Edit tour

Windows Analysis Report
LisectAVT_2403002A_35.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_35.exe
Analysis ID:	1482318
MD5:	292b38ef1365ee19ef46925535305891
SHA1:	4e7d964212b15097bc867935dae6ab71b72ec6fc
SHA256:	81794c637b54a673f7e5af3f1f0aeb3479e9279b6870c07caa0a380ea7ad1dce
Tags:	DarkTortillaexe
Infos:

Detection

AgentTesla, DarkTortilla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_35.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_35.exe" MD5: 292B38EF1365EE19EF46925535305891)

RegAsm.exe (PID: 756 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.rusticpensiune.ro", "Username": "FTPAdmin@rusticpensiune.ro", "Password": "99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2112490398.0000000002901000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x4032e:$a20: get_LastAccessed 0x7c1f0:$a20: get_LastAccessed 0x4373c:$a30: set_GuidMasterKey 0x7f5fe:$a30: set_GuidMasterKey 0x40e91:$a31: set_username 0x7cd53:$a31: set_username 0xd669:$a33: get_Clipboard 0x422b0:$a35: get_ShiftKeyDown 0x7e172:$a35: get_ShiftKeyDown 0x422c1:$a36: get_AltKeyDown 0x7e183:$a36: get_AltKeyDown 0x407b6:$a37: get_Password 0x7c678:$a37: get_Password 0x42c16:$a39: get_DefaultCredentials 0x7ead8:$a39: get_DefaultCredentials
Process Memory Space: RegAsm.exe PID: 756	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 756	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LisectAVT_2403002A_35.exe.3b219f0.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.LisectAVT_2403002A_35.exe.3b219f0.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.LisectAVT_2403002A_35.exe.53c0000.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.LisectAVT_2403002A_35.exe.53c0000.6.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f044:$s2: GetPrivateProfileString 0x2e771:$s3: get_OSFullName 0x2fdbd:$s5: remove_Key 0x2ff68:$s5: remove_Key 0x30e4f:$s6: FtpWebRequest 0x31cde:$s7: logins 0x32250:$s7: logins 0x34f33:$s7: logins 0x35013:$s7: logins 0x36966:$s7: logins 0x35bad:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f044:$s2: GetPrivateProfileString 0x2e771:$s3: get_OSFullName 0x2fdbd:$s5: remove_Key 0x2ff68:$s5: remove_Key 0x30e4f:$s6: FtpWebRequest 0x31cde:$s7: logins 0x32250:$s7: logins 0x34f33:$s7: logins 0x35013:$s7: logins 0x36966:$s7: logins 0x35bad:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f044:$s2: GetPrivateProfileString 0x2e771:$s3: get_OSFullName 0x2fdbd:$s5: remove_Key 0x2ff68:$s5: remove_Key 0x30e4f:$s6: FtpWebRequest 0x31cde:$s7: logins 0x32250:$s7: logins 0x34f33:$s7: logins 0x35013:$s7: logins 0x36966:$s7: logins 0x35bad:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30e44:$s2: GetPrivateProfileString 0x30571:$s3: get_OSFullName 0x31bbd:$s5: remove_Key 0x31d68:$s5: remove_Key 0x32c4f:$s6: FtpWebRequest 0x33ade:$s7: logins 0x34050:$s7: logins 0x36d33:$s7: logins 0x36e13:$s7: logins 0x38766:$s7: logins 0x379ad:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f044:$s2: GetPrivateProfileString 0x2e771:$s3: get_OSFullName 0x2fdbd:$s5: remove_Key 0x2ff68:$s5: remove_Key 0x30e4f:$s6: FtpWebRequest 0x31cde:$s7: logins 0x32250:$s7: logins 0x34f33:$s7: logins 0x35013:$s7: logins 0x36966:$s7: logins 0x35bad:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31cfc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x31d6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31df8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31e8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31ef4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31f66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31ffc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3208c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f044:$s2: GetPrivateProfileString 0x2e771:$s3: get_OSFullName 0x2fdbd:$s5: remove_Key 0x2ff68:$s5: remove_Key 0x30e4f:$s6: FtpWebRequest 0x31cde:$s7: logins 0x32250:$s7: logins 0x34f33:$s7: logins 0x35013:$s7: logins 0x36966:$s7: logins 0x35bad:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30e44:$s2: GetPrivateProfileString 0x30571:$s3: get_OSFullName 0x31bbd:$s5: remove_Key 0x31d68:$s5: remove_Key 0x32c4f:$s6: FtpWebRequest 0x33ade:$s7: logins 0x34050:$s7: logins 0x36d33:$s7: logins 0x36e13:$s7: logins 0x38766:$s7: logins 0x379ad:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6ebcc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ec3e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ecc8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ed5a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6edc4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ee36:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eecc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ef5c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30e44:$s2: GetPrivateProfileString 0x6bf14:$s2: GetPrivateProfileString 0x30571:$s3: get_OSFullName 0x6b641:$s3: get_OSFullName 0x31bbd:$s5: remove_Key 0x31d68:$s5: remove_Key 0x6cc8d:$s5: remove_Key 0x6ce38:$s5: remove_Key 0x32c4f:$s6: FtpWebRequest 0x6dd1f:$s6: FtpWebRequest 0x33ade:$s7: logins 0x34050:$s7: logins 0x36d33:$s7: logins 0x36e13:$s7: logins 0x38766:$s7: logins 0x6ebae:$s7: logins 0x6f120:$s7: logins 0x71e03:$s7: logins 0x71ee3:$s7: logins 0x73836:$s7: logins 0x379ad:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6ebdc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa9cac:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ec4e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa9d1e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ecd8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa9da8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ed6a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa9e3a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6edd4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9ea4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ee46:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9f16:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eedc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9fac:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30e44:$s2: GetPrivateProfileString 0x6bf24:$s2: GetPrivateProfileString 0xa6ff4:$s2: GetPrivateProfileString 0x30571:$s3: get_OSFullName 0x6b651:$s3: get_OSFullName 0xa6721:$s3: get_OSFullName 0x31bbd:$s5: remove_Key 0x31d68:$s5: remove_Key 0x6cc9d:$s5: remove_Key 0x6ce48:$s5: remove_Key 0xa7d6d:$s5: remove_Key 0xa7f18:$s5: remove_Key 0x32c4f:$s6: FtpWebRequest 0x6dd2f:$s6: FtpWebRequest 0xa8dff:$s6: FtpWebRequest 0x33ade:$s7: logins 0x34050:$s7: logins 0x36d33:$s7: logins 0x36e13:$s7: logins 0x38766:$s7: logins 0x6ebbe:$s7: logins
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e91c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e98e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ea18:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6eaaa:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6eb14:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb86:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ec1c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33e8c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6ecac:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30e44:$s2: GetPrivateProfileString 0x6bc64:$s2: GetPrivateProfileString 0x30571:$s3: get_OSFullName 0x6b391:$s3: get_OSFullName 0x31bbd:$s5: remove_Key 0x31d68:$s5: remove_Key 0x6c9dd:$s5: remove_Key 0x6cb88:$s5: remove_Key 0x32c4f:$s6: FtpWebRequest 0x6da6f:$s6: FtpWebRequest 0x33ade:$s7: logins 0x34050:$s7: logins 0x36d33:$s7: logins 0x36e13:$s7: logins 0x38766:$s7: logins 0x6e8fe:$s7: logins 0x6ee70:$s7: logins 0x71b53:$s7: logins 0x71c33:$s7: logins 0x73586:$s7: logins 0x379ad:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33afc:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6ebba:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa99da:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33b6e:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6ec2c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa9a4c:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33bf8:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ecb6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa9ad6:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33c8a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ed48:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa9b68:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33cf4:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6edb2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa9bd2:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33d66:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6ee24:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa9c44:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33dfc:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6eeba:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa9cda:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x30e44:$s2: GetPrivateProfileString 0x6bf02:$s2: GetPrivateProfileString 0xa6d22:$s2: GetPrivateProfileString 0x30571:$s3: get_OSFullName 0x6b62f:$s3: get_OSFullName 0xa644f:$s3: get_OSFullName 0x31bbd:$s5: remove_Key 0x31d68:$s5: remove_Key 0x6cc7b:$s5: remove_Key 0x6ce26:$s5: remove_Key 0xa7a9b:$s5: remove_Key 0xa7c46:$s5: remove_Key 0x32c4f:$s6: FtpWebRequest 0x6dd0d:$s6: FtpWebRequest 0xa8b2d:$s6: FtpWebRequest 0x33ade:$s7: logins 0x34050:$s7: logins 0x36d33:$s7: logins 0x36e13:$s7: logins 0x38766:$s7: logins 0x6eb9c:$s7: logins
Click to see the 45 entries

