
Source: Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?tx<u#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t
Source: Au3Check.exe, 00000002.00000002.3876523073.00000000007A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-9
Source: Au3Check.exe, 00000002.00000002.3876523073.0000000000792000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%%

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_00524100 IsDebuggerPresent,

2_2_00524100

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

2_2_0054B480

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00573A40 mov eax, dword ptr fs:[00000030h]	2_2_00573A40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00573A40 mov eax, dword ptr fs:[00000030h]	2_2_00573A40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0052C0A0 mov eax, dword ptr fs:[00000030h]	2_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00524100 mov eax, dword ptr fs:[00000030h]	2_2_00524100
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005248E0 mov eax, dword ptr fs:[00000030h]	2_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_00525A10 mov ecx, dword ptr fs:[00000030h]	2_2_00525A10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_0054CA80 mov eax, dword ptr fs:[00000030h]	2_2_0054CA80

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_00595240 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,CharNextA,CharNextA,CharNextA,CharNextA,

2_2_00595240

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005F006D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_005F006D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005F45A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_005F45A4
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 2_2_005EFCC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_005EFCC4

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe

Memory allocated: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_00529F50 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

2_2_00529F50

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe

Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 3B2008			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe

Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe"

Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_00524400 cpuid

2_2_00524400

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: EnumSystemLocalesW,	2_2_0061004D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_006100D8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,	2_2_0061032B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00610454
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	2_2_0051C430
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,	2_2_006074CE
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,	2_2_0061055A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00610630
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoEx,FormatMessageA,	2_2_005ED793
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	2_2_0060FCBB
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,	2_2_0060FEC0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: EnumSystemLocalesW,	2_2_0060FF67
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: EnumSystemLocalesW,	2_2_00606F4A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: EnumSystemLocalesW,	2_2_0060FFB2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_419.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_005EF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

2_2_005EF26A

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

2_2_00556230

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_00609160 GetTimeZoneInformation,

2_2_00609160

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 2_2_005A4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

2_2_005A4110

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000600000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Au3Check.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Au3Check.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000888000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000600000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000572000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c0004f2000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000888000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c00052c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Au3Check.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\jQRMFClswtrBVwy.pdf, type: DROPPED

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000600000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_419.exe.2bce88a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Au3Check.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Au3Check.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000888000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c0009d4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.LisectAVT_2403002A_419.exe.2bce89f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000600000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000572000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c0004f2000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c000888000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_419.exe.c00052c000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Au3Check.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\jQRMFClswtrBVwy.pdf, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	411 Process Injection	121 Masquerading	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	411 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	46 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
https://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C000400000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, jQRMFClswtrBVwy.pdf.0.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	Au3Check.exe	false	URL Reputation: safe	unknown
https://www.autoitscript.com/autoit3/	LisectAVT_2403002A_419.exe, 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000003.1507541737.000002BCE8A40000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_419.exe, 00000000.00000002.1508940725.000000C0000F4000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000002.00000002.3876523073.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ROxcmXIWiwnYKwA.pdf.0.dr	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	Au3Check.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.67	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482269
Start date and time:	2024-07-25 20:23:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_419.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target LisectAVT_2403002A_419.exe, PID 7272 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: LisectAVT_2403002A_419.exe

Simulations

Behavior and APIs

Time	Type	Description
14:25:02	API Interceptor	1129904x Sleep call for process: Au3Check.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.233.132.67	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.67:8081/static/crypted_f961bb26.exe
	SecuriteInfo.com.Win32.PWSX-gen.9534.16812.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.67:8081/static/crypted_f961bb26.exe
	file.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.67:666/static/rise.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	LisectAVT_2403002A_464.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.109
	LisectAVT_2403002A_464.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.109
	LisectAVT_2403002A_79.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	LisectAVT_2403002B_242.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	LisectAVT_2403002B_433.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	Lisect_AVT_24003_G1B_108.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.62
	Lisect_AVT_24003_G1A_89.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	LisectAVT_2403002A_262.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.190
	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\ROxcmXIWiwnYKwA.pdf

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_419.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	284088
Entropy (8bit):	6.5839751375706195
Encrypted:	false
SSDEEP:	3072:4wOvOIXbP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0l/rUT+:nCb4VQjVsxyItKQNhigibiKwDU
MD5:	DA03D5D29A3F3528D91A150E5679AC97
SHA1:	D5F7922707254D7DC8035AD1DD858726A82070E5
SHA-256:	5BDE05F7AC626D14F39C4745BD9B457454FE15ED23E78D4FDDA42D2C600834A3
SHA-512:	0435FC939E2AFEF975C33694B4EC65E831C89816D337B8ABAE8919E0F2E8033C778F18572D7E4CF8262E81BF759978613E7B1BBC95F6DB1ECB36A1BACBB69F6D
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@..................................e......................................,b..<....p...............l..h&...........L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc........p.......f..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\jQRMFClswtrBVwy.pdf

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_419.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1357136
Entropy (8bit):	6.739855442755242
Encrypted:	false
SSDEEP:	24576:9jhWSkCh5jR4pkIhn1Fg7YqPCxYL+ID4ntel4LbKbmNTwEBzpKPSa72gn/:Ob6jCkIhn1PGyuFbmNTrzAPSaP
MD5:	EBE3AA84AB79715A8A97D1D9211D30CF
SHA1:	DB233BD7FFD956C164722DDEC309E84481EE17F6
SHA-256:	22ABEAE29927CD4A1A70E774EA9050D64CB63FC18206AF294B99F839EB1BB3A4
SHA-512:	6DC0B98E0432F095D79A5025FB03B68F79E86E7DE3905FA2D55407BEDFB0245B6716194F8A1E47ED1BB811A50577F7FFEF9E4DB206C8102A1B29479552F55D54
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\jQRMFClswtrBVwy.pdf, Author: Joe Security
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0....................@..........................0............@.............................L...\...........X+.......................z..8k..8...........................xj..@............................................text...X........................... ..`.rdata...<.......>..................@..@.data....H...0...4..................@....rsrc...X+.......,...J..............@..@.reloc...z.......\|...v..............@..B................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.02180932844593
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	LisectAVT_2403002A_419.exe
File size:	5'050'885 bytes
MD5:	42b90e270ab9cc4d1f6354045048b538
SHA1:	080d0df0d03f707096cb974da2d683037e9cc63a
SHA256:	e4883bfe1480181df3d2eb0e0a587be359260ee11a32176aab234eb707fe6f76
SHA512:	fac869f426d33a58edf8af7b39b3615d774c951174f87ad9e61aee8e06457a95b81c8264db5e2632e7a4f0071cb509392dde14f0fbf212a5bb636852d249ca04
SSDEEP:	49152:vQsLHy/+BFCdShmG/RcxajYhJ5J8tEdTZaEjkulvWKw9pE6UumTS58M3g3hQjDVj:5O/+bzE3BjkV99C64u5o4JHpV
TLSH:	58369C87BC9444F5C0EED336886656827B31BC480F3027D72A50BFA92E7ABD5AD75318
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.,....M................@..............................S.....a.M...`... ............................

File Icon


Icon Hash:	4951468062846465

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x401384a0, 0x1, 0x40138470, 0x1, 0x4013bf00, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5929190c8765f5bc37b052ab5c6c53e7

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [004C0375h]
mov dword ptr [eax], 00000001h
call 00007F1628AD1FDFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [004C0355h]
mov dword ptr [eax], 00000000h
call 00007F1628AD1FBFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F1628C1408Ch
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F1628AD22F9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 10h
dec eax
mov ecx, dword ptr [00158619h]
dec eax
mov edx, dword ptr [0015860Ah]
dec eax
cmp eax, ecx
jnl 00007F1628AD233Ah
jnc 00007F1628AD2354h
dec eax
shl eax, 04h
dec eax
mov ecx, dword ptr [edx+eax]
dec eax
mov ebx, dword ptr [edx+eax+08h]
dec eax
mov eax, ecx
dec eax
add esp, 10h
pop ebp
ret
dec eax
test ecx, ecx
jbe 00007F1628AD232Fh
dec eax
mov eax, dword ptr [edx]
dec eax
mov ebx, dword ptr [edx+08h]
dec eax
add esp, 10h
pop ebp
ret
xor eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x524000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x525000	0x13d0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x529000	0x10d5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4c2000	0x7398	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52b000	0x56c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c11a0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52547c	0x440	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x142a30	0x142c00	ec60e9450167f49a2e3734f1215e2d8f	False	0.4552717733346243	data	6.2608703171217615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x144000	0x27b30	0x27c00	66b100cb0ab9e270ffb1292af60b6ddf	False	0.3416371855345912	data	4.14020611943253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x16c000	0x355fd0	0x356000	50c5b5722bfdab825047d1d6cf4de2bc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x4c2000	0x7398	0x7400	0d4944f904275b17f0ba20c90b6309e0	False	0.42120150862068967	data	5.498119784883578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x4ca000	0xc38	0xe00	0418035c41906d786a61478e845b8e57	False	0.2544642857142857	data	3.9697108368799037	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x4cb000	0x58860	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x524000	0x4e	0x200	a35245cf06a3071989cfb9fc14559e26	False	0.1328125	data	0.8426867641107897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x525000	0x13d0	0x1400	6a88646a8e1dfcf2a0b9107b9612c66e	False	0.3169921875	data	4.483269562379886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x527000	0x70	0x200	603a409fb97f7928c0617e2ab51b1a0b	False	0.080078125	data	0.4511542940585521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x528000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x529000	0x10d5	0x1200	2bf279738e4285db6e16a2026c40ba52	False	0.5733506944444444	data	5.997066503649664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x52b000	0x56c0	0x5800	158b93ec0088398751adcb6e3b3ef0af	False	0.3039772727272727	data	5.387308434369343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x52913c	0x79d	PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced			0.7855310415597743
RT_GROUP_ICON	0x5298dc	0x14	data			1.05
RT_VERSION	0x5298f0	0x378	data	English	United States	0.47072072072072074
RT_MANIFEST	0x529c68	0x46d	XML 1.0 document, ASCII text	English	United States	0.4510150044130627

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_cgo_dummy_export	1	0x140522a90

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T20:24:30.069059+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49705	5000	192.168.2.8	193.233.132.67
2024-07-25T20:25:13.610035+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49708	20.12.23.50	192.168.2.8
2024-07-25T20:24:33.064109+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49705	5000	192.168.2.8	193.233.132.67
2024-07-25T20:24:36.289495+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49706	20.12.23.50	192.168.2.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 20:24:30.045792103 CEST	49705	5000	192.168.2.8	193.233.132.67
Jul 25, 2024 20:24:30.051371098 CEST	5000	49705	193.233.132.67	192.168.2.8
Jul 25, 2024 20:24:30.051485062 CEST	49705	5000	192.168.2.8	193.233.132.67
Jul 25, 2024 20:24:30.069058895 CEST	49705	5000	192.168.2.8	193.233.132.67
Jul 25, 2024 20:24:30.076714993 CEST	5000	49705	193.233.132.67	192.168.2.8
Jul 25, 2024 20:24:33.064109087 CEST	49705	5000	192.168.2.8	193.233.132.67
Jul 25, 2024 20:24:33.069199085 CEST	5000	49705	193.233.132.67	192.168.2.8
Jul 25, 2024 20:24:51.465765953 CEST	5000	49705	193.233.132.67	192.168.2.8
Jul 25, 2024 20:24:51.465946913 CEST	49705	5000	192.168.2.8	193.233.132.67

Target ID:	0
Start time:	14:24:17
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_419.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_419.exe"
Imagebase:	0x7ff642110000
File size:	5'050'885 bytes
MD5 hash:	42B90E270AB9CC4D1F6354045048B538
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1507782336.000002BCE88A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1457225393.000002BCE89F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.1509621033.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.1510031771.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:24:28
Start date:	25/07/2024
Path:	C:\Program Files (x86)\AutoIt3\Au3Check.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\autoit3\Au3Check.exe"
Imagebase:	0x400000
File size:	234'088 bytes
MD5 hash:	3BE697D1A92115D5CA76A633A527DFB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	653
Total number of Limit Nodes:	20

Executed Functions

Function 0051B360 Relevance: 27.4, APIs: 11, Strings: 4, Instructions: 1105COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0051B3D1

Strings

_, xrefs: 0051BAC6
_, xrefs: 0051BB32
_, xrefs: 0051BB25
:, xrefs: 0051B443

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: DirectoryWindows
String ID: :$_$_$_
API String ID: 3619848164-4119709311
Opcode ID: 0a767f0d9061222dbf496a06ad616178ba4397ed77843cf8ab9939fc8b8dacdd
Instruction ID: 144fbe67849478809701c1046d592d1d5c763818b81d205a7229894bca57ba83
Opcode Fuzzy Hash: 0a767f0d9061222dbf496a06ad616178ba4397ed77843cf8ab9939fc8b8dacdd
Instruction Fuzzy Hash: 339290709002499FEB18CF68DC89BEDBFB5FF45304F1482A9E449A7282E7759A85CF50

Function 0052E0A0 Relevance: 12.1, APIs: 8, Instructions: 93
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0052E0CA
getaddrinfo.WS2_32(?,?,?,00647320), ref: 0052E15D
socket.WS2_32(?,?,?), ref: 0052E17E
connect.WS2_32(00000000,?,00000000), ref: 0052E192
closesocket.WS2_32(00000000), ref: 0052E19E
freeaddrinfo.WS2_32(?,?,?,?,00647320,?,?,?,?,?,?), ref: 0052E1AB
WSACleanup.WS2_32 ref: 0052E1B1
freeaddrinfo.WS2_32(?,?,?,?,00647320,?,?,?,?,?,?), ref: 0052E1C6

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 58224237-0
Opcode ID: 1dbee7ac01d11c3f207edcc2f62f04c2f9b17a49c32e817fbbe5caba0fd6d19f
Instruction ID: cac3c2b77853f7bcff5336494e2cb69a9d7d0fc41575315bd56aa2d47c9794b8
Opcode Fuzzy Hash: 1dbee7ac01d11c3f207edcc2f62f04c2f9b17a49c32e817fbbe5caba0fd6d19f
Instruction Fuzzy Hash: C5317E72604310AFD7209F25EC4976ABBE5FF85724F044B2DF9B8962E0D3359814CB92

Function 00573A40 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 00573A53
GetCursorPos.USER32(?), ref: 00573A59
Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00573DB6), ref: 00573B08
GetCursorPos.USER32(?), ref: 00573B0E
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00573DB6), ref: 00573BBA

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Cursor$Sleep
String ID:
API String ID: 1847515627-0
Opcode ID: 5b94d7a6f0a2fee03543c2f0ead46ddc954a7b4c5d191674bbc66f5b5d2c93bd
Instruction ID: 109e3ac0b1173c44c13e9c1300e26bde590a3ab1e53f643b58ef21546360212a
Opcode Fuzzy Hash: 5b94d7a6f0a2fee03543c2f0ead46ddc954a7b4c5d191674bbc66f5b5d2c93bd
Instruction Fuzzy Hash: 6451BA35A04219CFCB24CF58D8D5EA9BBB1FF48724B29859AD449AB311D731EE05EB80

Function 005FE813 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005FE4CC: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 005FE4E9