Suricata Signatures

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.8 - Destination IP: 185.146.87.128

Timestamp:	2024-07-25T21:18:24.137078+0200
SID:	2855542
Source Port:	62221
Destination Port:	54603
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T21:17:54.682331+0200
SID:	2022930
Source Port:	443
Destination Port:	62219
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T21:17:27.394284+0200
SID:	2022930
Source Port:	443
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE AgentTesla Exfil via FTP - Source IP: 192.168.2.8 - Destination IP: 185.146.87.128

Timestamp:	2024-07-25T21:18:23.528932+0200
SID:	2029927
Source Port:	62220
Destination Port:	21
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.8 - Destination IP: 185.146.87.128

Timestamp:	2024-07-25T21:18:24.143987+0200
SID:	2855542
Source Port:	62221
Destination Port:	54603
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_35.exe

Avira: detected

Found malware configuration

Source: LisectAVT_2403002A_35.exe.7756.0.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.rusticpensiune.ro", "Username": "FTPAdmin@rusticpensiune.ro", "Password": "99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_35.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_35.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LisectAVT_2403002A_35.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.8:62221 -> 185.146.87.128:54603

Source: Joe Sandbox View

IP Address: 185.146.87.128 185.146.87.128

Source: Joe Sandbox View

ASN Name: GTSCEGTSCentralEuropeAntelGermanyCZ GTSCEGTSCentralEuropeAntelGermanyCZ

Source: unknown

FTP traffic detected: 185.146.87.128:21 -> 192.168.2.8:62220 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 22:18. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 22:18. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 22:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 22:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ftp.rusticpensiune.ro

Source: LisectAVT_2403002A_35.exe	String found in binary or memory: http://api.radioreference.com/soap2
Source: RegAsm.exe, 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2660172800.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.rusticpensiune.ro
Source: RegAsm.exe, 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_35.exe	String found in binary or memory: http://www.radioreference.com/apps/register/
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, 8AYyiOU7.cs	.Net Code: _7y2ZauGs
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, 8AYyiOU7.cs	.Net Code: _7y2ZauGs
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, 8AYyiOU7.cs	.Net Code: _7y2ZauGs
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, 8AYyiOU7.cs	.Net Code: _7y2ZauGs
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, 8AYyiOU7.cs	.Net Code: _7y2ZauGs

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Code function: 0_2_02779BA8 CreateProcessAsUserW,

0_2_02779BA8

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_00E67978	0_2_00E67978
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_00E69CD8	0_2_00E69CD8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0277A248	0_2_0277A248
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02774AFB	0_2_02774AFB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02774048	0_2_02774048
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_027728E0	0_2_027728E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02773210	0_2_02773210
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02773200	0_2_02773200
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02778378	0_2_02778378
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02772B78	0_2_02772B78
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02777BB9	0_2_02777BB9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0277E390	0_2_0277E390
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02772B80	0_2_02772B80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02773878	0_2_02773878
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02773869	0_2_02773869
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02770040	0_2_02770040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02774038	0_2_02774038
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02770007	0_2_02770007
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02776800	0_2_02776800
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_027728D0	0_2_027728D0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_027779C0	0_2_027779C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_027779B1	0_2_027779B1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0277EE10	0_2_0277EE10
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_027767F0	0_2_027767F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02776798	0_2_02776798
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05A410AC	0_2_05A410AC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05A4ADFC	0_2_05A4ADFC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05A4CD20	0_2_05A4CD20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05A4CD10	0_2_05A4CD10
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CD22B8	0_2_05CD22B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CDD1FB	0_2_05CDD1FB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CDD200	0_2_05CDD200
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE2488	0_2_05CE2488
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE2483	0_2_05CE2483
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CEC3B0	0_2_05CEC3B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_072F1C68	0_2_072F1C68
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730AF69	0_2_0730AF69
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730B938	0_2_0730B938
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_07308C31	0_2_07308C31
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730A840	0_2_0730A840
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730C848	0_2_0730C848
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730EFB3	0_2_0730EFB3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730EB90	0_2_0730EB90
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730EB80	0_2_0730EB80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730D6F0	0_2_0730D6F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730D6E0	0_2_0730D6E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730E2E8	0_2_0730E2E8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730E2D8	0_2_0730E2D8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730E958	0_2_0730E958
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730E95C	0_2_0730E95C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730B180	0_2_0730B180
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730E5DB	0_2_0730E5DB
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_07309C00	0_2_07309C00
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_07300007	0_2_07300007
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730C80D	0_2_0730C80D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730A80F	0_2_0730A80F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_07300040	0_2_07300040
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_0730CC88	0_2_0730CC88
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_072F1C4F	0_2_072F1C4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_054D9400	6_2_054D9400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_054DD060	6_2_054DD060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_054D3E40	6_2_054D3E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_054D9BB0	6_2_054D9BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_054D4A58	6_2_054D4A58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_054D4188	6_2_054D4188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_064156D8	6_2_064156D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_06413F40	6_2_06413F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0641DC20	6_2_0641DC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0641BCF0	6_2_0641BCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_06412AF0	6_2_06412AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_06418B80	6_2_06418B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_06410040	6_2_06410040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_06414FF8	6_2_06414FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_06413240	6_2_06413240

Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2125558779.0000000007560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll, vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9f5f3d95-0f9a-4fca-99d3-94ce8fa4a2b9.exe4 vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000000.1408033059.0000000000166000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameONUMUJURUEKELE240322.exeP vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename9f5f3d95-0f9a-4fca-99d3-94ce8fa4a2b9.exe4 vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2111675749.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_35.exe
Source: LisectAVT_2403002A_35.exe	Binary or memory string: OriginalFilenameONUMUJURUEKELE240322.exeP vs LisectAVT_2403002A_35.exe

Source: LisectAVT_2403002A_35.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: LisectAVT_2403002A_35.exe, Fb7r9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, pedwBeAo9.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, Mi6W.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, s0nDliRGT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, UGDeyt2ww1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, xpue.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, u4JW9.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, EBT4fOCjU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, EBT4fOCjU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, EBT4fOCjU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, EBT4fOCjU.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_35.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: LisectAVT_2403002A_35.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: LisectAVT_2403002A_35.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe "C:\Users\user\Desktop\LisectAVT_2403002A_35.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: LisectAVT_2403002A_35.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: LisectAVT_2403002A_35.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LisectAVT_2403002A_35.exe

Static file information: File size 1062923 > 1048576

Source: LisectAVT_2403002A_35.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x102e00