GetLastError.KERNEL32 ref: 005FE927
__dosmaperr.LIBCMT ref: 005FE92E
GetFileType.KERNELBASE(00000000), ref: 005FE93A
GetLastError.KERNEL32 ref: 005FE944
__dosmaperr.LIBCMT ref: 005FE94D
CloseHandle.KERNEL32(00000000), ref: 005FE96D
CloseHandle.KERNEL32(?), ref: 005FEABA
GetLastError.KERNEL32 ref: 005FEAEC
__dosmaperr.LIBCMT ref: 005FEAF3

Strings

H, xrefs: 005FEA78

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 537428f3d2f85738b8f2939a80b42b263b1d887533b52fe75c43d5593ccacdd7
Instruction ID: cd9ee92fd73fccb5f37b13421650b881d2e7d05a91940067c6664dce6f9cd352
Opcode Fuzzy Hash: 537428f3d2f85738b8f2939a80b42b263b1d887533b52fe75c43d5593ccacdd7
Instruction Fuzzy Hash: 7AA12432A001599FCF19AF68DC96BBD3FB2BB46314F14015DFA019B2A1DB399D06C752

Function 00604623 Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151553ef43e1e2bc9f9febcb4bf39ac9ae964ade4cb46c6b6e6c8b694a297cd3
Instruction ID: 109cc01d0d77480a202ffb14ea5874ef3c6ceaa841186f58249773a979873ac9
Opcode Fuzzy Hash: 151553ef43e1e2bc9f9febcb4bf39ac9ae964ade4cb46c6b6e6c8b694a297cd3
Instruction Fuzzy Hash: 8BB1D3B4A44249AFDB29DFA8D881BAF7BB3BF46304F144158F644973D1CB709942CBA1

Function 005EF290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0051220E

Strings

`!Q, xrefs: 005121FC
`!Q, xrefs: 00512216

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: bea4122cb0115a8b9d65407e7c28dc79c0f8986298e99f954259dd21c054b8b6
Instruction ID: 1c5126556307acc7506a7b22bebd4661648819c9edd32a102af14d01b999c4a3
Opcode Fuzzy Hash: bea4122cb0115a8b9d65407e7c28dc79c0f8986298e99f954259dd21c054b8b6
Instruction Fuzzy Hash: 03012B3940030DABCB18EFA9DC058AA7FEDBA00320B444439FB58DB591EB30E990C791

Function 0051A690 Relevance: 4.6, APIs: 3, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE ref: 0051A6BE
GetLastError.KERNEL32 ref: 0051A6C9
__Mtx_unlock.LIBCPMT ref: 0051A6EE

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLastMtx_unlock
String ID:
API String ID: 441747541-0
Opcode ID: ef09833f780a66896017453d8b4d86062b002d51d542c2492cbd5857399587a9
Instruction ID: 0349615ae64a19efd38a0a50a047703d525dc799bf83c99c267b3f5a77ece004
Opcode Fuzzy Hash: ef09833f780a66896017453d8b4d86062b002d51d542c2492cbd5857399587a9
Instruction Fuzzy Hash: B4F08171D47151167E3A96B56C5A4F93F0AB95332C72C4622E845C6553F607CCC18593

Function 005F4942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O_, xrefs: 005F4A93, 005F4A61, 005F4AAB, 005F4AC7

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: O_
API String ID: 0-2128823147
Opcode ID: c5f0ec7b1c6fc88c5d3552c0a52f83b287307c3b3ab2d58feece3c7eb62e9dd7
Instruction ID: 1626921da8c42e604611b2bb99c594bcf26711910522ccb0e1e1e219ed5d14a1
Opcode Fuzzy Hash: c5f0ec7b1c6fc88c5d3552c0a52f83b287307c3b3ab2d58feece3c7eb62e9dd7
Instruction Fuzzy Hash: 6E51A070A0010CAFDB14CF58C885ABBBFB6FF89364F248158E9899B252D2759E41CF94

Function 00604B12 Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,006049F9,00000000,CF830579,00641140,0000000C,00604AB5,005F8BBD,?), ref: 00604B68
GetLastError.KERNEL32(?,006049F9,00000000,CF830579,00641140,0000000C,00604AB5,005F8BBD,?), ref: 00604B72

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 3d9ce4fbcdb03520ecb0a5912ac885b713a4830c7c0afca97f1f0e1ace3bba7c
Instruction ID: c10d4ba88b41c38f99e868d3ce223be98d395987f124be8c56ebbeacbc602431
Opcode Fuzzy Hash: 3d9ce4fbcdb03520ecb0a5912ac885b713a4830c7c0afca97f1f0e1ace3bba7c
Instruction Fuzzy Hash: 9F112532AD42145AC73C2774A945BBF7B5B8B867B4F29021DFA088B2D2EF22DC418159

Function 005FE05C Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00640DF8,0051A3EB,00000002,0051A3EB,00000000,?,?,?,005FE166,00000000,?,0051A3EB,00000002,00640DF8), ref: 005FE098
GetLastError.KERNEL32(0051A3EB,?,?,?,005FE166,00000000,?,0051A3EB,00000002,00640DF8,00000000,0051A3EB,00000000,00640DF8,0000000C,005F915E), ref: 005FE0A5

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 93cdd5da7aea4e9ef497547a5c686bf92fa3bf4d0ebb8168052cd25fc50d6389
Instruction ID: 2ff2419506d98a44966b5bbe1b925a6fa90e768581c1e160a5e87b6d4cacebb8
Opcode Fuzzy Hash: 93cdd5da7aea4e9ef497547a5c686bf92fa3bf4d0ebb8168052cd25fc50d6389
Instruction Fuzzy Hash: E2012B36610109AFCF058F65CC0ACAF3F2AFB85324B240248F9119B1E1EA71ED41CBD0

Function 0051A210 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 0051A343

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: b4786ccb5abc9ce717ff485e748ee77bf778934dad8dbca2040e27a9d6ecf089
Instruction ID: f454b76df3c6e6b47d09ca7971dfbfa404390bf54b9db760909911edbbf78c03
Opcode Fuzzy Hash: b4786ccb5abc9ce717ff485e748ee77bf778934dad8dbca2040e27a9d6ecf089
Instruction Fuzzy Hash: D44126709012059FEB15DF68C849BAEBFF4FF41700F20896DF5159B282D7B99981CB92

Function 00580560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 005806AE

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5b8477abd5dfbafd0efb1f6b93b48d469f4d73f05dc056d89ab6e976788f4514
Instruction ID: f4df40b54ea0e01903499650bc81dd24ea63272c68eae7a981902edc8bdabf84
Opcode Fuzzy Hash: 5b8477abd5dfbafd0efb1f6b93b48d469f4d73f05dc056d89ab6e976788f4514
Instruction Fuzzy Hash: D041E372A001199BCB15EF69DC806AE7FA5BF88350F140569FC05EB382E730DD648BE1

Function 00606A18 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00606A52

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8724513643eea024314cd992aba80936861fde2c76bcb2830cae26b6e57b53eb
Instruction ID: e2ec2eeca04dbcec3af327adc70d07eb0f27b612226570652ba90cce4d3ed369
Opcode Fuzzy Hash: 8724513643eea024314cd992aba80936861fde2c76bcb2830cae26b6e57b53eb
Instruction Fuzzy Hash: C61145B1A0020AAFCB09DF58E9459DB7BF5EF48308F104069F808EB351D630EA21CBA4

Function 00606E2D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,0060D635,4D88C033,?,0060D635,00000220,?,006057EF,4D88C033), ref: 00606E5F

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f277032d07f74d98d26ee67a4081d6e3cf48d9ad72ec3fcc61f729327466e9ae
Instruction ID: 405eab3e05091c55a44e066254b1307802ad3694a5dfa42e2ccc3a23f6b6e793
Opcode Fuzzy Hash: f277032d07f74d98d26ee67a4081d6e3cf48d9ad72ec3fcc61f729327466e9ae
Instruction Fuzzy Hash: FFE0E5391C87255ADB382A65DC0479B7B5B9B817E1F040121FD05D62D1CB20CD2081E8

Function 005FE4CC Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 005FE4E9

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7efdeef83c5fd10c923e3c940ec20b2c2a22c038daffbfa16762055254062c6f
Instruction ID: d4ec3953310a42f1145e6c9d46ee810abcd2f47364c341068cdf969d7cebf13a
Opcode Fuzzy Hash: 7efdeef83c5fd10c923e3c940ec20b2c2a22c038daffbfa16762055254062c6f
Instruction Fuzzy Hash: 10D06C3200010DFBDF028F84DC06EDA3BAAFB88724F018010BE1856020C732E861EB90

Non-executed Functions

Function 00569440 Relevance: 163.9, APIs: 70, Strings: 19, Instructions: 8125COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0056B6A4

Strings

_, xrefs: 0057014B
-, xrefs: 00570CA7
\, xrefs: 0056ECFF
\, xrefs: 0056A4DA
-, xrefs: 00570FAE
\, xrefs: 005701F7
_, xrefs: 0056F04E
, xrefs: 00571152
_, xrefs: 0056DF0F
\, xrefs: 0056DB80
\, xrefs: 0056FD6F
, xrefs: 0056BAF4
\, xrefs: 0056B7DD
\, xrefs: 0056F0DB
\, xrefs: 0056A7C0
\, xrefs: 0056FF32
\, xrefs: 0056DFBC
\, xrefs: 0056DD24
type must be boolean, but is , xrefs: 0056C5D1, 0056C623, 0056C685, 0056C6D7

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID: $ $-$-$\$\$\$\$\$\$\$\$\$\$\$_$_$_$type must be boolean, but is
API String ID: 4241100979-3297522916
Opcode ID: 74a2649cc73b63e85cbb92f078080c665b0e644dc4d3d35cf837e04065200db4
Instruction ID: d24c8ae9fb2ca65fd9d65074adc5e14bd2aacf0b955cc93019a63677e7ec256f
Opcode Fuzzy Hash: 74a2649cc73b63e85cbb92f078080c665b0e644dc4d3d35cf837e04065200db4
Instruction Fuzzy Hash: A0F3CA709042598FEB29CF28CC997EEBFB5BF45304F1481E9D049A7292EB709A85CF51

Function 0051E150 Relevance: 91.0, APIs: 48, Strings: 3, Instructions: 1776fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?,?,BEBDB8CD,?,?,BEBDB8CD,BEBDB8CE), ref: 0051E29B

Strings

y, xrefs: 0052337B
\, xrefs: 0051FF16
., xrefs: 0051E2C0

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .$\$y
API String ID: 1974802433-705995259
Opcode ID: d5cf5c937341de7555c206c065dd4ed148498b14d134b9fa0f6b233247d5766d
Instruction ID: 0debe1d1cefbe2e016e1a1b6a5c0d7a2f3d86c31578789a040498b0f3841bbd5
Opcode Fuzzy Hash: d5cf5c937341de7555c206c065dd4ed148498b14d134b9fa0f6b233247d5766d
Instruction Fuzzy Hash: 96D21770D002499BEF18DFA8DC8A6EDBF76BF55300F14826CE855A7292E7309A85CB51

Function 0051C430 Relevance: 83.7, APIs: 43, Strings: 4, Instructions: 1449registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,C0D5DDC2,00000000,00020019,00000000), ref: 0051C6DD
RegQueryValueExA.ADVAPI32(00000000,FCF0F3DC,00000000,00020019,?,00000400), ref: 0051C753
RegCloseKey.ADVAPI32(00000000), ref: 0051C788
GetCurrentHwProfileA.ADVAPI32(?), ref: 0051C82F

Strings

styzix_build, xrefs: 0051C527, 0051C52E, 0051C564
@, xrefs: 0051D7D3
1.8, xrefs: 0051C575, 0051C583, 0051C5BD
?, xrefs: 0051DCB9

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProfileQueryValue
String ID: 1.8$?$@$styzix_build
API String ID: 1240309278-2967258260
Opcode ID: 74622d2d23146962ea74465dab412a5a05e0b8a596b50d840ed6e11caf542412
Instruction ID: 965cbe2944e9e4dca211cb5164a7a934ebb86f62df10307db8c94f357ab5bea7
Opcode Fuzzy Hash: 74622d2d23146962ea74465dab412a5a05e0b8a596b50d840ed6e11caf542412
Instruction Fuzzy Hash: 90E226B180422D9EEF20DF60DC49BEEBBB9BF54304F4440D9E549A6242EB715B89CF61

Function 00553160 Relevance: 74.4, APIs: 40, Strings: 1, Instructions: 2616fileCOMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 005531F0
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0055324C
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00553B09
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00553C91
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00553D3B
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00553EE2
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00553F7A
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005540B7
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0055414E
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005542D0
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00554365
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0055327D

Part of subcall function 0051A690: GetFileAttributesA.KERNELBASE ref: 0051A6BE
Part of subcall function 0051A690: GetLastError.KERNEL32 ref: 0051A6C9
Part of subcall function 0051A690: __Mtx_unlock.LIBCPMT ref: 0051A6EE

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 005533B8
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005533E7
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005534E6
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 005535BD
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0055361B
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00553756
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 005537E4
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0055395B

Strings

l, xrefs: 005560FC

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CreateDirectory$File$Copy$FolderPath$AttributesErrorLastMtx_unlock
String ID: l
API String ID: 3772196144-2517025534
Opcode ID: 59c3ee000f34ae73ca3c17306f4d4dded7e11705d2677ff8e17237c7c4e2ceae
Instruction ID: 1851345905ba4f1335b944a6c8d7cfeadd7f6bccd6c7ec7696aa36ee3d783bca
Opcode Fuzzy Hash: 59c3ee000f34ae73ca3c17306f4d4dded7e11705d2677ff8e17237c7c4e2ceae
Instruction Fuzzy Hash: C243A0B4C042699AEF25EB64DC5ABDDBB74BF54304F0441D9D84967282EB701BC8CFA2

Function 0054E2D0 Relevance: 52.5, APIs: 22, Strings: 7, Instructions: 1770COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?), ref: 0054E327
GetFileAttributesA.KERNEL32(?,?,F8F6C6CE,?,?), ref: 0054E449
GetLastError.KERNEL32(?,F8F6C6CE,?,?), ref: 0054E456
__Mtx_unlock.LIBCPMT ref: 0054E475
GetFileAttributesA.KERNEL32(?,F5F7E6CE,?,?,F8F6C6CE,?,?), ref: 0054E540
GetLastError.KERNEL32(?,?,F8F6C6CE,?,?), ref: 0054E547
__Mtx_unlock.LIBCPMT ref: 0054E566

Strings

s, xrefs: 0054F68B
\, xrefs: 0054F698
\, xrefs: 0054F437
\, xrefs: 0054F139
., xrefs: 0054E751
\, xrefs: 0054EEAA
s, xrefs: 0054F42A

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLastMtx_unlock$FolderPath
String ID: .$\$\$\$\$s$s
API String ID: 3673586248-1144724142
Opcode ID: c5b35c3c0de7a5c6547ee5e1fc31e57aadc931bfb04b53c93f4a64a620e158f6
Instruction ID: 10219ed061191ef3858e1867691b92154a9b46c4a14170a9559d69b539a6b69c
Opcode Fuzzy Hash: c5b35c3c0de7a5c6547ee5e1fc31e57aadc931bfb04b53c93f4a64a620e158f6
Instruction Fuzzy Hash: A8F2B0709002598FDB28CF68CC99BEDBFB5BF45304F1482E9E449A7282E7749A85CF51

Function 0054B480 Relevance: 41.7, APIs: 14, Strings: 9, Instructions: 1484COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0054B596
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0054B6B5
GetPrivateProfileStringA.KERNEL32(?,FCE7F3C1,00000000,?,00000104,?), ref: 0054B76A

Strings

/, xrefs: 0054B937
LX+N, xrefs: 0054BDD2
T.ft, xrefs: 0054BDDC
), xrefs: 0054BFD8
%IUL, xrefs: 0054BDC8
\, xrefs: 0054B773
423-, xrefs: 0054BDBE
1S@W, xrefs: 0054BDE6
\, xrefs: 0054BA44

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FolderNamesPathSectionString
String ID: %IUL$)$/$1S@W$423-$LX+N$T.ft$\$\
API String ID: 1539182551-1036846380
Opcode ID: 7d2ff3bd2206225e7a5e1d4c8feda82bfec30de03a5eb7b210212ddde3d3b383
Instruction ID: f4b59638a300917936386fcc22618fa09b142cd821bac7e38d03d6a549b507e1
Opcode Fuzzy Hash: 7d2ff3bd2206225e7a5e1d4c8feda82bfec30de03a5eb7b210212ddde3d3b383
Instruction Fuzzy Hash: C4D2BD709042599FDB28CF68CC99BEDBFB5BF45308F1441E9E449AB282D7709A84CF91

Function 00556230 Relevance: 29.1, APIs: 13, Strings: 2, Instructions: 2835COMMON

Download Yara Rule

Strings

styzix_build, xrefs: 00556592
P, xrefs: 005591E2

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: P$styzix_build
API String ID: 118556049-1643158637
Opcode ID: b98a9700821180d8546c6a2616d5c088904ad59dd7e02ab2e14466a7b202e238
Instruction ID: 911f59d124184d0b2fafd50eb57e465d0cdd164d5b6a234b0341ae034b03c148
Opcode Fuzzy Hash: b98a9700821180d8546c6a2616d5c088904ad59dd7e02ab2e14466a7b202e238
Instruction Fuzzy Hash: 29537D7081425D9ADF25EB64DC6ABEDBB78BF54304F4440D9E84963282EB701F89CF62

Function 00551220 Relevance: 25.5, APIs: 13, Strings: 1, Instructions: 963registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00647420,00000000), ref: 0055130F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0055134A
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00551375
RegQueryValueExA.ADVAPI32(?,FDF2FFD4,00000000,00000001,?,00000104), ref: 00551475
RegQueryValueExA.ADVAPI32(?,C4D2DFD8,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 005515BF
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 00551610
RegQueryValueExA.ADVAPI32(?,C4D2DFD8,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 005516BC
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 00551717
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 00551772
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 005517C9
RegCloseKey.ADVAPI32(?), ref: 0055204D
RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 0055207C
RegCloseKey.ADVAPI32(?), ref: 00552090

Strings

cannot use operator[] with a string argument with , xrefs: 005520EB

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseEnumOpen
String ID: cannot use operator[] with a string argument with
API String ID: 2041898428-2766135566
Opcode ID: a3ebc4535adffc76adf3b3738b3dcd7947c2baccb1005750a0726a6149ebcf53
Instruction ID: 32be46e609e94597c80adf459f73f746bb7487762cc4922aae0d6a0e24e7ac66
Opcode Fuzzy Hash: a3ebc4535adffc76adf3b3738b3dcd7947c2baccb1005750a0726a6149ebcf53
Instruction Fuzzy Hash: 94928A708002599EDB25DF64CC59BEEBFB8BF59304F1081DAD449A7282EB715B88CF61

Function 0051A750 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

\*.*, xrefs: 0051A7E7

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: \*.*
API String ID: 0-1173974218
Opcode ID: 93ef508fa6cf0f6dbca4859de52fd87fa03b99330e4d914690ae835272948ffe
Instruction ID: cea07eb826e6328f1d7d80f018d8b7dbc1bcdc1ab26125d763f15a707ed1e0c9
Opcode Fuzzy Hash: 93ef508fa6cf0f6dbca4859de52fd87fa03b99330e4d914690ae835272948ffe
Instruction Fuzzy Hash: B3A1A170901249DFEB19DFA8C988BEEBFB6FF48310F144529E445E7282D7709985CB62

Function 005A0610 Relevance: 22.1, APIs: 3, Strings: 9, Instructions: 1060COMMON

Download Yara Rule

Strings

Inf, xrefs: 005A0E1E
+Inf, xrefs: 005A0E15
gfff, xrefs: 005A10BC
+, xrefs: 005A0C3A
NaN, xrefs: 005A0CD7
, xrefs: 005A0E79, 005A0EA1, 005A14D7, 005A14F7
-Inf, xrefs: 005A0DF2
-x0, xrefs: 005A0BC1
0123456789ABCDEF0123456789abcdef, xrefs: 005A0B1B

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: $+$+Inf$-Inf$-x0$0123456789ABCDEF0123456789abcdef$Inf$NaN$gfff
API String ID: 0-3242634575
Opcode ID: 6be73e1bee1737f9b0bf3526189eda0d078409bb85fa4aed6e23f403afaaf2ef
Instruction ID: 9339eb918f032133901ee87b91e32ea65193c69ed80769c87147ffc464a990b4
Opcode Fuzzy Hash: 6be73e1bee1737f9b0bf3526189eda0d078409bb85fa4aed6e23f403afaaf2ef
Instruction Fuzzy Hash: F8821371A187828BD7268F28C49436FBFE0BBC7344F185D9DE4C597292E635C949CB82

Function 0053C470 Relevance: 20.1, APIs: 1, Strings: 9, Instructions: 2614COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 0053C54A

Part of subcall function 0057C860: std::locale::_Init.LIBCPMT ref: 0057C996

Strings

\, xrefs: 0053D723
\, xrefs: 0053D478
\, xrefs: 0053DD19
A, xrefs: 0053EA2C
cannot use operator[] with a string argument with , xrefs: 0053EA0F
\, xrefs: 0053D6A5
\, xrefs: 0053D0FB
\, xrefs: 0053D090
\, xrefs: 0053DCB2

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FolderInitPathstd::locale::_
String ID: A$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
API String ID: 2462228025-727479227
Opcode ID: 2b9d0cd6590cfde177b2f0c86f81aa106fa5901ae1f0a707f6768f6b5ed6ef50
Instruction ID: 68f6583f34444414230fd5932c8409c5f04c29849d20f0eaab03894cc716c804
Opcode Fuzzy Hash: 2b9d0cd6590cfde177b2f0c86f81aa106fa5901ae1f0a707f6768f6b5ed6ef50
Instruction Fuzzy Hash: 50339F719002598FDB28DF68CC897EEBFB5BF45304F1481D9E449A7282D770AA85CFA1

Function 005458A0 Relevance: 17.7, APIs: 6, Strings: 3, Instructions: 1946stringCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 0054595D
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,00000000), ref: 005459FE
GetPrivateProfileStringA.KERNEL32(?,FCE7F3C1,00000000,?,00000104,?), ref: 00545AAC
lstrlenA.KERNEL32(?), ref: 005475CA

Strings

cannot use operator[] with a string argument with , xrefs: 0054775D
;, xrefs: 00547485
\, xrefs: 00545AB5

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
String ID: ;$\$cannot use operator[] with a string argument with
API String ID: 1311570089-3867962221
Opcode ID: c4412d9c6a5f852854636bf8b3f2b3c3a558c3c5dc3f673ef1c877b1682ad5de
Instruction ID: d9a9554f5b266b18e0169d9e9fa19ba5db562fc379c648de69d74879d6ac7631
Opcode Fuzzy Hash: c4412d9c6a5f852854636bf8b3f2b3c3a558c3c5dc3f673ef1c877b1682ad5de
Instruction Fuzzy Hash: 6803BC709042598BDF29DB24CC99BEDBF75BF55308F0441D8E449A7282EB705B89CFA2

Function 005477E0 Relevance: 17.0, APIs: 4, Strings: 5, Instructions: 1285COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 005478F6
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00547A33
GetPrivateProfileStringA.KERNEL32(?,FCE7F3C1,00000000,?,00000104,?), ref: 00547AEA

Strings

/, xrefs: 00547C9D
cannot use operator[] with a string argument with , xrefs: 0054895A, 005489B2
\, xrefs: 00547DAA
\, xrefs: 00547AF3
, xrefs: 00548394

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FolderNamesPathSectionString
String ID: $/$\$\$cannot use operator[] with a string argument with
API String ID: 1539182551-3367344905
Opcode ID: 88fa7e9d4ac504f75e55cac4d6468e8ac9c8b8596f61dc67357326595495b02c
Instruction ID: 37bed82444e33ef7d02f8d84fad5ab8fd8a86924aee7d0001635e11bfa369b31
Opcode Fuzzy Hash: 88fa7e9d4ac504f75e55cac4d6468e8ac9c8b8596f61dc67357326595495b02c
Instruction Fuzzy Hash: 4DC2C1709042599FDB28CF64CC49BEDBFB5BF45304F1481E9D449AB282EB749A88CF91

Function 005191A0 Relevance: 16.9, APIs: 5, Strings: 4, Instructions: 1127processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00519283
Process32First.KERNEL32(00000000,00000128), ref: 00519293
Process32Next.KERNEL32(00000000,00000128), ref: 005192B0

Strings

/\/, xrefs: 0051956A, 0051959C
k:R, xrefs: 0051950F, 005194F0
/, xrefs: 005194E2
\, xrefs: 00519528

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID: /$/\/$\$k:R
API String ID: 1238713047-4104199226
Opcode ID: a5532653b63562a5f2077e431d5726220666d687bdcd84f60ada98ca753d347d
Instruction ID: 34c8f9642be17b32a3256bc95882219b530ac5a1136b3e202f5b2f5ba3852d2f
Opcode Fuzzy Hash: a5532653b63562a5f2077e431d5726220666d687bdcd84f60ada98ca753d347d
Instruction Fuzzy Hash: 7892F571D002499FEF19CFA8C8A46EEBFB5BF45314F14426DD445AB282E7305E86CBA1

Function 005955B0 Relevance: 15.2, APIs: 10, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 005955FC
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 0059563E
GetProcAddress.KERNEL32(00000000,E4E7E6D9), ref: 00595686
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 005956C7
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 00595708
GetProcAddress.KERNEL32(00000000,E4E7E6D9), ref: 00595746
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 0059578E
GetProcAddress.KERNEL32(00000000,E4E7E6D9), ref: 005957D6
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 00595817
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 0059585D

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4b754765c7de2766ed18039b3f4a1b09bc732e9621cc5057ea13f0b15216dd1e
Instruction ID: d295fe6d2213ccf14067a8061b50dd42fd58c7a2cb02a829134d74316b2cf658
Opcode Fuzzy Hash: 4b754765c7de2766ed18039b3f4a1b09bc732e9621cc5057ea13f0b15216dd1e
Instruction Fuzzy Hash: 878192B481429C9EDF19CFA4D445AEEBFB9FF06304F5080AED441AB641E378430ACB66

Function 005E5100 Relevance: 14.3, Strings: 10, Instructions: 1841COMMON

Download Yara Rule

Strings

., xrefs: 005E5AF4
,, xrefs: 005E5B09
@, xrefs: 005E5167
Q, xrefs: 005E5B17
H, xrefs: 005E5B1E
+, xrefs: 005E5AFB
@, xrefs: 005E5AE0
-, xrefs: 005E5B02
.,+-, xrefs: 005E5723
>, xrefs: 005E5AEA

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: +$,$-$.$.,+-$>$@$@$H$Q
API String ID: 0-262771488
Opcode ID: 2bb66d51075f4c401b0db156811db391b67e66e397475115847e4b2db615038b
Instruction ID: 8752559fba0ace90c3a357913066fd11b23a9f1e9c103f160f80f9d3d9435b13
Opcode Fuzzy Hash: 2bb66d51075f4c401b0db156811db391b67e66e397475115847e4b2db615038b
Instruction Fuzzy Hash: 3C13A870A00685CFCB28DF59C480BAABBB1FF48348F15819DD985AB392E775E915CF90

Function 005248E0 Relevance: 13.1, APIs: 8, Instructions: 1127comregistryCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 00524934
CoCreateInstance.OLE32(0062B154,00000000,00000001,00632798,00000000), ref: 0052496E
RegCreateKeyExA.ADVAPI32(?,C0D5DDC2,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 00524A3A

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Create$InitializeInstance
String ID:
API String ID: 3883656743-0
Opcode ID: 0dcb75c88546d6ed7b7e024f476c0feed2ab7078d194b67b758b1a4e18620ede
Instruction ID: 95e681c302dacdf8b56981db11a2f65a7d0e046736e0aea04dc8fe06325e9a65
Opcode Fuzzy Hash: 0dcb75c88546d6ed7b7e024f476c0feed2ab7078d194b67b758b1a4e18620ede
Instruction Fuzzy Hash: DFB28770A142698FDB28CF48D8A4BAEBBB1FF45704F14409DD4496F292E771AE45CF90

Function 005388A0 Relevance: 13.0, APIs: 2, Strings: 4, Instructions: 2469COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 00538971

Part of subcall function 0057C860: std::locale::_Init.LIBCPMT ref: 0057C996

Strings

1, xrefs: 00539EA1
1, xrefs: 00539AC1
cannot use operator[] with a string argument with , xrefs: 0053ACED, 0053AD25, 0053ADBD
P, xrefs: 0053ADD4

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FolderInitPathstd::locale::_
String ID: 1$1$P$cannot use operator[] with a string argument with
API String ID: 2462228025-2196587224
Opcode ID: cb5b5d42d7f3dcba1c794231bcc1c37cb5dafbc565328684466c3435d91feb68
Instruction ID: 495303cb16f150fd199514d0a133b7937743d5fbf0ec0609980834351390b520
Opcode Fuzzy Hash: cb5b5d42d7f3dcba1c794231bcc1c37cb5dafbc565328684466c3435d91feb68
Instruction Fuzzy Hash: 2933AFB0D002598BDB25DF64CC99BEEBFB4BF55304F1441D8E449A7282EB705B89CB92

Function 005411D0 Relevance: 11.7, Strings: 9, Instructions: 443COMMON

Download Yara Rule

Strings

, xrefs: 00545453
\, xrefs: 00542F7D
\, xrefs: 00543010
-, xrefs: 00541BAE
cannot use operator[] with a string argument with , xrefs: 0054538C, 005453E1, 00545436
\, xrefs: 00542A67
;, xrefs: 005445C4
-, xrefs: 00541B8E
authorization: , xrefs: 005412C4

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: $-$-$;$\$\$\$authorization: $cannot use operator[] with a string argument with
API String ID: 1646373207-2790917795
Opcode ID: a0704703ff41f95840d6c1a40cf62073c665fc4bb64bed1915ae0f7227094da3
Instruction ID: 1726c2c7295f21a312b46300aecbc9cf27d7f63e3f92ad48f9d3303e9e22e77a
Opcode Fuzzy Hash: a0704703ff41f95840d6c1a40cf62073c665fc4bb64bed1915ae0f7227094da3
Instruction Fuzzy Hash: 3402D170D002498FDB08DFA8D8897DEBFB5BF49304F14816DE41AEB682D7349984CB95

Function 00610630 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00610738
IsValidCodePage.KERNEL32(00000000), ref: 00610776
IsValidLocale.KERNEL32(?,00000001), ref: 00610789
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006107D1
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006107EC