Source: LisectAVT_2403002A_35.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3b219f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3b219f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.53c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.53c0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2112490398.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Zi62.cs	.Net Code: NewLateBinding.LateCall(frmkolix, (Type)null, "InvokeAsync", obj, (string[])null, (Type[])null, array2 = new bool[4] { false, false, true, true }, true)
Source: LisectAVT_2403002A_35.exe, Eg0b.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_00E6D99F push 5D0C50FFh; ret	0_2_00E6D99C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_02777414 push edi; retf	0_2_02777415
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05A37798 push eax; retf	0_2_05A37799
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CD88CB push eax; iretd	0_2_05CD8919
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CEE5EB pushfd ; retf	0_2_05CEE5F2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE140B push es; retf	0_2_05CE1412
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE1407 push es; retf	0_2_05CE140A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE979B push edi; retf	0_2_05CE97A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE9799 push edi; retf	0_2_05CE979A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CEA773 pushad ; retf	0_2_05CEA77A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CEA771 pushad ; retf	0_2_05CEA772
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE9718 push edi; retf	0_2_05CE971A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE96E9 push esi; retf	0_2_05CE96EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE96B3 push esi; retf	0_2_05CE96BA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE96B0 push esi; retf	0_2_05CE96B2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE9621 push esi; retf	0_2_05CE9622
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CEE1DB pushfd ; retf	0_2_05CEE392
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE91E9 push edx; retf	0_2_05CE91EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE9123 push ecx; retf	0_2_05CE912A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CEE39B pushfd ; retf	0_2_05CEE5EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE1351 push es; retf	0_2_05CE1352
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE2364 push eax; retf	0_2_05CE3911
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE1373 push es; retf	0_2_05CE137A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE1370 push es; retf	0_2_05CE1372
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE8DBF push eax; retf	0_2_05CE8E12
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE8F23 push eax; retf	0_2_05CE8F2A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE8F20 push eax; retf	0_2_05CE8F22
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE8EF0 push eax; retf	0_2_05CE8EF2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CEA913 pushad ; retf	0_2_05CEA91A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CE9809 push edi; retf	0_2_05CE980A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Code function: 0_2_05CEE813 push 9805CB9Dh; iretd	0_2_05CEE81D

Source: LisectAVT_2403002A_35.exe

Static PE information: section name: .text entropy: 6.948309386213313

Source: LisectAVT_2403002A_35.exe, Zi62.cs	High entropy of concatenated method names: 'Yg1', 'c5R', 'o7A', 'p2K', 'r9S', 'j4H', 'Eq7', 'Di1', 'Df2', 'Qe4'
Source: LisectAVT_2403002A_35.exe, Ze52.cs	High entropy of concatenated method names: 'SetWindowPos', 'ShellExecute', 'c3AF', 'Jm93', 'o2N8', 'Pm15', 'Cn6o', 'w7ZT', 'Ee6g', 'd7F4'
Source: LisectAVT_2403002A_35.exe, Fb7r9.cs	High entropy of concatenated method names: 'Ya5f8', 'y7E4Z', 'r9YQy', 'e7WJb', 'Mg7c1', 't9E7W', 'f6', 'Do', 'x7', 'Km'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

File opened: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: E20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: 2700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: 7E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: 8E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: 9040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: A040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: A3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory allocated: B3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Window / User API: threadDelayed 8749			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Window / User API: threadDelayed 1118			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe TID: 8044	Thread sleep time: -20291418481080494s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe TID: 8044	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_35.exe, 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: LisectAVT_2403002A_35.exe, 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: RegAsm.exe, 00000006.00000002.2664566925.00000000062E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringPNPDeviceID

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F03008	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_35.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 756, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 756, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.39ba7f2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.397f722.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3944642.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a6ba30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_35.exe.3a30972.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_35.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 756, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	2 Obfuscated Files or Information	1 Credentials in Registry	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	11 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	311 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_35.exe	100%	Avira	TR/AD.GenSteal.rawzd
LisectAVT_2403002A_35.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.radioreference.com/apps/register/	0%	Avira URL Cloud	safe
http://api.radioreference.com/soap2	0%	Avira URL Cloud	safe
http://ftp.rusticpensiune.ro	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ftp.rusticpensiune.ro	185.146.87.128	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://api.radioreference.com/soap2	LisectAVT_2403002A_35.exe	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_35.exe, 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ftp.rusticpensiune.ro	RegAsm.exe, 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.2660172800.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.radioreference.com/apps/register/	LisectAVT_2403002A_35.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.146.87.128	ftp.rusticpensiune.ro	Romania		5588	GTSCEGTSCentralEuropeAntelGermanyCZ	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482318
Start date and time:	2024-07-25 21:16:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_35.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 162 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: LisectAVT_2403002A_35.exe

Simulations

Behavior and APIs

Time	Type	Description
15:17:16	API Interceptor	226x Sleep call for process: LisectAVT_2403002A_35.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.146.87.128	COMANDA_AXM_NR17_DIN_240717.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	BESTELLU.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Ordine_nr.24061168372.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse
	CCTC_PO_N.24042291PDF.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	MILTECH_N24032201PDF.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ftp.rusticpensiune.ro	COMANDA_AXM_NR17_DIN_240717.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	BESTELLU.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	Ordine_nr.24061168372.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DBatLoader	Browse	185.146.87.128
	CCTC_PO_N.24042291PDF.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	MILTECH_N24032201PDF.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GTSCEGTSCentralEuropeAntelGermanyCZ	sh4.elf	Get hash	malicious	Mirai	Browse	195.56.40.173
	RiI7W2cj7p.elf	Get hash	malicious	Unknown	Browse	213.29.127.166
	https://liceultehnologicrosiajiu.ro/ulin/ulin8ce.html	Get hash	malicious	CVE-2024-21412	Browse	85.9.47.248
	KBNCt45Gpk.elf	Get hash	malicious	Mirai	Browse	212.203.170.235
	5xUAAMwlnJ.elf	Get hash	malicious	Unknown	Browse	193.86.218.248
	COMANDA_AXM_NR17_DIN_240717.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	92.249.48.47-skid.ppc-2024-07-20T09_04_20.elf	Get hash	malicious	Mirai, Moobot	Browse	217.153.110.218
	waybill_shipping_documents_original_BL_CI&PL_01_07_2024_00000000_doc.vbs	Get hash	malicious	GuLoader, Remcos	Browse	188.214.214.160
	botx.arm6.elf	Get hash	malicious	Mirai	Browse	213.29.20.194
	botx.mips.elf	Get hash	malicious	Mirai	Browse	194.149.9.246