Strings

`Db, xrefs: 006106E5

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: `Db
API String ID: 415426439-2151651399
Opcode ID: a774324960514bf7e47775b86eee49274d3166e292b8f3856b81aec5450ae46d
Instruction ID: cea180f9ada95ffaab8fc2f0e31e664feea79005358fe1332d94b11a1dc7d497
Opcode Fuzzy Hash: a774324960514bf7e47775b86eee49274d3166e292b8f3856b81aec5450ae46d
Instruction Fuzzy Hash: 0E518471A04205AFEF50DFA4CC41AEF77BABF48700F184469E515E7291DBB1A9C4CB64

Function 005A47F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 005A47FB
GetVersionExA.KERNEL32(?), ref: 005A4820
FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 005A4853
LocalFree.KERNEL32(?), ref: 005A486A
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 005A48A3

Part of subcall function 005A3710: AreFileApisANSI.KERNEL32 ref: 005A371C
Part of subcall function 005A3710: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 005A3731
Part of subcall function 005A3710: MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000), ref: 005A3757

Strings

OsError 0x%x (%u), xrefs: 005A48BE

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ByteCharFormatMessageMultiWide$ApisErrorFileFreeLastLocalVersion
String ID: OsError 0x%x (%u)
API String ID: 807219750-2664311388
Opcode ID: a528d8c95632313fcb7761a486af0256c4a9dcf590806df0abb6d5e543c9f0a2
Instruction ID: fbdb5d45437fded61e81d5658e96869aa03656ff335a7647fc71d8fb1669fcba
Opcode Fuzzy Hash: a528d8c95632313fcb7761a486af0256c4a9dcf590806df0abb6d5e543c9f0a2
Instruction Fuzzy Hash: E821CB35A00209FBEB209FA1EC0AF9E7FB9FB85751F144069F909A6191DB705A11CE64

Function 00533330 Relevance: 10.5, APIs: 1, Strings: 4, Instructions: 1726COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,FBE7E7F0), ref: 00533453

Strings

\, xrefs: 00533DED
cannot use operator[] with a string argument with , xrefs: 005349FB, 00534A53
&, xrefs: 00534A18
\, xrefs: 00533D65

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: &$\$\$cannot use operator[] with a string argument with
API String ID: 1514166925-52429261
Opcode ID: 5f919d01a9d6b41b5ab30d5ceab17a2acfda4c3d86bdfcc93d922ec34dccf0a5
Instruction ID: 033a29b7cb64f61e935033b811d2884b7fd150a0db67442f7ad7a0392ea486c1
Opcode Fuzzy Hash: 5f919d01a9d6b41b5ab30d5ceab17a2acfda4c3d86bdfcc93d922ec34dccf0a5
Instruction Fuzzy Hash: F6E2AF719002598FDF28CF68CC997EDBFB5BF45300F1481A9E449AB282D774AA85CF91

Function 0055A900 Relevance: 10.1, APIs: 1, Strings: 3, Instructions: 3117COMMON

Download Yara Rule

Strings

z, xrefs: 0055F20D
:, xrefs: 0055AC6E
type must be boolean, but is , xrefs: 0055C5DA

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: :$type must be boolean, but is $z
API String ID: 0-1047511338
Opcode ID: d127fc94397f76d8c3743963eec90a2f3643f209d582133f42a85eacdbcffcaa
Instruction ID: dabb6906a3cdd4a572abc8de882db35be6901aae1da934129939395ea9cf658c
Opcode Fuzzy Hash: d127fc94397f76d8c3743963eec90a2f3643f209d582133f42a85eacdbcffcaa
Instruction Fuzzy Hash: 49639AB18042699ADF25EF68C8297EEBF75BF45300F5442C9D84937282D7711B89CFA2

Function 00610454 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00610766,00000002,00000000,?,?,?,00610766,?,00000000), ref: 006104ED
GetLocaleInfoW.KERNEL32(?,20001004,00610766,00000002,00000000,?,?,?,00610766,?,00000000), ref: 00610516
GetACP.KERNEL32(?,?,00610766,?,00000000), ref: 0061052B

Strings

OCP, xrefs: 006104A8
ACP, xrefs: 00610472

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 8779f752ec26bc537e469adf8f0eb0d9de74fac0e04ab07ea39aed8d74cc262e
Instruction ID: 6921c22a5b73752f2e79181c7c085aa43c13f970720e2cf6a69524655fe3ab9a
Opcode Fuzzy Hash: 8779f752ec26bc537e469adf8f0eb0d9de74fac0e04ab07ea39aed8d74cc262e
Instruction Fuzzy Hash: E221B622700105E6FF308F64DA41AEB76E7AF54B64B5E8474EA0ADB214EBB2DDC1C750

Function 00595240 Relevance: 7.8, APIs: 5, Instructions: 250networkCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(?), ref: 00595403
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,7556F380), ref: 00595475
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,7556F380), ref: 0059548C
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,7556F380), ref: 005954A5

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CharNext$CloseHandleInternet
String ID:
API String ID: 581584189-0
Opcode ID: 7d28dc5c691a0dd1b4395843922dd54029e115c9f1ffaa38c874db2298a0954c
Instruction ID: 89a3e24a2ad303a942da38ddaa8079e7779fe52c009ba1fb59335f1ce82a20c5
Opcode Fuzzy Hash: 7d28dc5c691a0dd1b4395843922dd54029e115c9f1ffaa38c874db2298a0954c
Instruction Fuzzy Hash: 3E81DF71A0060AABDF15CFA9DC51BEEBFB9FF49340F144069E908A3251E7709E518BA0

Function 005E6970 Relevance: 7.0, Strings: 5, Instructions: 751COMMON

Download Yara Rule

Strings

@, xrefs: 005E6E34
@, xrefs: 005E72F7
cannot use index: %s, xrefs: 005E6F5F
@, xrefs: 005E6F35
at most %d tables in a join, xrefs: 005E699B

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: @$@$@$at most %d tables in a join$cannot use index: %s
API String ID: 0-2763088227
Opcode ID: 1286752b9f09bfa8f2432ed54c98a53eafb320fb6d87578785542d0b8dd6d505
Instruction ID: 6b1db7804b3f3852fbd61b87660f081a4532629b76e1a1745c7b56d50d8a857a
Opcode Fuzzy Hash: 1286752b9f09bfa8f2432ed54c98a53eafb320fb6d87578785542d0b8dd6d505
Instruction Fuzzy Hash: 756299706083828FD718CF19C484B2BBBE1BF99394F158A6DE8D59B391D770E845CB92

Function 00599880 Relevance: 7.0, Strings: 5, Instructions: 748COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00599FE8
unknown compression method, xrefs: 00599A3F, 00599B22
invalid window size, xrefs: 00599ACF
unknown header flags set, xrefs: 00599B39
incorrect header check, xrefs: 00599ADE

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
API String ID: 0-3633268661
Opcode ID: 14f713258f6c30de99bad4f5c99af0fc1fac02f81c569464100306b633e8a28b
Instruction ID: 9d400d10de0f3470d0e31f2d085479bed0817f6b0bcfe29771d4ee7a4b48a2d9
Opcode Fuzzy Hash: 14f713258f6c30de99bad4f5c99af0fc1fac02f81c569464100306b633e8a28b
Instruction Fuzzy Hash: 4A625CB0E002159BDF14CF5DC5846ADBFB2BF88308F2885ADD808AB356D735D946CB91

Function 005F84A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: fa72119d763c41ce507c4b5e08828b50c96f072b29f168590d063ceb56f1789b
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: CF023C71E012199BDF14CFA9C9806BEFBF1FF88314F248669D619E7381DB35A9418B90

Function 0052C0A0 Relevance: 6.3, Strings: 4, Instructions: 1274COMMON

Download Yara Rule

Strings

https://www.maxmind.com/en/locate-my-ip-address, xrefs: 0052D28A
C, xrefs: 0052DF64
https://ipinfo.io/, xrefs: 0052CABC
Content-Type: application/x-www-form-urlencoded, xrefs: 0052C1B1, 0052C43F, 0052CDA2

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressConcurrency::cancel_current_taskHandleModuleProc
String ID: C$Content-Type: application/x-www-form-urlencoded$https://ipinfo.io/$https://www.maxmind.com/en/locate-my-ip-address
API String ID: 2385143733-2400714340
Opcode ID: a4d9850abf7888587847929ef497dce24d0e2f451c3598609469d549ffb619b8
Instruction ID: d8432a5da1ae175fc55bdda7341a7f5c057a8cbdde4add86962f88158ce2db84
Opcode Fuzzy Hash: a4d9850abf7888587847929ef497dce24d0e2f451c3598609469d549ffb619b8
Instruction Fuzzy Hash: 03C28B709042699ADF24EB64DC5ABEEBF75BF95304F0440D8E44977282EB701B89CF62

Function 005A4110 Relevance: 6.2, APIs: 4, Instructions: 225fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 005A4208
CreateFileA.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 005A4210

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 79ba54dee12a99d5e1f57adf10db26b1d13320eb8772cbdecd632756f3e3447e
Instruction ID: 3676b17facff502085dcb45424836d17350e3ee2611662772394f07abfecafd0
Opcode Fuzzy Hash: 79ba54dee12a99d5e1f57adf10db26b1d13320eb8772cbdecd632756f3e3447e
Instruction Fuzzy Hash: A071EDB16043018BDB10CF68D845BAFBBE9FFC6314F04492EF99986251E775C985CB92

Function 005A4670 Relevance: 6.1, APIs: 4, Instructions: 61timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 005A468A
GetCurrentProcessId.KERNEL32 ref: 005A46B5
GetTickCount.KERNEL32 ref: 005A46CA
QueryPerformanceCounter.KERNEL32(?), ref: 005A46E1

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4122616988-0
Opcode ID: 97fe228d6c22aeb01a6a25a303f63774e305b3b128eecb279eae291899a5a0ae
Instruction ID: 48371d23f9f3a07e7bd576459557e1182cf3547f86edcaf45f2c2e9010a357fc
Opcode Fuzzy Hash: 97fe228d6c22aeb01a6a25a303f63774e305b3b128eecb279eae291899a5a0ae
Instruction Fuzzy Hash: 10115B76A00628DBCB10CFA8D8885DDFBF5FB4A320B448476EC49D7315D631E941CB90

Function 005ED793 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002,?,?,?,0051363F,?,?,?,?,?,?,0061514D,000000FF), ref: 005ED7A8
FormatMessageA.KERNEL32(00001300,00000000,?,?,00000000,00000000,00000000,?,?,?,0051363F,?,?), ref: 005ED7CA

Strings

!x-sys-default-locale, xrefs: 005ED7A3

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 0b9833f857ee08166cb84dd1def236c6740cd911ef31909d675f0d8fd7dd1401
Instruction ID: a73c66b1b6d155f5a0acc7396bda06b4e7d6c0f644a339e228b431a9513d6d4b
Opcode Fuzzy Hash: 0b9833f857ee08166cb84dd1def236c6740cd911ef31909d675f0d8fd7dd1401
Instruction Fuzzy Hash: 29E039B6550118FEFB04DBA0CC0BEEB7B6DEB04750B048125B905D2190E6B16E0096A0

Function 006100D8 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0061012C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00610176
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0061023C

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: a1228b19fd6b5f68162f453634e6f67cb38646d158cff2a757f64013bcd604b7
Instruction ID: acff281ffb4f7c04b33e7ba8199395a31f602d0a8f58c8705136e7de43cac57e
Opcode Fuzzy Hash: a1228b19fd6b5f68162f453634e6f67cb38646d158cff2a757f64013bcd604b7
Instruction Fuzzy Hash: 7C61A07154420B9FEF68DF24CC86BEA77AAEF14300F18416AE915C6689F7B4DAC1CB50

Function 005F45A4 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005F469C
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005F46A6
UnhandledExceptionFilter.KERNEL32(005F4484,?,?,?,?,?,00000000), ref: 005F46B3

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3e5dd56b1fb5298e7fb7ab45f600f5bf7168b0abf22b21694986f8e3c7a7ff96
Instruction ID: 905088620edd0f85bb75edbfb52fa4982d2a50057dc8b094d84a935e8a6aaa62
Opcode Fuzzy Hash: 3e5dd56b1fb5298e7fb7ab45f600f5bf7168b0abf22b21694986f8e3c7a7ff96
Instruction Fuzzy Hash: 8031C37590122DABCB21DF64D8897DDBBB8BF48310F5041EAE50CA7251EB749F858F44

Function 005990E0 Relevance: 4.2, Strings: 3, Instructions: 411COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 005994C3
invalid literal/length code, xrefs: 005994AA
invalid distance too far back, xrefs: 005994D9

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: e79e1e614b61c4b8435e2ccd599855c6680f9d307dc00e9d6710b568c99d3ff3
Instruction ID: 77a11e599059b916f01e501a1d8551dbe1548a6263d35bbc6de10ef0a69f7a06
Opcode Fuzzy Hash: e79e1e614b61c4b8435e2ccd599855c6680f9d307dc00e9d6710b568c99d3ff3
Instruction Fuzzy Hash: 9DF16C71E002599FCF04CFADC5906ACBFF2FF99304B2485AED495AB342D635AA46CB50

Function 005DF800 Relevance: 3.7, Strings: 2, Instructions: 1167COMMON

Download Yara Rule

Strings

rows updated, xrefs: 005E078C
no such column: %s, xrefs: 005DFB4A

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: no such column: %s$rows updated
API String ID: 0-885832449
Opcode ID: da9f202eedd0dedde7acd6e6c8a1f1d0d30254eba9650297ca8db23cec1c0821
Instruction ID: 07f28041a3f1cec0daeff34070ea4cc73827f06c15346c5bbacc7454193806d3
Opcode Fuzzy Hash: da9f202eedd0dedde7acd6e6c8a1f1d0d30254eba9650297ca8db23cec1c0821
Instruction Fuzzy Hash: 58C269706047828FD724DF19C094B2ABBF1FF88344F15896EE9868B392D775E855CB82

Function 005A2610 Relevance: 3.5, APIs: 2, Instructions: 456COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A28FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A294D

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: e1169bf2a2d88f9097cbc5291f777eb9e6fb9c7e2e75234ed14d65dbaf6a6de8
Instruction ID: 1a288245f105955c42638d63c3b92732988b2e147f454b26f39e54aec7b28d5f
Opcode Fuzzy Hash: e1169bf2a2d88f9097cbc5291f777eb9e6fb9c7e2e75234ed14d65dbaf6a6de8
Instruction Fuzzy Hash: 96F1E271E0021A8BCF14CF5DD8912BDFFF2FB89310F1982AAE595AB291DB7549418B90

Function 005EF26A Relevance: 3.0, APIs: 2, Instructions: 15timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,?,005EEC78,?,?,?,?,005240EB,?,00573C2E), ref: 005EF283
GetSystemTimeAsFileTime.KERNEL32(?,?,?,005EEC78,?,?,?,?,005240EB,?,00573C2E), ref: 005EF287

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 0169edcfba86221f0bdc54baff4c70f354a88b29cfc713275bb8e683c312cc1e
Instruction ID: 2d59f8a3579d4c648ca915ac350bcc63844a2a3133431e75e29c03c861c3550a
Opcode Fuzzy Hash: 0169edcfba86221f0bdc54baff4c70f354a88b29cfc713275bb8e683c312cc1e
Instruction Fuzzy Hash: 03D0223A5005B8E78B092FD1FC048DC7F2AFA0AB503088077FA0983124CF211C008BC1

Function 00567770 Relevance: 2.8, Strings: 1, Instructions: 1548COMMON

Download Yara Rule

Strings

/, xrefs: 005690ED

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e6f9361b79cae30eccac2df57ad2210cb5673d937e8340a67173644a85d68272
Instruction ID: 45115c9e1e7475f37bed64e6ac78eddbe925b7d0a6dc21700beca2db610bdd43
Opcode Fuzzy Hash: e6f9361b79cae30eccac2df57ad2210cb5673d937e8340a67173644a85d68272
Instruction Fuzzy Hash: 84E26D7080425E9ADF25EBA0DC5ABEDBF75BF54300F4044D8E44A67282EB741B89DF62

Function 00609824 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?), ref: 00609A51

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9978ff0b82d6eaaf016ba493cafe3c960920387c15122b413961ccd9cce6d203
Instruction ID: 2ccc3695b41ff43b27dff3d8d37e07dbfe79a6c28315b93b79bc69df6e9d91e9
Opcode Fuzzy Hash: 9978ff0b82d6eaaf016ba493cafe3c960920387c15122b413961ccd9cce6d203
Instruction Fuzzy Hash: 5CB11A316506089FD719CF28C486BA67BA2FF45364F29865CE899CF3E2C335D992CB50

Function 005B1270 Relevance: 1.8, Strings: 1, Instructions: 513COMMON

Download Yara Rule

Strings

%s-mj%08X, xrefs: 005B1456

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: %s-mj%08X
API String ID: 0-77246884
Opcode ID: 448fc39f872702818dadb165210a53d9838cf7a70e9be67fe8432c37282cff97
Instruction ID: 0dbe326acba404a3471f2d881f5791bbcd8aac032625ffafd9517a7fc1f43873
Opcode Fuzzy Hash: 448fc39f872702818dadb165210a53d9838cf7a70e9be67fe8432c37282cff97
Instruction Fuzzy Hash: DD126C70604B019FD764CF69C890BAABBE5FFC8314F54892DE99A87251DB31F841CB4A

Function 005A68C0 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005A6946

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: 7a44c20f99546b8cb0b7f6f3bc7e91dfe326bceb999c1273d02f7bbc8312f864
Instruction ID: d005bacb5d751484d03050d67539252212aae33d580862b95aea8dda7986990c
Opcode Fuzzy Hash: 7a44c20f99546b8cb0b7f6f3bc7e91dfe326bceb999c1273d02f7bbc8312f864
Instruction Fuzzy Hash: 23816071A001459FDF58CF9CCC80AAEBBB5AF89300F1880A9E955EB346D275EE05CB91

Function 005A63D0 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005A6449

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: 1ae21db2f24bae033a874413a08895cf9ef0a6936569dd53fef1bb6e24226d22
Instruction ID: 6a0d4a47c696437260d3519ce59a653953009ccc764e9f33138adf274d0c262f
Opcode Fuzzy Hash: 1ae21db2f24bae033a874413a08895cf9ef0a6936569dd53fef1bb6e24226d22
Instruction Fuzzy Hash: 10616A71610740DFCB28CF6DC88056AFBF5AF99300B088AAEDD86DB756D630E955CB90

Function 00524100 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,00000000,00000001,?,00000000), ref: 00524293

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: af5fd15cff890a9ac27f1d996f7fc24282960a7df6c92adc14ff25c9d05ac904
Instruction ID: 60514511a7dd16cb3c7d4ea48fa3f746946ab04a4950e744f2a964b4b1ac5b20
Opcode Fuzzy Hash: af5fd15cff890a9ac27f1d996f7fc24282960a7df6c92adc14ff25c9d05ac904
Instruction Fuzzy Hash: 87518F71E002299FCB18DF99E885AEEBFB5FF89310F144569E419A7381D7349944CFA0

Function 00609160 Relevance: 1.7, APIs: 1, Instructions: 156timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00606DB3: HeapFree.KERNEL32(00000000,00000000,?,0060ECA9,005F89C3,00000000,005F89C3,?,0060EF4A,005F89C3,00000007,005F89C3,?,0060F43E,005F89C3,005F89C3), ref: 00606DC9
Part of subcall function 00606DB3: GetLastError.KERNEL32(005F89C3,?,0060ECA9,005F89C3,00000000,005F89C3,?,0060EF4A,005F89C3,00000007,005F89C3,?,0060F43E,005F89C3,005F89C3), ref: 00606DD4

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00609313,00000000,00000000,00000000), ref: 006091D2

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3335090040-0
Opcode ID: 047590866a50a0a3ed8b40d57cce0762a1a26530c912eb94fe7bf74fde8b5ecb
Instruction ID: e162799986963195751de8b80979baba6591c4f421e9c48cbe9f5458a8cdcaf4
Opcode Fuzzy Hash: 047590866a50a0a3ed8b40d57cce0762a1a26530c912eb94fe7bf74fde8b5ecb
Instruction Fuzzy Hash: 9941E675940125AFCB18EF65EC0699B7F7BAF42760B10416AF454A72E2EB309E00CBA4

Function 0061032B Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0061037F

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0ba3c15ef53b571376abd5d4431c1df9cad4954e471b662ac661dff2d933006d
Instruction ID: 2fb6de2176c0ce4f7ee092243e70b1668ea74a5f3fc3c3dcd330d37dbe979520
Opcode Fuzzy Hash: 0ba3c15ef53b571376abd5d4431c1df9cad4954e471b662ac661dff2d933006d
Instruction Fuzzy Hash: 2521A132611207ABEF289B25DC81AFB37AAEB04310F14017AF915D6281EBB4EDC08B54

Function 0059E140 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

-, xrefs: 0059E198

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2a2e03b90355dc0d59000aeef2c7e7f9d6bd4af588e3a47cd3e57602e03e1696
Instruction ID: 5bc310b744196eac31cd953c03f2a46461962f343431ff8d175d28990ca305ab
Opcode Fuzzy Hash: 2a2e03b90355dc0d59000aeef2c7e7f9d6bd4af588e3a47cd3e57602e03e1696
Instruction Fuzzy Hash: 71B1A1356007059FEF20CAA4CC41ABEFBF5FF44310F144E1AE9AAD2690D371A946CB61

Function 005AC4F0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

d, xrefs: 005AC718

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a46c03965f89406d21e4840a8879490cd355410da3bfc95495e00d4f6904263f
Instruction ID: 75acc801fc2566a54498e5fa300652ea53ace401c0fd58e5b07d4af67fa206e7
Opcode Fuzzy Hash: a46c03965f89406d21e4840a8879490cd355410da3bfc95495e00d4f6904263f
Instruction Fuzzy Hash: A9C171716047428FC715CF29C48056ABFE2BFDA344F1885ADE8998B346DB35ED06CBA1

Function 00524400 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(FAE1F7FA), ref: 0052446D

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cc950a95dce5ff95e785122f5184d828b507a2eedb93c1b78dded785e97a1ba2
Instruction ID: fc9eef203d3167730693a814ddc29224c8ca56efc21fde2109924a4f19aa2584
Opcode Fuzzy Hash: cc950a95dce5ff95e785122f5184d828b507a2eedb93c1b78dded785e97a1ba2
Instruction Fuzzy Hash: AC015BB1915218AFDB00DFA9D8856CEFBF8FF08310F5085AAE419E7241D375A205CBA0

Function 0061055A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,006103D5,00000000,00000000,?), ref: 00610586

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 005763b52e6410c09ce1b8511ea4d81e0cd6910015807635b6cb8cacbb8b1f0a
Instruction ID: afbc30c313302886a278c6a7cc5870b223ca7b81aa3bf5c4daa390f34718b25b
Opcode Fuzzy Hash: 005763b52e6410c09ce1b8511ea4d81e0cd6910015807635b6cb8cacbb8b1f0a
Instruction Fuzzy Hash: B401DB32600116ABEF289B248A45AFB776BDB40754F194429EC46A31C0EAB4FDC2CD90

Function 0061004D Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

EnumSystemLocalesW.KERNEL32(0061032B,00000001,FFFFFFFF,?,-00000050,?,006106D4,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00610097

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 698648870ab998a35d3e21d8a0abd4c583c67cc4dd88312cd9ec148d8011cb59
Instruction ID: 92fdf73d9813b16d46527402e4dcafd7e11d96ef09186ef227328806549dfeaf
Opcode Fuzzy Hash: 698648870ab998a35d3e21d8a0abd4c583c67cc4dd88312cd9ec148d8011cb59
Instruction Fuzzy Hash: 3BF0C2362007049FEB246F359881BEA7B92FB84369F19842DF9464B690D6B1ACC2CB50

Function 006074CE Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00603B89,?,20001004,00000000,00000002,?,?,0060317B), ref: 00607502

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cf4ae74dd506eeff0fb7818d64b21c8a87832422d4a35f6e3d9fd1103e66f4e9
Instruction ID: d7bf2133b4ce6a2b2b4f4f9f6111c25f4b3395656b1c5b3b48320380bd496042
Opcode Fuzzy Hash: cf4ae74dd506eeff0fb7818d64b21c8a87832422d4a35f6e3d9fd1103e66f4e9
Instruction Fuzzy Hash: 35E01A32984528BBCB162F61EC04EEF3F67AB44750F048425FC05652A1CB32AA21AAD4

Function 0059F360 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

-, xrefs: 0059F3DF

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
Instruction ID: 80a956d39aa894fe09583f73f8bfb0f9b4aae5ffc161a2b174383d22acec2d80
Opcode Fuzzy Hash: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
Instruction Fuzzy Hash: FA818F71951648AEEF219AB4C840BEDFFF0EF05201F1489E8E8D5E3B41D678D64AC7A1

Function 005AD1A0 Relevance: 1.0, Instructions: 966COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6094c59931180dee46fcb7a570bc31a5db8888ad96c1c80ab7b2378a9d329632
Instruction ID: e5dd06fb9e742d12c9ff5ec71d543e2fc7c19b9c22be57ac397748bf796f4e1f
Opcode Fuzzy Hash: 6094c59931180dee46fcb7a570bc31a5db8888ad96c1c80ab7b2378a9d329632
Instruction Fuzzy Hash: 18929D74A083528FC714DF29D48062EBBF2BFCA304F15496DE8968B752D735E845CBA2

Function 0055F280 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979fb8f93f60bc7e3a4f33676972e644137c874c556c6cda60a5e639773166af
Instruction ID: 415b1f69013bfa3049c8e2b4ed8b5237d22e1e852f5f384cd5cb82c0dd775f7d
Opcode Fuzzy Hash: 979fb8f93f60bc7e3a4f33676972e644137c874c556c6cda60a5e639773166af
Instruction Fuzzy Hash: 1E526EB190424A8EDB48DF68C4156AEFFF4FF09304F1482AED845EB642E7719689CBD1

Function 005E2950 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a7e680b9f4d2905e7ccd588a0a5f6707801662529157b4eab3a2d851289479
Instruction ID: cd44fef8237a88bfaa8c967efe295cc943f640b1cea9e4a39b0e218169d2efe3
Opcode Fuzzy Hash: e5a7e680b9f4d2905e7ccd588a0a5f6707801662529157b4eab3a2d851289479
Instruction Fuzzy Hash: 1B329A716083818FD728CF29C48572ABBE5BF88314F18896DE9C98B359D771ED45CB82

Function 00598610 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28d73c0b092ef984f92d42c05f47b3fe9854d4a3893dd605d8e8d710e45b8fc
Instruction ID: 6368f64f042d4186b98edcf152e7f41783211b9fb6a6a35570034c0507328270
Opcode Fuzzy Hash: c28d73c0b092ef984f92d42c05f47b3fe9854d4a3893dd605d8e8d710e45b8fc
Instruction Fuzzy Hash: 0B025A35600B008FCB24CF29C484A6ABBF2FF89314F55495EE9968BB92DB75F851CB50

Function 005670F0 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskFolderNamesPathPrivateProfileSection
String ID:
API String ID: 1185923200-0
Opcode ID: 79e802052aba22b5e1dbcb441e2bdf86f60f083011ecf5141175cf5ab1925fd0
Instruction ID: f36b6d8507c617a9eed6374c82864c0465579252861624bd1a23b8658af1d30a
Opcode Fuzzy Hash: 79e802052aba22b5e1dbcb441e2bdf86f60f083011ecf5141175cf5ab1925fd0
Instruction Fuzzy Hash: A2E1EF74D042898FCB15DB68CC49BEDBFB6BF99314F1880D9D449A7342EB705A48CBA1

Function 0060F771 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: ec7cb30a5dc5b3a29324ca80e9e4014bfec278e9a5d19fdf040499880a3c4984
Instruction ID: 2bd7dacbcdda5ce4e7f6423dc7f4233bc8f06dde5f41d64ac0e68878300dd99d
Opcode Fuzzy Hash: ec7cb30a5dc5b3a29324ca80e9e4014bfec278e9a5d19fdf040499880a3c4984
Instruction Fuzzy Hash: 64B1C6756407459BDB3C9B24CC92BF7B3AAEF44308F14493DE94786AC0EB75A986CB10

Function 0059E490 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88923f8df2a61e7006f5ecf14fd7805f83e68085996bdc7208aa9031238299ab
Instruction ID: 490e25d703bf2389942f55cccb75498ed556e8392beed292251798a5721673df
Opcode Fuzzy Hash: 88923f8df2a61e7006f5ecf14fd7805f83e68085996bdc7208aa9031238299ab
Instruction Fuzzy Hash: 36D19D706007418BEB24CF39C49479ABBE1FF58314F548A6DD4EE8B781EB74A489CB91

Function 0059F810 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4a20ca9efea50b4dec5b5d095b2047d73e52b5fca4e20fe11e8416b54ef34e
Instruction ID: 26ff1b4a958cb3d5f31096c9c1cadc86d488ae95b706d5d3e25c33f0f80737d9
Opcode Fuzzy Hash: fa4a20ca9efea50b4dec5b5d095b2047d73e52b5fca4e20fe11e8416b54ef34e
Instruction Fuzzy Hash: 85B1A1716047019FDB20DE64C880A6BBBE5FF89324F144A3DF9AAC3690D774E949CB52

Function 005124F0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970760fb301abcd751a2535e2fc00994ad1a2215bf31372becfa56a4f6f65e52
Instruction ID: 09a458d104271dc0fdde13bedee7aebcdf8d8c07d5a10f8380e34d6c8dc67631
Opcode Fuzzy Hash: 970760fb301abcd751a2535e2fc00994ad1a2215bf31372becfa56a4f6f65e52
Instruction Fuzzy Hash: FA7104B4E011468FEB14CF68D8D17FEBFB6FB1A300F050169D85597782CB289996C7A0

Function 0059F600 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d31ba86242bfd7bd76f9ba221a1519e07e8bc4f3f0aa95c67da6b44e1bb030
Instruction ID: d5569f474a28144352b1a2fb2cc242acae7b9b31f6f407bc9e283419549aa584
Opcode Fuzzy Hash: 41d31ba86242bfd7bd76f9ba221a1519e07e8bc4f3f0aa95c67da6b44e1bb030
Instruction Fuzzy Hash: ED61B431500709AFDF30CAA8C880BEEBFE5FF45310F208AB9E595D26A0D275E685C751