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_35.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MxHKiHKx1qHxviYHKh3oPtHo6hAHKzea
MD5:	E6FF533E8DBB2605A16817894AAAD8BA
SHA1:	B5DAB6E50E652D392A005E6C1B03D6CE526ECEC1
SHA-256:	D0E8C3274C00E0278C7F1D4C57CD0AB9B1F76107FB76D0F02FE0C2C89ACC3063
SHA-512:	45B7A0B75DFD3E4C8C44E16177E11CCFC04DDF837DF6D27A1718C1951E03333CBD6C5FAF4481520F9AF4C4840F00E26B0975E8184E27E83F52A1D5984042CB33
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.940387730444121
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	LisectAVT_2403002A_35.exe
File size:	1'062'923 bytes
MD5:	292b38ef1365ee19ef46925535305891
SHA1:	4e7d964212b15097bc867935dae6ab71b72ec6fc
SHA256:	81794c637b54a673f7e5af3f1f0aeb3479e9279b6870c07caa0a380ea7ad1dce
SHA512:	9aefe7897746af6afc77016dca6b57012d94085b6346c9769d78e3e5780c85c597a58c5dc730e9a2395c55b55abeee4f7acb52590505a255a4876e62d413a932
SSDEEP:	12288:Ac3bAWWghMMjiPPcgFXw4+sNS3RbtEgMfSNhjAyiXBo5JNHrU322WrM9uOAHnh42:I2ziPPcgFXRShqgFNhoRo4wA9gh4q
TLSH:	E935D05C6BF8E510F27E3B75A4B512204334F8DB9622D31E02E150E97BB27D28A51BE7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.M............................NL... ...`....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x504c4e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4D1128AC [Tue Dec 21 22:22:36 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x104bf8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x106000	0x440	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x108000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x102c54	0x102e00	cef10b4641961f3bd209bfb702e0c689	False	0.6612945512433607	data	6.948309386213313	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x106000	0x440	0x600	3f3a33811cdc8e8c06f28ffc63d35f54	False	0.3059895833333333	data	2.698453529095136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x108000	0xc	0x200	ee93ee7d44811945b1d33eb6af2e3ce4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x106058	0x3e8	data			0.434

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T21:18:24.137078+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	62221	54603	192.168.2.8	185.146.87.128
2024-07-25T21:17:54.682331+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62219	40.127.169.103	192.168.2.8
2024-07-25T21:17:27.394284+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49711	40.127.169.103	192.168.2.8
2024-07-25T21:18:23.528932+0200	TCP	2029927	ET MALWARE AgentTesla Exfil via FTP	62220	21	192.168.2.8	185.146.87.128
2024-07-25T21:18:24.143987+0200	TCP	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	62221	54603	192.168.2.8	185.146.87.128

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:18:20.752249002 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:20.757215023 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:20.757596970 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:21.381934881 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:21.382250071 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:21.387095928 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:21.592977047 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:21.593214035 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:21.598259926 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:21.854808092 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:21.854981899 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:21.859817028 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:22.066272020 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:22.070596933 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:22.075504065 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:22.691878080 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:22.692133904 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:22.693696022 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:22.693753004 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:23.000746965 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:23.093033075 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:23.093142033 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:23.099307060 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:23.099323988 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:23.310800076 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:23.311142921 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:23.316152096 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:23.522793055 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:23.523772955 CEST	62221	54603	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:23.528793097 CEST	54603	62221	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:23.528873920 CEST	62221	54603	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:23.528932095 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:23.533796072 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:24.136720896 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:24.137078047 CEST	62221	54603	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:24.137183905 CEST	62221	54603	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:24.143271923 CEST	54603	62221	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:24.143922091 CEST	54603	62221	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:24.143986940 CEST	62221	54603	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:24.188240051 CEST	62220	21	192.168.2.8	185.146.87.128
Jul 25, 2024 21:18:24.370178938 CEST	21	62220	185.146.87.128	192.168.2.8
Jul 25, 2024 21:18:24.422708035 CEST	62220	21	192.168.2.8	185.146.87.128

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:17:52.792355061 CEST	53	55611	162.159.36.2	192.168.2.8
Jul 25, 2024 21:17:53.344027996 CEST	53	61820	1.1.1.1	192.168.2.8
Jul 25, 2024 21:18:20.661515951 CEST	52148	53	192.168.2.8	1.1.1.1
Jul 25, 2024 21:18:20.742671967 CEST	53	52148	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 21:18:20.661515951 CEST	192.168.2.8	1.1.1.1	0x7b26	Standard query (0)	ftp.rusticpensiune.ro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 21:18:20.742671967 CEST	1.1.1.1	192.168.2.8	0x7b26	No error (0)	ftp.rusticpensiune.ro		185.146.87.128	A (IP address)	IN (0x0001)	false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 25, 2024 21:18:21.381934881 CEST	21	62220	185.146.87.128	192.168.2.8	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 22:18. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 22:18. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 22:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 3 of 50 allowed.220-Local time is now 22:18. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jul 25, 2024 21:18:21.382250071 CEST	62220	21	192.168.2.8	185.146.87.128	USER FTPAdmin@rusticpensiune.ro
Jul 25, 2024 21:18:21.592977047 CEST	21	62220	185.146.87.128	192.168.2.8	331 User FTPAdmin@rusticpensiune.ro OK. Password required
Jul 25, 2024 21:18:21.593214035 CEST	62220	21	192.168.2.8	185.146.87.128	PASS 99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt
Jul 25, 2024 21:18:21.854808092 CEST	21	62220	185.146.87.128	192.168.2.8	230 OK. Current restricted directory is /
Jul 25, 2024 21:18:22.066272020 CEST	21	62220	185.146.87.128	192.168.2.8	504 Unknown command
Jul 25, 2024 21:18:22.070596933 CEST	62220	21	192.168.2.8	185.146.87.128	PWD
Jul 25, 2024 21:18:22.691878080 CEST	21	62220	185.146.87.128	192.168.2.8	257 "/" is your current location
Jul 25, 2024 21:18:22.692133904 CEST	62220	21	192.168.2.8	185.146.87.128	TYPE I
Jul 25, 2024 21:18:22.693696022 CEST	21	62220	185.146.87.128	192.168.2.8	257 "/" is your current location
Jul 25, 2024 21:18:23.000746965 CEST	62220	21	192.168.2.8	185.146.87.128	TYPE I
Jul 25, 2024 21:18:23.093033075 CEST	21	62220	185.146.87.128	192.168.2.8	257 "/" is your current location
Jul 25, 2024 21:18:23.310800076 CEST	21	62220	185.146.87.128	192.168.2.8	200 TYPE is now 8-bit binary
Jul 25, 2024 21:18:23.311142921 CEST	62220	21	192.168.2.8	185.146.87.128	PASV
Jul 25, 2024 21:18:23.522793055 CEST	21	62220	185.146.87.128	192.168.2.8	227 Entering Passive Mode (185,146,87,128,213,75)
Jul 25, 2024 21:18:23.528932095 CEST	62220	21	192.168.2.8	185.146.87.128	STOR PW_user-414408_2024_07_25_15_18_19.html
Jul 25, 2024 21:18:24.136720896 CEST	21	62220	185.146.87.128	192.168.2.8	150 Accepted data connection
Jul 25, 2024 21:18:24.370178938 CEST	21	62220	185.146.87.128	192.168.2.8	226-File successfully transferred 226-File successfully transferred226 0.213 seconds (measured here), 1.47 Kbytes per second

Target ID:	0
Start time:	15:17:09
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_35.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_35.exe"
Imagebase:	0x60000
File size:	1'062'923 bytes
MD5 hash:	292B38EF1365EE19EF46925535305891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2112490398.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2122076409.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2119612704.0000000003909000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2119612704.0000000003A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:17:46
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd30000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2660172800.000000000309E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2657339981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2660172800.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.5%
Total number of Nodes:	120
Total number of Limit Nodes:	12

Executed Functions

Function 072F1C4F Relevance: 5.6, Instructions: 5642
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce852190240311bff037433d9aa06c62db6dad4876163f525d7ea5b64b89a1e
Instruction ID: ce690b3f02506e8a43c6cc77ff4e392d25d9454d7caba5394012638daa351b5d
Opcode Fuzzy Hash: cce852190240311bff037433d9aa06c62db6dad4876163f525d7ea5b64b89a1e
Instruction Fuzzy Hash: F0C32B70A15219CFCB58EF79E9996ACBBF2BB89200F4045EAD048A7350EF355E84CF45

Function 072F1C68 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c555d4f514ac27340891ece71609e956ebe9af3965a0872c841303aa3a4803
Instruction ID: 4ae4321719e30a065605a682bd39f0d619dd634136db3f1f730d28532f7738c7
Opcode Fuzzy Hash: 65c555d4f514ac27340891ece71609e956ebe9af3965a0872c841303aa3a4803
Instruction Fuzzy Hash: 56C32B70A15219CFCB58EF79E9996ACBBF2BB89200F4045EAD048A7350EF355E84CF45

Function 05CD22B8 Relevance: 5.2, Instructions: 5170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2123891257.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd699cda37de317f60e1aef6ae90360c6277b6902ff4bde4730cc3e140efa16
Instruction ID: b222cfbabe508c8e12bf8bd4a6cc4d51f5ec7e0ac4cb01f22c2e4ac691a8bbee
Opcode Fuzzy Hash: 0bd699cda37de317f60e1aef6ae90360c6277b6902ff4bde4730cc3e140efa16
Instruction Fuzzy Hash: 38B31970A15218CFCB18EF79DA996ACBBF2FB84200F4485EAD488A7250DF315D84CF95

Function 0277A248 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q+(i, xrefs: 0277A387
Q+(i, xrefs: 0277A395

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: Q+(i$Q+(i
API String ID: 0-3998099878
Opcode ID: ccb0391ae4d2ba4cfa211ba1074c725bd53f332ff2bcc4a1d6925cece8949450
Instruction ID: b9b31f97c78dd1a32c91ba8c2f399156a3f50f8005d826b0009f4492f288b050
Opcode Fuzzy Hash: ccb0391ae4d2ba4cfa211ba1074c725bd53f332ff2bcc4a1d6925cece8949450
Instruction Fuzzy Hash: E181DEB4D01259CFDF04CFA9C9846AEFBB2BB89310F24942AD816BB354DB345981CF94

Function 027728E0 Relevance: 2.7, Strings: 2, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q!, xrefs: 02772B2F
Q!, xrefs: 02772B3D

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: Q!$Q!
API String ID: 0-2963764794
Opcode ID: 4f078689653d4d9bf39f20ef483ff66fd2d2f271abb3e2e348b5919a0d9c38d9
Instruction ID: c406cbd16c0a8d31d0e35b527edee4cc39be8dd4c1f1893be79c8768e0d1ec07
Opcode Fuzzy Hash: 4f078689653d4d9bf39f20ef483ff66fd2d2f271abb3e2e348b5919a0d9c38d9
Instruction Fuzzy Hash: 5F71F274E00208DFDB04DFE5D5856AEBFB2BF89300F24942AE816A7354EB346985CF91

Function 02779BA8 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 02779D13

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 1ff6fc612e404246c27ecf05847d18c2d95ea49af9085ecbc8eed049a10ae48b
Instruction ID: cb4f321f350867966c12369e2e5faafc1468e1f820ec1e385b0bf2d4b5fe7150
Opcode Fuzzy Hash: 1ff6fc612e404246c27ecf05847d18c2d95ea49af9085ecbc8eed049a10ae48b
Instruction Fuzzy Hash: AD510771901229DFDF24CF99C840BDEBBB5BF48304F1484AAE909B7250DB71AA85DF90

Function 027728D0 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

Q!, xrefs: 02772B3D

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: Q!
API String ID: 0-1344094416
Opcode ID: 4b3cea85e8eb0b00f0f76ed2252cb07506553ee6a7638c3ef0046b185027ee17
Instruction ID: f03e4208d94131ec2ef782e13056f3d8c2d1ccf5a1a1095ec9e4da1ebf87be7f
Opcode Fuzzy Hash: 4b3cea85e8eb0b00f0f76ed2252cb07506553ee6a7638c3ef0046b185027ee17
Instruction Fuzzy Hash: A6710074E00208DFDB08DFE5D5856AEBFB2BF89300F24856AE816A7355EB305985CF90

Function 07308C31 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

<, xrefs: 07308D65

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: f32ddb799643009eaefdcc7be8d1f00e7482863e84fc374ece4d3f3b8f6c0ade
Instruction ID: 181e10fbd5e97bf8ec07e1e44372a71d99cf6772190180f9203b5b6f2be478f7
Opcode Fuzzy Hash: f32ddb799643009eaefdcc7be8d1f00e7482863e84fc374ece4d3f3b8f6c0ade
Instruction Fuzzy Hash: 996174B5D00619CFDB58CFAAC9446DDBBF2AF88301F14C5AAD409AB364EB345A85CF50

Function 05A410AC Relevance: 1.3, Instructions: 1264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a47f6c5296411685593c7d203a3b30d287afa04f25466b0351976ab33a06d2ea
Instruction ID: b10011d0d10d3a8bb18dcbfa96e45c3e10cd089c2a16019c6bd53f3f90e1d9ab
Opcode Fuzzy Hash: a47f6c5296411685593c7d203a3b30d287afa04f25466b0351976ab33a06d2ea
Instruction Fuzzy Hash: D8B22834A1021ACFCB18FFB8D9997AEBBB1BF89300F4045A9E449A7250DE395D85CF51

Function 00E67978 Relevance: 1.0, Instructions: 980COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0c6c25e2900918b9e3bef4c0674de39cebedaf053eb751366af7461afc9480
Instruction ID: 554c6bbf9a6636c47956a2f59a08767b170c4d6776af692f45e157a5b0fb2ab4
Opcode Fuzzy Hash: aa0c6c25e2900918b9e3bef4c0674de39cebedaf053eb751366af7461afc9480
Instruction Fuzzy Hash: 8A927030644209CFCB14CF68E984AAEBBF2FF88354F159659E455EB2A1DB30ED41CB51

Function 05CE2488 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123954330.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ce0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2341912dab4ac788c811ead08ff52b781b5b89673df2f55d667ac083142e1e31
Instruction ID: 9f1005aacbaca9688c8caa9194212fd27727d9d730d911e5b72624f96b2bbdd4
Opcode Fuzzy Hash: 2341912dab4ac788c811ead08ff52b781b5b89673df2f55d667ac083142e1e31
Instruction Fuzzy Hash: A8526F34A003058FCB14DF68C844B99B7B2BFC9314F2586A9D5586F3A2DB71AD86CF81

Function 05CE2483 Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123954330.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ce0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bd4a2922696acdea5a9896ac259479694eb30243c2f15493f876ec558ec207
Instruction ID: 4ac9a0fdb268738ac796abc42c0f3b21634531b9e952d8f9457b4ec2b463aa5a
Opcode Fuzzy Hash: a9bd4a2922696acdea5a9896ac259479694eb30243c2f15493f876ec558ec207
Instruction Fuzzy Hash: 41526F34A003458FCB14DF68C844B99B7B2FFC9314F2586A9D5586F3A2DB71A986CF81

Function 0730C80D Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34e687652b5b45369c8d722b153c786f7b16cdd4f1029a897a96c22da495baf1
Instruction ID: 31cb5b32af2c3c944a807effc4900062042e7898f832fe4d7cd00f05b9457afa
Opcode Fuzzy Hash: 34e687652b5b45369c8d722b153c786f7b16cdd4f1029a897a96c22da495baf1
Instruction Fuzzy Hash: 68C15CB0D1420ACFEB04CFA5C4915AEFBB6FF89300F14955AD416AB255D7349942CFD4

Function 02774AFB Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6812a13f3496ea66813df5054e29a80bb0d7236191c592859669360e701c5e
Instruction ID: f670e82cfd9de71067f17ec8b214914fbf303fa1213f4bcfc1528276160af81f
Opcode Fuzzy Hash: 3f6812a13f3496ea66813df5054e29a80bb0d7236191c592859669360e701c5e
Instruction Fuzzy Hash: BED10574E04269CFCB64CF65C9847D9FBB6BB89300F10D9EAD40AAB214DB709A85CF40

Function 0730C848 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b29a27e07058090c456c2d9cb042b12cd188b08ab72c31984f93f6608ba2bbb
Instruction ID: 462cf12aa5a55da9877478c126214423aa56f29b6a673bfad6874768b10c5110
Opcode Fuzzy Hash: 8b29a27e07058090c456c2d9cb042b12cd188b08ab72c31984f93f6608ba2bbb
Instruction Fuzzy Hash: 65C139B0D1020ADFEB14CF95C4919AEFBB6FF89301F209659D416AB254D734A942CFE4

Function 00E69CD8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeddb7fb34f9a20d0b8fb3269b57d10c8c503a5887d44288a2b6c3d44b155f52
Instruction ID: 4f0f01e13b6fe2f470570dd3ed3b15dc6a4f2715d7df229cfadcf0e5d9125f8e
Opcode Fuzzy Hash: eeddb7fb34f9a20d0b8fb3269b57d10c8c503a5887d44288a2b6c3d44b155f52
Instruction Fuzzy Hash: 69818034B042198BDB48DFB5A85477E77B7BFC8750B19852AE406E7285CF388C029B91

Function 0730A80F Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495df3f54ce8788f55c15956621077f4b07ebc97519e0e3832e48e204603ef07
Instruction ID: 712f31a4de6b36597318ad4791fc968201c10211210861c96df0ebaa47c67653
Opcode Fuzzy Hash: 495df3f54ce8788f55c15956621077f4b07ebc97519e0e3832e48e204603ef07
Instruction Fuzzy Hash: 3781E2B4E112498FDB08CFA9D994A9EFFB2FF89300F24802AD819AB355D7345905CF91

Function 0730B180 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb3b7683e0a5816a1e3ce555e3790eb379159bfb8ebf8b2c1a01614a877420d
Instruction ID: 30dbcba45445abd6f400b19dbeb7db98a1910c9f40b4d177202104f735e81dab
Opcode Fuzzy Hash: 9fb3b7683e0a5816a1e3ce555e3790eb379159bfb8ebf8b2c1a01614a877420d
Instruction Fuzzy Hash: 168119B4E1520A8FDB08CFA5C951AAEFBF6FF89340F24806AD419A7354D7349A41CF94

Function 0730A840 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f6c11e901750ed24823b504d29854cda66e0eab357d443e2ce042554786db28
Instruction ID: 98d0973867b9ae2b1c875a678d24dac6aec6cc494bad3425a06f18acc7ced0af
Opcode Fuzzy Hash: 3f6c11e901750ed24823b504d29854cda66e0eab357d443e2ce042554786db28
Instruction Fuzzy Hash: 7A71B3B4E102198FDB08CFEAD954AAEFBB6FF89301F10802AD519AB354DB745906CF51

Function 0730AF69 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2918a214711f5154fea0dc04a0432882045c8dcd6c5627f8f94d07c1b8a9c1ba
Instruction ID: 9ac8d92cd434ba3bce77be46e519f0f93d93875406bcf6da119a52128c24880d
Opcode Fuzzy Hash: 2918a214711f5154fea0dc04a0432882045c8dcd6c5627f8f94d07c1b8a9c1ba
Instruction Fuzzy Hash: 8C510CF0E152098FEB08CF96D950AAEFBF6EF89301F24C06AD419A7254D7348A41CF95

Function 02774048 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69b8a45ea66a950c4524f750041caa52b9b54f373cdc0d881d53420e709d1cc
Instruction ID: e47004cb89fb9bfe5edc1436d856f2a6deca23a6be2641f7f8ca8d8addeba5ec
Opcode Fuzzy Hash: c69b8a45ea66a950c4524f750041caa52b9b54f373cdc0d881d53420e709d1cc
Instruction Fuzzy Hash: 8A4112B4D1520A9BCF04CFA6D9516AEFBB6BB99300F10982AD521B6214D7784642CFA4

Function 02774038 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572ae0218dfc15bee3f76370e8e03196b00855718239e3a3a7861c087705cff9
Instruction ID: 957ae81535833eec6a47969d9a6886c5974fcbbdbfa2a314aa49aeb2a0907a79
Opcode Fuzzy Hash: 572ae0218dfc15bee3f76370e8e03196b00855718239e3a3a7861c087705cff9
Instruction Fuzzy Hash: 024146B4D0520A9FCF08CFA6D8516AEBFB2FB99310F10982AD511B7210D7784642CFA0

Function 0730B938 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e779dfe6b4a2bfc5277710a1da88ee8bdc842e56d1cc186e0169f06d784cdaf
Instruction ID: f71ace7aea3965df7e757f039a2efe35833a9b54322de39f4d95e788fd60b936
Opcode Fuzzy Hash: 7e779dfe6b4a2bfc5277710a1da88ee8bdc842e56d1cc186e0169f06d784cdaf
Instruction Fuzzy Hash: 893105B1E006198BEB18CFAAD8553DEFFF6AFC9310F14C06AD409A6264DB740956CF90

Function 072FA6E8 Relevance: 2.1, Strings: 1, Instructions: 883
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 072FAB9C

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 706ae89ccf282aec1bdee1cf576dfebc9477ecc033ec8bc953283fa65a55d4ac
Instruction ID: ff29b60cf526041514eeaa8637b6a589729563851720ca997c6400389a5a1165
Opcode Fuzzy Hash: 706ae89ccf282aec1bdee1cf576dfebc9477ecc033ec8bc953283fa65a55d4ac
Instruction Fuzzy Hash: 5E626C70A14209CFCB08BFB9E99969DBBB2BB49310F40897AE445E7364DF389C45CB51

Function 072FABE5 Relevance: 1.8, Strings: 1, Instructions: 510COMMON

Download Yara Rule

Strings

@, xrefs: 072FAB9C

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d7c99fa90c097c23e5865a25bd36c96d81ec39cb8b34590760f57a1aa3948003
Instruction ID: d3e5f60589aa09e49fa8d239f3a1375fa86e61257969cb29903c9a4dd298966c
Opcode Fuzzy Hash: d7c99fa90c097c23e5865a25bd36c96d81ec39cb8b34590760f57a1aa3948003
Instruction Fuzzy Hash: DD129EB0E19249CFCB14AF78E95969CBFB1BF4A310F4448AAD445E73A1EB384C45CB61

Function 05A481B0 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05A48406

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5beb8c7fea8aca027c00a44b91c9cbdd9c5c1a18839dc4113b4c379fb5c20e56
Instruction ID: f419b99f51bc825fb6d2326ddd9635a30a7d62e64938aa9c26224a97cc515b9d
Opcode Fuzzy Hash: 5beb8c7fea8aca027c00a44b91c9cbdd9c5c1a18839dc4113b4c379fb5c20e56
Instruction Fuzzy Hash: D7715770A00B058FDB24DFAAE544B6AB7F1FF88200F10892ED456D7A50DB78E849CF91

Function 05A4E9C5 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A4EAE2

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4b0818a5bec961f9cd7211be97c37a9e6db1a3e6344ab96884d128015740362a
Instruction ID: cd85ce11dafff9c3de314c3bd690bcf4fae742fe46eb319ad83317a2e6f4481c
Opcode Fuzzy Hash: 4b0818a5bec961f9cd7211be97c37a9e6db1a3e6344ab96884d128015740362a
Instruction Fuzzy Hash: 6951DEB1C00359DFDB14CF99D884ADEBBF5BF88310F24862AE819AB210D7759885CF91