Function 00596550 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fa3ee8db4cf0f3d1f92b962ccb34bcd4349841ee1e19269a56cd65cbf3ca22
Instruction ID: 9c21d87bae517280a858c4eeda8aaec5cbd6f708df631f964d5dd397f332ed9e
Opcode Fuzzy Hash: 01fa3ee8db4cf0f3d1f92b962ccb34bcd4349841ee1e19269a56cd65cbf3ca22
Instruction Fuzzy Hash: 506144316109664FD728CF5EECC04663752E78A301386661AEAC1DB2A6C735F527DBE0

Function 005F646A Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
Instruction ID: 2988480aa988442f801a26c19e2885f991f9754534a8e66d8d31943de64ceac2
Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
Instruction Fuzzy Hash: 70517F72D00219AFDF14CF98C981AFEBFB6FF88314F598459E915AB201D7389A50DB90

Function 0059E910 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854d7f0168f0dc93b040c5b83782ce3004fb363419dbd7899f20dfa3d1eb45b6
Instruction ID: 6b72043940b605ff67476cb5c97f11e7ebffca8ec816ebeedd5b4c5b805cdf47
Opcode Fuzzy Hash: 854d7f0168f0dc93b040c5b83782ce3004fb363419dbd7899f20dfa3d1eb45b6
Instruction Fuzzy Hash: 4C317E31600B158FC765CEB9C8817A3F7E5FB49310F150A6EE6EAC7281C6B4B984CB60

Function 00577750 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8b70dc6646eac00bb8f7aeb5e9057f0b1fa3d1da44066a827c1914688b07cf
Instruction ID: 4dd92dd7dde1a304bcc7d3d61ec1e2c3c28f2bde888e3ef3c77944fba0328c28
Opcode Fuzzy Hash: ac8b70dc6646eac00bb8f7aeb5e9057f0b1fa3d1da44066a827c1914688b07cf
Instruction Fuzzy Hash: 90D0A73102C299CDC32EC964F084B827F85DF06704F16CCCDC0A6CB156D5E0D884E398

Function 00577780 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb43d5ebd18ffb5bfa975f8970044cafa813baba2386a534dcfbb36c7b008315
Instruction ID: 5283c8b63ae8548d8e40bf5470c4245be67efeb7fe5a67d9c850ab03f81b6920
Opcode Fuzzy Hash: fb43d5ebd18ffb5bfa975f8970044cafa813baba2386a534dcfbb36c7b008315
Instruction Fuzzy Hash: 22D05E3202969549D32EC528B048B837FA5AB4A214F168D8980868B052E5A094C9D658

Function 00579610 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3469e2706c7b8808072a0d70d13407581380fe56500d1ba4e961cf50c2cc6b8c
Instruction ID: dbc702a08d152575c0d9f4efb0c0dd8df9a70d10112f3a1208ba3dba4c9c81cc
Opcode Fuzzy Hash: 3469e2706c7b8808072a0d70d13407581380fe56500d1ba4e961cf50c2cc6b8c
Instruction Fuzzy Hash: 9FC0CAB06042108BCA28DB1CB480866B7E6AF98210328CA2EE08A83600E672ED009B90

Function 0057F810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0057F833
std::_Lockit::_Lockit.LIBCPMT ref: 0057F855
std::_Lockit::~_Lockit.LIBCPMT ref: 0057F875
std::_Lockit::~_Lockit.LIBCPMT ref: 0057F89F
std::_Lockit::_Lockit.LIBCPMT ref: 0057F90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0057F959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0057F973
std::_Lockit::~_Lockit.LIBCPMT ref: 0057FA08
std::_Facet_Register.LIBCPMT ref: 0057FA15

Strings

bad locale name, xrefs: 0057FA2F
"c, xrefs: 0057F96B, 0057F972

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$"c
API String ID: 3375549084-968494664
Opcode ID: c9dc5e39d474c26a5d588a029adc1cef0c6c531a087194b2b0bc96c07b065ae1
Instruction ID: 42db759a30de6cc6157f111f38de0f8af23331a62208688d16e4fe1f7948a353
Opcode Fuzzy Hash: c9dc5e39d474c26a5d588a029adc1cef0c6c531a087194b2b0bc96c07b065ae1
Instruction Fuzzy Hash: 95619FB1D002499FEF10DFA4E849B9EBFB5BF45310F148468E849AB341E735E905CBA2

Function 00595450 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,7556F380), ref: 00595475
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,7556F380), ref: 0059548C
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,7556F380), ref: 005954A5

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36, xrefs: 0059557F

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
API String ID: 3213498283-2732702261
Opcode ID: 784c1c15fe1aa32dc9641f7e8f4a1616ef73e0240794f039d3c2f399316f2aa8
Instruction ID: 82ab2f4c158aeb7807b1b6c9c6983b4b0e06d12b8b8d8b892858048b83120db6
Opcode Fuzzy Hash: 784c1c15fe1aa32dc9641f7e8f4a1616ef73e0240794f039d3c2f399316f2aa8
Instruction Fuzzy Hash: 9E416939940614ABCF52DF689C80AADBFB7FF4A311F094069ED88D7321E7314E568B50

Function 00523910 Relevance: 15.1, APIs: 10, Instructions: 138fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000), ref: 00523938
RmStartSession.RSTRTMGR(?,00000000,?), ref: 00523990
RmRegisterResources.RSTRTMGR(?,00000001,?,00000000,00000000,00000000,00000000,?), ref: 005239CC
RmGetList.RSTRTMGR(?,00000000,?,?,?), ref: 005239F4
RmShutdown.RSTRTMGR(?,00000001,00000000), ref: 00523A15
RmEndSession.RSTRTMGR(?), ref: 00523A28
SetLastError.KERNEL32(00000000), ref: 00523A2F
CopyFileA.KERNEL32(?,?,00000000), ref: 00523A4E
GetLastError.KERNEL32(?,?,00000000), ref: 00523A59
CopyFileA.KERNEL32(?,?,00000000), ref: 00523A71

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast$CopyFileSession$ListRegisterResourcesShutdownStart
String ID:
API String ID: 304452573-0
Opcode ID: 3d54961e041344b6abc5ae9431c808675942ca85bf7f518e53896aef589d52dc
Instruction ID: e0ee568a8aacf3c20d06a4ea4c4bfbd7912edc8d8cfdd1e5732e146f24263e63
Opcode Fuzzy Hash: 3d54961e041344b6abc5ae9431c808675942ca85bf7f518e53896aef589d52dc
Instruction Fuzzy Hash: 6C41AC32D0021AABDF21DBA0EC45BFEBB79FF45710F14412AE905B6290DB755A40CBA0

Function 005F3306 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

___TypeMatch.LIBVCRUNTIME ref: 005F3533
CatchIt.LIBVCRUNTIME ref: 005F3584
_UnwindNestedFrames.LIBCMT ref: 005F3685
CallUnexpected.LIBVCRUNTIME ref: 005F36A0

Strings

b, xrefs: 005F341C
csm, xrefs: 005F33B0
csm, xrefs: 005F345C
csm, xrefs: 005F3343

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm$b
API String ID: 944608866-1124614693
Opcode ID: d8b54be5ecb7279b6850f66950320b191d0dfffbac8d575c94d8bfe3c3c2b9cd
Instruction ID: 0f0791b8eb696a74d2c5a4c60a6e97a1b940f28bd6bde632a280b20980339126
Opcode Fuzzy Hash: d8b54be5ecb7279b6850f66950320b191d0dfffbac8d575c94d8bfe3c3c2b9cd
Instruction Fuzzy Hash: BEB1557180020EEBEF15DFA4C8899BEBFB5FF94310B14455AEA01AB202D739DA51CF91

Function 006133AC Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,811C9DC5,?,?,?,?,?,?,?,0061448A), ref: 006133C5

Strings

pow, xrefs: 00613463, 0061350D, 0061355A
sqrt, xrefs: 00613504
asin, xrefs: 006134F2
exp, xrefs: 00613444, 006134A9
log10, xrefs: 00613407, 00613416
log, xrefs: 00613422, 00613431
acos, xrefs: 006134FB

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 297b0b9c951f5bd73616194bbc5f425296444d194a741a00c02861a85b5f6bf7
Instruction ID: eb24b1fd0acbca56f8e351c06700685752a34fbad8da3c68b7611e48c0ed5fd8
Opcode Fuzzy Hash: 297b0b9c951f5bd73616194bbc5f425296444d194a741a00c02861a85b5f6bf7
Instruction Fuzzy Hash: AD5147B4900A2ACBCF119F59E80C1EDBFB7FB49704F184056D492AA354CB798BA5CF54

Function 0051B1A0 Relevance: 13.6, APIs: 9, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000001C), ref: 0051B1F0
SetupDiEnumDeviceInfo.SETUPAPI(?,00000000,00000000), ref: 0051B1FF
LocalAlloc.KERNEL32(00000040,0000001C,?,00000000,00000000), ref: 0051B239
SetupDiEnumDeviceInterfaces.SETUPAPI(?,00000000,0061F540,00000000,00000000), ref: 0051B251
SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,00000000,00000000,00000000,?,00000000), ref: 0051B26D
SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,?,00000000,?,00000000,00000000), ref: 0051B28F
LocalFree.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000), ref: 0051B2C0
LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 0051B2C5
LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 0051B2C8

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Local$DeviceSetup$Free$AllocDetailEnumInterface$InfoInterfaces
String ID:
API String ID: 45558158-0
Opcode ID: 2fc3ded58bfc13478eb5c79bd7a3a87bc892eb8f736f92cd3746db8217bbe1cd
Instruction ID: dcbd8c47dab12788d076ee99284abccb88a065d76e521a727a8699a6d87d0e63
Opcode Fuzzy Hash: 2fc3ded58bfc13478eb5c79bd7a3a87bc892eb8f736f92cd3746db8217bbe1cd
Instruction Fuzzy Hash: 59413CB5A40309AFDB60DFA9DC41B9EFBF9FB48700F14852AE519E7650E774A9008F60

Function 005A43B0 Relevance: 13.6, APIs: 9, Instructions: 88sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005A3E50: GetVersionExA.KERNEL32(?), ref: 005A3E76

GetVersionExA.KERNEL32(?), ref: 005A43F3
DeleteFileW.KERNEL32(00000000), ref: 005A4412
GetFileAttributesW.KERNEL32(00000000), ref: 005A4419
GetLastError.KERNEL32 ref: 005A4426
Sleep.KERNEL32(00000064), ref: 005A443C
DeleteFileA.KERNEL32(00000000), ref: 005A4445
GetFileAttributesA.KERNEL32(00000000), ref: 005A444C
GetLastError.KERNEL32 ref: 005A4459
Sleep.KERNEL32(00000064), ref: 005A446F

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleepVersion
String ID:
API String ID: 1421123951-0
Opcode ID: f8063c74552b481fd06f19973c27757e23bbc73517f8b7ace63e1d926da70a25
Instruction ID: f12187bb19c7de63b763daf322be59253268958384ebdcdee2e6486cc4a4a7a1
Opcode Fuzzy Hash: f8063c74552b481fd06f19973c27757e23bbc73517f8b7ace63e1d926da70a25
Instruction Fuzzy Hash: B721E5359002149BCF10ABB8AC886BE7BF5FB8F335F20C666E91EC2241EB7449419F51

Function 0051C190 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 176registryCOMMON

Download Yara Rule

APIs

RegGetValueA.ADVAPI32(80000002,E0E0EBC2,F5FEFDD5,0001FFFF,00000001,?,00000104), ref: 0051C2B2
GetComputerNameExA.KERNEL32(00000002,?,00000104), ref: 0051C31C
LsaOpenPolicy.ADVAPI32(00000000,006456CC,00000001,00000000), ref: 0051C375

Strings

%wZ, xrefs: 0051C3A5

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ComputerNameOpenPolicyValue
String ID: %wZ
API String ID: 642710655-705104578
Opcode ID: 964aefc5871dd21a5c9538ff98d78de7ddb1eada1a6ce6d5199e0dce2fdc983d
Instruction ID: 53d75ef2b57e7537aa9568300706464194d523846beed17187213c53db81b639
Opcode Fuzzy Hash: 964aefc5871dd21a5c9538ff98d78de7ddb1eada1a6ce6d5199e0dce2fdc983d
Instruction Fuzzy Hash: E871AEB1940258DFEF20CFA4D849BEEBFB8BF05300F04456EE559AB241E7B65689CB50

Function 005950C0 Relevance: 12.1, APIs: 8, Instructions: 140networkCOMMON

Download Yara Rule

APIs

InternetSetOptionA.WININET(00000000,00000006,00000000,00000004), ref: 00595100
HttpOpenRequestA.WININET(00000000,D0D2D7D9,?,00000000,00000000,00000000,80000000,00000000), ref: 00595175
GetLastError.KERNEL32(00000000,00000000), ref: 005951A0
InternetQueryOptionA.WININET(00000000,0000001F,80000000,?), ref: 005951CB
InternetSetOptionA.WININET(00000000,0000001F,00000100,00000004), ref: 005951E1

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: InternetOption$ErrorHttpLastOpenQueryRequest
String ID:
API String ID: 482189329-0
Opcode ID: 519fd74dd3c4f222391f2ca2af2559af22bd4b98511b1bc3005cd8a4b1fc17a0
Instruction ID: 5b8c9bedebde1194860fb76edaae1b081af8cb9346664c6cb1fb08c8a3d67b62
Opcode Fuzzy Hash: 519fd74dd3c4f222391f2ca2af2559af22bd4b98511b1bc3005cd8a4b1fc17a0
Instruction Fuzzy Hash: 79419575A40209BBEB21CF94DC49FAF7BB9EB45704F104059FA05BB280E7B49B04DB55

Function 00552860 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 470COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001FFFFF,00000000), ref: 005528EA
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000208,00000000), ref: 005529BB

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_., xrefs: 00552A25
A, xrefs: 00552A13
steam, xrefs: 00552CEB
O, xrefs: 00552A2A

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Process$MemoryOpenRead
String ID: A$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.$O$steam
API String ID: 435025951-934398379
Opcode ID: 8202b87646b18687101022c30b0c38714c380670410aa6c11c60f2151b4ec0ba
Instruction ID: 188c0b6e12f493e14cefe52798c1858f0533cb96498a378a6fcd288e6289bc2b
Opcode Fuzzy Hash: 8202b87646b18687101022c30b0c38714c380670410aa6c11c60f2151b4ec0ba
Instruction Fuzzy Hash: 5602D370D002498FDF18DF68DC597AEBFB5BF45300F1481ADE849AB282E7745A89CB91

Function 00517820 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0051799A
___std_exception_copy.LIBVCRUNTIME ref: 00517B75

Strings

`!Q, xrefs: 005179A5, 00517B80
out_of_range, xrefs: 00517A27
type_error, xrefs: 0051784A
`!Q, xrefs: 00517985, 00517B60

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q$out_of_range$type_error
API String ID: 2659868963-383665097
Opcode ID: 129ec59cb174273058bd2153e000e7cc6d1672668ed282b34513743d3f0bc536
Instruction ID: bbb9ae0747723e5334f8c954386250ac2239ef30c865df8441737301076b6a17
Opcode Fuzzy Hash: 129ec59cb174273058bd2153e000e7cc6d1672668ed282b34513743d3f0bc536
Instruction Fuzzy Hash: ACC159B19042098FDB08CFA8D88479DBFF6FF48310F14866AE459EB742E7749980CB90

Function 00513190 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005132C6
___std_exception_destroy.LIBVCRUNTIME ref: 00513350

Strings

@3Q, xrefs: 00513316
`!Q, xrefs: 005132D1
`!Q, xrefs: 005132AD, 00513349
+4Q, xrefs: 00513190

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: +4Q$@3Q$`!Q$`!Q
API String ID: 2970364248-74169555
Opcode ID: 4864e0c79e1366dd5093894e37f81f5854b3674c835b86367817a7941c249697
Instruction ID: b5b0fe487274b767b858b553b5df9d72fcf648426577df82a92fcc68c27a451e
Opcode Fuzzy Hash: 4864e0c79e1366dd5093894e37f81f5854b3674c835b86367817a7941c249697
Instruction Fuzzy Hash: 0F51A0719002499FDB08DF98D899BDEBFF6FF48310F14812AE815A7382D7749A81CB90

Function 005EE5EC Relevance: 10.7, APIs: 7, Instructions: 153threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005EE614
GetCurrentThreadId.KERNEL32 ref: 005EE631
GetCurrentThreadId.KERNEL32 ref: 005EE652
GetCurrentThreadId.KERNEL32 ref: 005EE6D5
__Xtime_diff_to_millis2.LIBCPMT ref: 005EE6ED
GetCurrentThreadId.KERNEL32 ref: 005EE719
GetCurrentThreadId.KERNEL32 ref: 005EE75F

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CurrentThread$Xtime_diff_to_millis2
String ID:
API String ID: 1280559528-0
Opcode ID: 3f88ef1a2d2011dffc1c2fc882fd28097b322cc5f72d9f408a340324effe5f81
Instruction ID: 88f078ad942b6932a47670ca62396092b47e1f7c3e5f555803c1c8cfb6601926
Opcode Fuzzy Hash: 3f88ef1a2d2011dffc1c2fc882fd28097b322cc5f72d9f408a340324effe5f81
Instruction Fuzzy Hash: 2B51D235910695CFCF28DF65D9878A9BBF2FF58310B25846AE8869B241DB30EC41CF50

Function 00607118 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00607227,005F89C3,005FD244,00000000,00000000,00000000,?,00607451,00000022,FlsSetValue,00623B28,p;b,00000000), ref: 006071D9

Strings

api-ms-, xrefs: 0060716F
ext-ms-, xrefs: 00607183

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: f8d4f676038b4a1c1e92fe3a192567e8e6eea8b5b4a7a5488bbce0034ba26d6c
Instruction ID: ae0f51698ac3b6db2dc74ba7b7089233ecbde21ea45b0c469ad33d081da09915
Opcode Fuzzy Hash: f8d4f676038b4a1c1e92fe3a192567e8e6eea8b5b4a7a5488bbce0034ba26d6c
Instruction Fuzzy Hash: F3210576E88210ABC7259B64DC40A9B37ABAF42374F1901A0FD06A73D0E770FE01CAD1

Function 005FD513 Relevance: 9.3, APIs: 6, Instructions: 285COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005FD69B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005FD6B7
__allrem.LIBCMT ref: 005FD6CE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005FD6EC
__allrem.LIBCMT ref: 005FD703
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005FD721

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 072458b663d47d35d409f30cb4732191d78ed49eac36aae1a03e98589251f805
Instruction ID: 0a15a64cbb04ee4f69b73da031bda36b8aec196cfb0eb73631cbb3b8a4e42b72
Opcode Fuzzy Hash: 072458b663d47d35d409f30cb4732191d78ed49eac36aae1a03e98589251f805
Instruction Fuzzy Hash: E981F8B260170A9BE724AE28DC41B7B7BF7FF40724F144629F611DB681E778D9008BA0

Function 0061301D Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,006132ED,00000000,00000000,?,00000001,?,?,?,?,00000001,?), ref: 006130C3
__freea.LIBCMT ref: 00613258
__freea.LIBCMT ref: 0061325E
__freea.LIBCMT ref: 00613294
__freea.LIBCMT ref: 0061329A
__freea.LIBCMT ref: 006132AA

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 052e44f189a188f99ca8ad6910fe5a6df68fa086b2ade1ac308c63d66be6a28b
Instruction ID: 6b4b08a6c4141cddeef66d6f77359d8fee98aaeb2da538d478682b8eecdfc7ea
Opcode Fuzzy Hash: 052e44f189a188f99ca8ad6910fe5a6df68fa086b2ade1ac308c63d66be6a28b
Instruction Fuzzy Hash: 8471C672904266ABDF24AF54CC42BEF7BABAF49310F2C0059E946BB381D7359F858750

Function 00524490 Relevance: 9.2, APIs: 6, Instructions: 205registryCOMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0052449B
IsProcessorFeaturePresent.KERNEL32(00000015), ref: 005244A7
RegOpenKeyExA.ADVAPI32(80000002,C0C0CBC2,00000000,00020019,?), ref: 0052452C
RegOpenKeyExA.ADVAPI32(80000002,C0C0CBC2,00000000,00020019,?), ref: 005245AA
RegCloseKey.ADVAPI32(?), ref: 005245B5
GetComputerNameA.KERNEL32(?,?), ref: 005245CA

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: OpenPresent$CloseComputerDebuggerFeatureNameProcessor
String ID:
API String ID: 2393775839-0
Opcode ID: c91fda855e356346202d83207b76113f7fd768b696904c9fa85ad288ff5d02c5
Instruction ID: a4d6608399f69672e76826d58c64b4d2bdeb0311dc4ac1c13f27252e962d2912
Opcode Fuzzy Hash: c91fda855e356346202d83207b76113f7fd768b696904c9fa85ad288ff5d02c5
Instruction Fuzzy Hash: E871AD7090026CAEDF14CFA4E884AEDBFB9FF0A304F14415DE845AB282E770A545CF64

Function 00515460 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 005155C4
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 005155FF

Strings

., xrefs: 00515722

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_fs_directory_iterator_advance@8
String ID: .
API String ID: 2610647541-248832578
Opcode ID: 252926316b0406c02cc289696f9d4ec0676907b97eb3fad9dd05e55569c75e58
Instruction ID: 7b1524c8d28a175596b4280d414dbaa6a727882fdf04ff40149e83bc3aa0e623
Opcode Fuzzy Hash: 252926316b0406c02cc289696f9d4ec0676907b97eb3fad9dd05e55569c75e58
Instruction Fuzzy Hash: 22C1EF75A00A26DFEB24CF18C4846E9BBB2FF84320F554669D8559B290F735ADC4CBD0

Function 005173B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005175BE
___std_exception_destroy.LIBVCRUNTIME ref: 005175CD

Strings

, column , xrefs: 00517434, 0051744A
`!Q, xrefs: 005175B6, 005175C6
at line , xrefs: 005173F7

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $`!Q
API String ID: 4194217158-3570351978
Opcode ID: d9c15410a5c118c90975e1361f7b6b8c659fa07921b49db98d2c8164c43f73fa
Instruction ID: 51829fd37b9b8bb6353c0acd2004eea68b089b5f882f566cc4a003031960c869
Opcode Fuzzy Hash: d9c15410a5c118c90975e1361f7b6b8c659fa07921b49db98d2c8164c43f73fa
Instruction Fuzzy Hash: FC61F971A042499FEB08DF68DC84B9DBFB6FF88300F14462CE415A7782D774AA80CB90

Function 00513370 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00513190: ___std_exception_copy.LIBVCRUNTIME ref: 005132C6

___std_exception_copy.LIBVCRUNTIME ref: 0051345F

Strings

@3Q, xrefs: 00513464
@3Q, xrefs: 005133F3, 0051347B
`!Q, xrefs: 00513450
+4Q, xrefs: 005133B3, 00513410

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4Q$@3Q$@3Q$`!Q
API String ID: 2659868963-2244486879
Opcode ID: c5b10aef47ef45ffe0d1ae1e360459a342529804b669f832fc9a30a48d1e5127
Instruction ID: a667031697b3c26895c80163bd6b5ef16fee3c5dfab99ccee6be91f318a90bbf
Opcode Fuzzy Hash: c5b10aef47ef45ffe0d1ae1e360459a342529804b669f832fc9a30a48d1e5127
Instruction Fuzzy Hash: 173183B1900209AFCB18DFA8D845AEEFFF9FB48310F14852AF515E7641E774A690CB94

Function 00513410 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 005F0EFB: RaiseException.KERNEL32(E06D7363,00000001,00000003,00573D00,00573D00,?,?,005ED708,00573D00,006409C4,00000000,00573D00,00000000,00000001), ref: 005F0F5B

___std_exception_copy.LIBVCRUNTIME ref: 0051345F

Strings

@3Q, xrefs: 00513464
@3Q, xrefs: 005133F3, 0051347B
`!Q, xrefs: 00513450
+4Q, xrefs: 005133B3, 00513410

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: +4Q$@3Q$@3Q$`!Q
API String ID: 3109751735-2244486879
Opcode ID: 02ac4cfb0c47430e8a23a32c09928d6e41d60212aa2f893110cab2f538bc7af1
Instruction ID: 12060f76310e50b19a33cad5673592cf0d75d8ad7a4bf63da4a8e8ddf17dc5c9
Opcode Fuzzy Hash: 02ac4cfb0c47430e8a23a32c09928d6e41d60212aa2f893110cab2f538bc7af1
Instruction Fuzzy Hash: D2014FB650020AAF8704DFA8D405896FFFDBF44310704842AE62987611EBB0E554CB90

Function 005FF175 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,1D15B573,005F47AC,?,00000000,0061D2B1,000000FF,?,005FF151,FF176ACC,?,005FF125,00000000), ref: 005FF1AA
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005FF1BC
FreeLibrary.KERNEL32(00000000,?,00000000,0061D2B1,000000FF,?,005FF151,FF176ACC,?,005FF125,00000000), ref: 005FF1DE

Strings

mscoree.dll, xrefs: 005FF1A3
CorExitProcess, xrefs: 005FF1B4

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6adf3e2a5eb246f5847bf128e56d0028e075a653c01457c80dbe34131a118d62
Instruction ID: 30b4ab417910c1936268a30238db8041801f599f36a9fde87c0e473a2ca430f5
Opcode Fuzzy Hash: 6adf3e2a5eb246f5847bf128e56d0028e075a653c01457c80dbe34131a118d62
Instruction Fuzzy Hash: A4016775544A2AFFDB119B50DC05FEEBBB9FB04B21F048536EC11E2690DB789900CB90

Function 0057D050 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057D06F
___std_exception_copy.LIBVCRUNTIME ref: 0057D096

Strings

uQ, xrefs: 0057D0A5
`!Q, xrefs: 0057D09B
`!Q, xrefs: 0057D060, 0057D085

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q$uQ
API String ID: 2659868963-1635935002
Opcode ID: 5542d998bc9f276b9de09799c8a3c6af9b9b123f1bbfd2b1cd3a1a1f2b2d10bd
Instruction ID: 1c9a36f9857229ba223778fa611c24b24e81897b96aed9abb7d89dd684721aa4
Opcode Fuzzy Hash: 5542d998bc9f276b9de09799c8a3c6af9b9b123f1bbfd2b1cd3a1a1f2b2d10bd
Instruction Fuzzy Hash: AF01A4B650060AAF8704DF59D409892FFFAFF58710704852BA529CBB11E7B0E568CFA0

Function 005A4560 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 005A3E50: GetVersionExA.KERNEL32(?), ref: 005A3E76

GetVersionExA.KERNEL32(?,?,?,?), ref: 005A4591
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?), ref: 005A45B6
GetFullPathNameW.KERNEL32(00000000,00000003,00000000,00000000,?), ref: 005A45D6
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?), ref: 005A45EF
GetFullPathNameA.KERNEL32(00000000,00000003,00000000,00000000,?), ref: 005A4621

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FullNamePath$Version
String ID:
API String ID: 495861893-0
Opcode ID: 2be0e66c9867936495926d750cff8215042d4e4d483c097261c3efae2f7eb728
Instruction ID: 1aed157da81442f69b2fa1603fa575926d78917411fff9065881f5dbe4b18c7e
Opcode Fuzzy Hash: 2be0e66c9867936495926d750cff8215042d4e4d483c097261c3efae2f7eb728
Instruction Fuzzy Hash: 32212DB2A0110967D7107B64EC4AFBF7B69FFC3314F044034F90A57252DB689905C7A6

Function 00517620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005177B4

Strings

`!Q, xrefs: 005177BF
`!Q, xrefs: 0051779F
invalid_iterator, xrefs: 00517656

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q$invalid_iterator
API String ID: 2659868963-2457165433
Opcode ID: d6f76faeaf49e0222cf05479c9f35fb5ba9f559c2f5d370a5a66870217d9c61c
Instruction ID: f62e94db0ad494021ba79c1c6ab61c43f77cf161d7567bd430a832aac0064341
Opcode Fuzzy Hash: d6f76faeaf49e0222cf05479c9f35fb5ba9f559c2f5d370a5a66870217d9c61c
Instruction Fuzzy Hash: 32514EB09002499FDB18CF68D89479DFFF2FB48310F148669E419EB792E774A980CB90

Function 005F36AB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 005F36D0
CatchIt.LIBVCRUNTIME ref: 005F37B6

Strings

RCC, xrefs: 005F36EA
MOC, xrefs: 005F36E2

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 342482f0a0998134e8d19b061fcd218d82a8e6241885b77058ccd29af76a4e3b
Instruction ID: 2ec690571fbdaf82dbaed5e57487c85bff868c690c3af66f8e82b3c2b84728fe
Opcode Fuzzy Hash: 342482f0a0998134e8d19b061fcd218d82a8e6241885b77058ccd29af76a4e3b
Instruction Fuzzy Hash: 9C416AB290120EAFEF15EF94CD85AEEBFB5FF48304F188059FA0566261D3399A50DB50

Function 0057D0C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057D0DF
___std_exception_copy.LIBVCRUNTIME ref: 0057D106

Strings

`!Q, xrefs: 0057D10E
`!Q, xrefs: 0057D0D0, 0057D0F5

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 9940d1acb60a71fbee33f00c383a2ae0849cec9c513006fc10dc722c846f653f
Instruction ID: f16c871ece39802eadb44443dbbaa31ab9a1d752b09aec970a6d89af778da10d
Opcode Fuzzy Hash: 9940d1acb60a71fbee33f00c383a2ae0849cec9c513006fc10dc722c846f653f
Instruction Fuzzy Hash: CBF0C4B650060AAF8708DF58D409892FFEAFA54710705853BA529CBB01E7B0E568CFA0

Function 0058B3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0058B3DF
___std_exception_copy.LIBVCRUNTIME ref: 0058B406

Strings

`!Q, xrefs: 0058B40E
`!Q, xrefs: 0058B3D0, 0058B3F5

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 56f60a0efb31b411004c69370bca0858b066b4b0414069862f8a2c64f9a23001
Instruction ID: 306760a5b0a0c58843ef841e6875e3707fc5825cc462c9d7c96577c4f011cd96
Opcode Fuzzy Hash: 56f60a0efb31b411004c69370bca0858b066b4b0414069862f8a2c64f9a23001
Instruction Fuzzy Hash: 38F0C4B650060AAF8708DF58D409896BFEAFA54710305852BE52ACBB01E7B0E568CFA0