Function 05A4E9D0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05A4EAE2

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 24a2e281a8502685ef85e6f8158abcc2096b2e0aa248e0332b622fd4272e480f
Instruction ID: c462b00c889808a6a2b10eb0a092a1aee775ade38ab901aaaec64df4603d0472
Opcode Fuzzy Hash: 24a2e281a8502685ef85e6f8158abcc2096b2e0aa248e0332b622fd4272e480f
Instruction Fuzzy Hash: 1B41A0B1D10359DFDB14CF9AD884ADEBBF5BF88310F24812AE819AB210D775A845CF91

Function 05A31080 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05A31141

Memory Dump Source

Source File: 00000000.00000002.2122655296.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a30000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1b4f6ab3c0397580a6e78b39fddf7d2907b52939de82ede45afc835e3060f427
Instruction ID: 474df62ca76734555c62a47442b12c805c4ba2c4d022b29c7bdde0e1129cf714
Opcode Fuzzy Hash: 1b4f6ab3c0397580a6e78b39fddf7d2907b52939de82ede45afc835e3060f427
Instruction Fuzzy Hash: 614106B4A00249DFDB14CF99C849EAAFBF5FB88314F24845DE519AB321D375A841CBA0

Function 027749D3 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55b37886b8059975daf1a97239a4f07c7653ac62158620439eead14dcadae9b
Instruction ID: 090863b9fc4fb26c1134fc31ab0cb142cc30dacf6b21322211286eaad229b6f2
Opcode Fuzzy Hash: b55b37886b8059975daf1a97239a4f07c7653ac62158620439eead14dcadae9b
Instruction Fuzzy Hash: B931E2718093899FCF12CF69C8517DBBFF4AF1A214F14809AD484AB252D3389948CFA2

Function 07309B11 Relevance: 1.6, APIs: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07309BC3

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f5a6fdf5726118555b7c3df62fe660ef67f54d1c41682b896bca464d8b5358a6
Instruction ID: 410d263ca4d0e673cbeaf645a7368e7d2e8a7380a247c94aa4675d1fbe9c52fc
Opcode Fuzzy Hash: f5a6fdf5726118555b7c3df62fe660ef67f54d1c41682b896bca464d8b5358a6
Instruction Fuzzy Hash: B0318CB580038ACFDB11CFA9D484BDEBFF0EB49320F24845AE458A7242C378A544CFA1

Function 0277C1C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0277C258

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 423a53bf3d2ebca9e44476a558ffa609baafd7f9491e7ff8f7cda387874bf0f7
Instruction ID: 62a8fbac93fdd79d7deebfd62161ae5da414835e2a770d17f8256c4d4105a21a
Opcode Fuzzy Hash: 423a53bf3d2ebca9e44476a558ffa609baafd7f9491e7ff8f7cda387874bf0f7
Instruction Fuzzy Hash: 74212272900349DFDB10CFAAD881BEEBBF5FF48310F14842AE919A7240C7799940CBA4

Function 0277B780 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0277B7FE

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 13a35b4e3a7910d8e3669b15c8f04e985bf231f3c99614935a3e3c74248e376b
Instruction ID: 8873234996ab15bc8720a2dcae62baf21d847b8390dbc98750451712eca0259a
Opcode Fuzzy Hash: 13a35b4e3a7910d8e3669b15c8f04e985bf231f3c99614935a3e3c74248e376b
Instruction Fuzzy Hash: 79212771D003099FDB10DFAAC485BEEBBF4EF88314F14842AD519A7241DB789945CFA5

Function 0277C948 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0277C9C6

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c1d330157f5c4dfe697369cac043e784f654cd5373c976909ba54bd7c1789754
Instruction ID: 85bb02ef6c193075035f29adbf183723b976e6c6121304f076869423b27093a1
Opcode Fuzzy Hash: c1d330157f5c4dfe697369cac043e784f654cd5373c976909ba54bd7c1789754
Instruction Fuzzy Hash: 48214771D003098FDB10DFAAC4857EEBBF4EF88214F14842ED459A7240CB78A944CFA5

Function 05A4A680 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A4A707

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 185931a3a7ed385739532eac5674ee2ef10acac1aef7f39621d28456d820f9d8
Instruction ID: c164da8a0f6c1aaa246960335d69eb078933d2f4c9a106c0c85834028465b002
Opcode Fuzzy Hash: 185931a3a7ed385739532eac5674ee2ef10acac1aef7f39621d28456d820f9d8
Instruction Fuzzy Hash: 1321D5B5900248DFDB10CFAAD884ADEFBF9FB48310F14841AE919A7351D374A944CF65

Function 05A4A67E Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05A4A707

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e9ed866613dbe94d826cc187421f397536b2dd8861be2bbf99cb95f5f7e09dad
Instruction ID: 0ce76f2bcbf35dbf722a9484bae329da0b8e4888ca5891b1b7ac4ce671b108b3
Opcode Fuzzy Hash: e9ed866613dbe94d826cc187421f397536b2dd8861be2bbf99cb95f5f7e09dad
Instruction Fuzzy Hash: FB21E2B5900248DFDB10CFAAD984ADEBBF5FB48310F14841AE918B3311D378A940CF61

Function 05A47C10 Relevance: 1.6, APIs: 1, Instructions: 61libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05A48481,00000800,00000000,00000000), ref: 05A48692

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 50be2d254753d2ce0f7520b6de6a7b176b8d4d48f9c058cbd3a4189ac78e3ebe
Instruction ID: 4d82f1fead9972363d8e70626b7eadc031b7530482eb74b8fd3d014c0074ee07
Opcode Fuzzy Hash: 50be2d254753d2ce0f7520b6de6a7b176b8d4d48f9c058cbd3a4189ac78e3ebe
Instruction Fuzzy Hash: B52168B18043898FDB20DFAAD844ADEFBF4AF88210F14805ED459AB211C3789505CFA6

Function 0277C6C0 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0277C737

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 2004476632ab8bf70825ebafed32d8b19a77aaae3a0c0d4f6a83b1266f2706c7
Instruction ID: 5151064ea1658cac80be4bbba6d31c13f26e6429a4b169b2627a9fce343695da
Opcode Fuzzy Hash: 2004476632ab8bf70825ebafed32d8b19a77aaae3a0c0d4f6a83b1266f2706c7
Instruction Fuzzy Hash: 7B211571800349DFDB10DFAAC885BEEBBF5EF48320F14842AD519A7240CB799941DFA1

Function 05CD9BBB Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05CD9C30

Memory Dump Source

Source File: 00000000.00000002.2123891257.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f6ce38b451fbffc8d4481b3f6f66ad40f7eae5a1fe3478b4850cb482c4bd0895
Instruction ID: 844d77a50807a48ea2452cb2f19b6bff71a50f22e040474481e326d0d6c1c17b
Opcode Fuzzy Hash: f6ce38b451fbffc8d4481b3f6f66ad40f7eae5a1fe3478b4850cb482c4bd0895
Instruction Fuzzy Hash: 5E2136B5C0065A9BDB14CF9AC445B9EFBF4BB48320F15852AD919B7240D338A940CFA5

Function 027727D0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0277284B

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 75d4f5ea9cea3ed6405ffb2d533672cb8e669ceb4da57517a851ab4e105b0330
Instruction ID: 18b097f85987087679b438013250b4c5f78746f63dc886d68a2c00be236403fc
Opcode Fuzzy Hash: 75d4f5ea9cea3ed6405ffb2d533672cb8e669ceb4da57517a851ab4e105b0330
Instruction Fuzzy Hash: 9721F4B5900649DFDB10CF9AC585BDEBBF4FB48310F14802AE858A7251D374A644CFA1

Function 05CD9BC0 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05CD9C30

Memory Dump Source

Source File: 00000000.00000002.2123891257.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6a6d6ea851dd3340423e479c582ef82f67c22792c60dc451fab2f7b4cb623bc1
Instruction ID: 6af52ae44a926b22c0342fab41a3cbaede3e62946fc2bc7c44d9cc928c5a3856
Opcode Fuzzy Hash: 6a6d6ea851dd3340423e479c582ef82f67c22792c60dc451fab2f7b4cb623bc1
Instruction Fuzzy Hash: 6E1144B5C0065A9BDB14CF9AC445B9EFBF4BF48320F14852AD918B7240D338AA40CFA5

Function 07309B50 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07309BC3

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 27ff00547692ca449356233f9ffdcd71cc0f4b5bc1463706b552f2af85f7bd27
Instruction ID: 28211ad22723945fc2a373d05f17397692dd2fea7e093d5d50c2fc6c6c1e4c70
Opcode Fuzzy Hash: 27ff00547692ca449356233f9ffdcd71cc0f4b5bc1463706b552f2af85f7bd27
Instruction Fuzzy Hash: 4721F6B5900649DFDB10DF9AC885BDEFBF4FB48320F14842AE958A7251D378A944CFA1

Function 027727D8 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0277284B

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5e3df1014626d190a47650995c19351de6f2f54a13e2152403d38589b38ffdc8
Instruction ID: f7d6cf83601ab4bbeef66397f92c709430c6b59112705182fc330b727c632637
Opcode Fuzzy Hash: 5e3df1014626d190a47650995c19351de6f2f54a13e2152403d38589b38ffdc8
Instruction Fuzzy Hash: A82114B5900249DFDB10CF9AC485BDEFBF4FB48320F10802AE968A7251D378A944CFA1

Function 05A48620 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05A48481,00000800,00000000,00000000), ref: 05A48692

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cc9f476a4ea8118c65b38eed1a12c88176fa49517d9f901027df406dc389eadc
Instruction ID: 76b334ae90f5465fc42cb37f8afd0902020fd82c878c8f86cc0ff83efe447c18
Opcode Fuzzy Hash: cc9f476a4ea8118c65b38eed1a12c88176fa49517d9f901027df406dc389eadc
Instruction Fuzzy Hash: 6A1126B6C04249CFDB10CF9AD484BDEFBF5EB88310F14842AD819A7210C379A945CFA5

Function 05A47C28 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,05A48481,00000800,00000000,00000000), ref: 05A48692

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c7789324725ab3e9f6f144778e0e9d68f4754c9bb6852cac0a06666dd6fe0f3b
Instruction ID: 45698c6ad274c14e341059f4d4d5834f93f887dad224be266d088fefab4631b6
Opcode Fuzzy Hash: c7789324725ab3e9f6f144778e0e9d68f4754c9bb6852cac0a06666dd6fe0f3b
Instruction Fuzzy Hash: AD1112B68003499FDB10DF9AD844B9EFBF5EB88310F14842AE919A7200C379A945CFA5

Function 0277BE50 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0277BEBE

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a4abddc399bb888d826e5c0282ae9f19d921c6ad49d5b1672555182a4bd59b82
Instruction ID: 0819d108c6f23a57df552050fcb624b7d2fcd3de20d13c1e6034526635c2b10c
Opcode Fuzzy Hash: a4abddc399bb888d826e5c0282ae9f19d921c6ad49d5b1672555182a4bd59b82
Instruction Fuzzy Hash: 271123729003499FDB10DFAAC845BDFBBF5AF88324F24881AE519A7250C775A940CFA1

Function 0277CBD0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0277CC32

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b1b541525d2890ef3c16d345b04fc78cc68aec2eaa796ab0bf1db33cd0cb1c7f
Instruction ID: 8df0febe05553c04bf23521b7e3bcdaba6ce8d8058e51c39946fe71685a668c4
Opcode Fuzzy Hash: b1b541525d2890ef3c16d345b04fc78cc68aec2eaa796ab0bf1db33cd0cb1c7f
Instruction Fuzzy Hash: 22113671D003488FDB24DFAAD84579FFBF5AB88224F24841AD519A7240CB79A940CFA5

Function 027749C0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0277D27D

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 463c00d2c92b4575e3839744e4fb4cbe01aacc4ef76a7678fe3711a4adf431bc
Instruction ID: 452d83ff2498fc538fbf12c64f25500a24180bfaa35c19f3bb54d7114ced8530
Opcode Fuzzy Hash: 463c00d2c92b4575e3839744e4fb4cbe01aacc4ef76a7678fe3711a4adf431bc
Instruction Fuzzy Hash: C211E0B5800348DFDB20DF9AD545BDEBBF8EB58320F10845AE918A7210C375A944CFA1

Function 05A483A0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05A48406

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 50af84813268cbb65f58bc8f8fbdf60f9b74c2a19e2306a72a105b347f7994e5
Instruction ID: 5fdd5bd413890877bcae7fe02e0b1fd38167d662f3bbe4a3233a3d16ee017de6
Opcode Fuzzy Hash: 50af84813268cbb65f58bc8f8fbdf60f9b74c2a19e2306a72a105b347f7994e5
Instruction Fuzzy Hash: 0311E0B5C007498FDB10DF9AD844BDEFBF4AB88220F14842AD529B7210C379A545CFA1

Function 00E6AB80 Relevance: .7, Instructions: 703COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659ae38eb6e107345c54fcccc643cb23158f0a6b297cc9a7de77199546e40ec6
Instruction ID: c4521f67c0939ba7369702fb887b844a417600a673c18e8bd890d5164faa0428
Opcode Fuzzy Hash: 659ae38eb6e107345c54fcccc643cb23158f0a6b297cc9a7de77199546e40ec6
Instruction Fuzzy Hash: 82520F34A0031CCFEB559BA8D860BAEBB72FF94300F1080A9D11AAB391DF355E859F51

Function 072F9F96 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4754a9fc8ec326d30ac64e324eef5da4c0872ecfd332457a650d4c5648ed62aa
Instruction ID: bf1cebfb1b40282c968df5f9289093a09692b29b5f5f737383bfb418ea743d75
Opcode Fuzzy Hash: 4754a9fc8ec326d30ac64e324eef5da4c0872ecfd332457a650d4c5648ed62aa
Instruction Fuzzy Hash: 8BE12170B18351CFCB05ABB8E85925D7BF2BF8A210F4185BAD485EB3A1DB3C9805C761

Function 072F9380 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2630e65d12fd1a8fd78f696b27441372873d5176cf790134e11dd81e1da5ea1
Instruction ID: 46f463a899fcfc9065fcbce32333969f478e174cb2c3c67bc836848cb956062d
Opcode Fuzzy Hash: b2630e65d12fd1a8fd78f696b27441372873d5176cf790134e11dd81e1da5ea1
Instruction Fuzzy Hash: 1DC1DF71B14216CFCB04BFB8E88E22DBBF1BB89210F414979D881E7354DE39A845C791

Function 00E687B8 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e3ea3adf8dee58c382069b7b452c326cc3fb200c0fd551d28986606843483f
Instruction ID: 02afc71a4db3487ec5436f61f17ba643540c7d646142a08c1b162a293a0abd3e
Opcode Fuzzy Hash: 45e3ea3adf8dee58c382069b7b452c326cc3fb200c0fd551d28986606843483f
Instruction Fuzzy Hash: FAE13E75A40204CFCB05CFA8D98499DBBF2FF89355B5A8199E455BB362CB30EC41CBA4

Function 072FA6D7 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4c903604425043fb31090f048fdabd4f73f6