Function 0057A890 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057A8AF
___std_exception_copy.LIBVCRUNTIME ref: 0057A8D6

Strings

`!Q, xrefs: 0057A8DE
`!Q, xrefs: 0057A8A0, 0057A8C5

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 2032b15beadde8aa39ddf178bab52cd3986704a9ea8b62f026669beb0a3b9420
Instruction ID: f12c09cb9ccaa05ebbf20c88a474b13fd1f25ab7f79359212760566c69536e69
Opcode Fuzzy Hash: 2032b15beadde8aa39ddf178bab52cd3986704a9ea8b62f026669beb0a3b9420
Instruction Fuzzy Hash: 58F0C4B650060AAF8708DF58D409892FFEAFA54710305853BA529CBB01E7B0E568CFA0

Function 0057A960 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057A97F
___std_exception_copy.LIBVCRUNTIME ref: 0057A9A6

Strings

`!Q, xrefs: 0057A9AE
`!Q, xrefs: 0057A970, 0057A995

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 1f0047e6fbe73a5750f2ae1381ec866849626a293e4cc28c6085984445bff7dc
Instruction ID: 20efa7f03bfa3ed1b98c0fb4837b8fe572025763d2435ac105b8e12f4cbbce25
Opcode Fuzzy Hash: 1f0047e6fbe73a5750f2ae1381ec866849626a293e4cc28c6085984445bff7dc
Instruction Fuzzy Hash: 65F0C4B650061AAF8708DF59D409892BFEAFA94710305852BE529CBB01E7B0E568CFA4

Function 005F40C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,005F4078,00000000,?,00646988,?,?,?,005F421B,00000004,InitializeCriticalSectionEx,006215CC,InitializeCriticalSectionEx), ref: 005F40D4
GetLastError.KERNEL32(?,005F4078,00000000,?,00646988,?,?,?,005F421B,00000004,InitializeCriticalSectionEx,006215CC,InitializeCriticalSectionEx,00000000,?,005F3E62), ref: 005F40DE
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 005F4106

Strings

api-ms-, xrefs: 005F40EB

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 59487e1819e3e4d6b9e0c1747807fa37e43665c41ce29fecf557bf2bb1e1545e
Instruction ID: a2e08ee297dbade59886715e4f378b6e993b11ecfa08f4690378606ea8d8bb1b
Opcode Fuzzy Hash: 59487e1819e3e4d6b9e0c1747807fa37e43665c41ce29fecf557bf2bb1e1545e
Instruction Fuzzy Hash: 5AE01A3068820CB6EF105BA1EC06F6A3E6BBB11B50F148031FA0DA84E1EB75E9909944

Function 005F30AF Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005F3176
___AdjustPointer.LIBCMT ref: 005F3199
___AdjustPointer.LIBCMT ref: 005F3235

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5731da0b598b6d78cba2267ac0d38802d5865d48c1e3f55e07ead866f44965bf
Instruction ID: 5eec340306c823e1933e993c72371c1d434a78851c523fb4fa1ac709dc1a7f83
Opcode Fuzzy Hash: 5731da0b598b6d78cba2267ac0d38802d5865d48c1e3f55e07ead866f44965bf
Instruction Fuzzy Hash: C151A37560160A9FFB289F14D845FBA7FA5FF40310F244529EE0187291DB3AAA85CB90

Function 005FF54B Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599017c89d470981fefea27f155824e36b1cd886e50e5685f193db0a798847b3
Instruction ID: d4829d4132f064b77d27710cf36a8de4e1c66b2f3ae118b727fdcacd4f6d6dda
Opcode Fuzzy Hash: 599017c89d470981fefea27f155824e36b1cd886e50e5685f193db0a798847b3
Instruction Fuzzy Hash: 17410BB2640709AFD724AF38D845B7ABFB5FF84710F10453AF201DBA91D77999408790

Function 005FF276 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0729fb4909c83ad4ecad4a37ccf2d15157d5c48bf3d7ee6d86927987860ca1e
Instruction ID: fb378e397ff78bbf523c6f26fed8c2958a372a6ed2e70450098e802c70bdbf05
Opcode Fuzzy Hash: f0729fb4909c83ad4ecad4a37ccf2d15157d5c48bf3d7ee6d86927987860ca1e
Instruction Fuzzy Hash: EB21927564020EAF9B10AF65DC8497A7F6ABF903647118935FB18D7981EB38ED0187A0

Function 005A3880 Relevance: 6.1, APIs: 4, Instructions: 76fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,?,00000000), ref: 005A38A9
GetLastError.KERNEL32 ref: 005A38B6
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 005A38EE
GetLastError.KERNEL32 ref: 005A391F

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$PointerWrite
String ID:
API String ID: 2977825765-0
Opcode ID: f59be7c20ddad96e5fe1638ff2cb8542237ba605ffcade6b9d761ff1655a608b
Instruction ID: a9dc41451a92f90786e6ef381ffd7ee91283107251ab4b70a0f3186cfbb4cb15
Opcode Fuzzy Hash: f59be7c20ddad96e5fe1638ff2cb8542237ba605ffcade6b9d761ff1655a608b
Instruction Fuzzy Hash: 4C21A132A01209AFDB20CFA9D841BDE7BE8FB45365F144266FE18D7240D771DE108B90

Function 005242C0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000100), ref: 005242F8
GetComputerNameA.KERNEL32(?,00000100), ref: 0052431F
GetCurrentProcess.KERNEL32(00000000), ref: 005243A8
TerminateProcess.KERNEL32(00000000), ref: 005243AF

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: NameProcess$ComputerCurrentTerminateUser
String ID:
API String ID: 1086297622-0
Opcode ID: efc96081783eca5f1435bdafcca3e43d9d15e3ae63d095d8cea5d459068e07b2
Instruction ID: 2ec99e40e4e0dc7aa4aeba2e0c9d04edbe3f883add55e5bfc39333803fc6a03e
Opcode Fuzzy Hash: efc96081783eca5f1435bdafcca3e43d9d15e3ae63d095d8cea5d459068e07b2
Instruction Fuzzy Hash: 29218671C4425CABDF10DBE0EC49BDEBBBCAF18305F1041AAE945D7182E7759289CBA1

Function 005A37E0 Relevance: 6.1, APIs: 4, Instructions: 66fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 005A37FF
GetLastError.KERNEL32 ref: 005A380A
ReadFile.KERNEL32(?,?,?,?,00000000), ref: 005A3832
GetLastError.KERNEL32 ref: 005A383C

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$PointerRead
String ID:
API String ID: 2170121939-0
Opcode ID: de2215407c46ecff412d9e71a6e2461da2223d52033b78c1b7ff2d4a582e014a
Instruction ID: e5dae0a11a7d4647a977fa7758eb77aef0b347a8b65d2cbddeb2f306fd0fbe52
Opcode Fuzzy Hash: de2215407c46ecff412d9e71a6e2461da2223d52033b78c1b7ff2d4a582e014a
Instruction Fuzzy Hash: 95116D32600109ABDB108FA9EC05BDABBA9FB45365F008266F92CC6250E775D9208BD0

Function 005A3940 Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 005A395F
GetLastError.KERNEL32 ref: 005A396A
SetEndOfFile.KERNEL32(?), ref: 005A3977
GetLastError.KERNEL32 ref: 005A3981

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$Pointer
String ID:
API String ID: 1697706070-0
Opcode ID: 9a4f1cff1090d128d6edcfcc6afc4509b4150bfb18c9430425845f060431a95b
Instruction ID: 898c2b8b8cf55022386a8647aff52515d8cc4bb18e43b59ee37d81801205fa3a
Opcode Fuzzy Hash: 9a4f1cff1090d128d6edcfcc6afc4509b4150bfb18c9430425845f060431a95b
Instruction Fuzzy Hash: 66F03031514608EFDB109FA4ED066ABBBE9FB05325F04826AF92DC21A0EB719D109B80

Function 006141B2 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,005F9087,00000000,00000000,?,00610F2F,00000000,00000001,?,?,?,00604FA4,?,00000000,00000000), ref: 006141C9
GetLastError.KERNEL32(?,00610F2F,00000000,00000001,?,?,?,00604FA4,?,00000000,00000000,?,?,?,0060557E,00000000), ref: 006141D5

Part of subcall function 0061419B: CloseHandle.KERNEL32(FFFFFFFE,006141E5,?,00610F2F,00000000,00000001,?,?,?,00604FA4,?,00000000,00000000,?,?), ref: 006141AB

___initconout.LIBCMT ref: 006141E5

Part of subcall function 0061415D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0061418C,00610F1C,?,?,00604FA4,?,00000000,00000000,?), ref: 00614170

WriteConsoleW.KERNEL32(00000000,00000000,005F9087,00000000,?,00610F2F,00000000,00000001,?,?,?,00604FA4,?,00000000,00000000,?), ref: 006141FA

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2df3bda3c0e5d09e80aa0c8a33cf6a574ce7d1a610a517150f5924b888a4aa47
Instruction ID: e0d9bf839152ae3d0ffba15970a65bfe3bdf4559e6a1c33c460443f4262b885b
Opcode Fuzzy Hash: 2df3bda3c0e5d09e80aa0c8a33cf6a574ce7d1a610a517150f5924b888a4aa47
Instruction Fuzzy Hash: 6AF0123A000125BBCF226FD1DC099D93F67FF0A3A1F098015FA1D96630CA3289A09B90

Function 0052E1E0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000,006322E8,00000000), ref: 0052E557
GetProcAddress.KERNEL32(00000000,C7D2C1C6), ref: 0052E562

Strings

Ws2_32.dll, xrefs: 0052E54E

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Ws2_32.dll
API String ID: 1646373207-3093949381
Opcode ID: aab0e015a796fbe62367bd9e587ee8f51ff09821fcadbac78285a68e97363212
Instruction ID: 5d11e451eab1dadb33dbd2028f9dc5e161f010a06ed81c37cb2250edaa70f5ea
Opcode Fuzzy Hash: aab0e015a796fbe62367bd9e587ee8f51ff09821fcadbac78285a68e97363212
Instruction Fuzzy Hash: F7E1BF70600221DFEB25CF68D88166DBFE2FF56310F24495DE4A69B3D2DB70A941CB91

Function 0060A7CC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(00000000,?,00000000,?,?,?,?,?,a_,0060A7BA,?,?,a_,?,00000000,?), ref: 0060A918
GetLastError.KERNEL32(?,?,?,?,a_,0060A7BA,?,?,a_,?,00000000,?), ref: 0060A922

Strings

a_, xrefs: 0060A7CE

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFileLast
String ID: a_
API String ID: 734332943-2295455027
Opcode ID: c10fb9b0f26f56fcdd86b26488b2c4e7d2901f2e7c8ca4051a70a2659116c371
Instruction ID: f2b1cf678a21c1f134422b2e0be2e5bc2513cd9e6658cc3f387332049bc15e47
Opcode Fuzzy Hash: c10fb9b0f26f56fcdd86b26488b2c4e7d2901f2e7c8ca4051a70a2659116c371
Instruction Fuzzy Hash: 4D513A31A80705AAEB1C8FE5CC85BDF7B76BF043A0F148219F511962C1E330D892CB92

Function 00513490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005134AF

Strings

@3Q, xrefs: 005134B7
`!Q, xrefs: 005134A0

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3Q$`!Q
API String ID: 2659868963-2844704439
Opcode ID: 26ccfd862ffb857bb4669486b6ba2dac6845ac4ee95a905b4cba5cf52c6d838b
Instruction ID: 25ad08f5b60d01b37825a46c904af3658f3564112f679ec65ed8c1bd6faafb21
Opcode Fuzzy Hash: 26ccfd862ffb857bb4669486b6ba2dac6845ac4ee95a905b4cba5cf52c6d838b
Instruction Fuzzy Hash: 83F0A5B660470AAF8708CF59D401896FBE9FB99320305853BE529C7B00E7B0E5248BA4

Function 00513050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00513078

Strings

`!Q, xrefs: 00513080
`!Q, xrefs: 00513063

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 0b78440d9291ec1e783ac7c08242bf6ad28a5221b5ecd803e107569c13f4949b
Instruction ID: fd0ee94aa4340964ea0801a4b488dd923d23cd9493619fa2b0658b0e48f51f6f
Opcode Fuzzy Hash: 0b78440d9291ec1e783ac7c08242bf6ad28a5221b5ecd803e107569c13f4949b
Instruction Fuzzy Hash: 8FE012B29013099BC710DFA8D8059CAFFF9AB59711F0486BAE948D7301F6B0D5948BD1

Function 005175E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005175F1
___std_exception_destroy.LIBVCRUNTIME ref: 00517600

Strings

`!Q, xrefs: 005175E9, 005175F9

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: `!Q
API String ID: 4194217158-660956851
Opcode ID: 73c2244f9fc807076d07fba8c252deb731c01c674e66a1b7b70aaacd15a80fed
Instruction ID: 5a724f3f3b6cfa56aa7d7f67e3638b0da99a29a9cf31a3c22f9e69b4d3e12872
Opcode Fuzzy Hash: 73c2244f9fc807076d07fba8c252deb731c01c674e66a1b7b70aaacd15a80fed
Instruction Fuzzy Hash: B3E026F240074813C720AF549C0DBCABEEDAF60314F08083AFA5092342E7B4E65883E0

Function 00513090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005130AE

Strings

`!Q, xrefs: 005130B6
`!Q, xrefs: 0051309C

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: c2d4a24d0ab07bacfbe2ccd4410b2f665a8b3164d6c814142d23e2f662bdd90c
Instruction ID: dfb2b47b467553cec50254d5e986dda1a7ca0008b7d94c0be3c8d9d1d4d169cd
Opcode Fuzzy Hash: c2d4a24d0ab07bacfbe2ccd4410b2f665a8b3164d6c814142d23e2f662bdd90c
Instruction Fuzzy Hash: 6BE012B25042199FC714DF48D805896BFDDEB15754709843EF649DB301E670D4508BA8

Function 00512230 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0051224E

Strings

`!Q, xrefs: 0051223C
`!Q, xrefs: 00512256

Memory Dump Source

Source File: 00000002.00000002.3876360133.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 401f76050f5728a0f12d10cc5740254eae01a823aea7712218f10f69a5bc145a
Instruction ID: dd1332e80cdb1cd88eb2bdc2220f6f74893cb9ca54e2ef14f5cfe7b4d910754c
Opcode Fuzzy Hash: 401f76050f5728a0f12d10cc5740254eae01a823aea7712218f10f69a5bc145a
Instruction Fuzzy Hash: A2E012B25042159BC714DF48D805896BFDDEB15754749843EF649DB301E770D8508BA4

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_419.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\ROxcmXIWiwnYKwA.pdf

C:\Users\user\jQRMFClswtrBVwy.pdf

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
LisectAVT_2403002A_419.exe

Function 0052E0A0 Relevance: 12.1, APIs: 8, Instructions: 93
networkCOMMON

Function 00573A40 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Function 005FE813 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 00604623 Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Function 005EF290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Function 0051A690 Relevance: 4.6, APIs: 3, Instructions: 60
COMMON

Function 005F4942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Function 00604B12 Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Function 005FE05C Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Function 0051A210 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 00580560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Function 00606A18 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Function 00606E2D Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 005FE4CC Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE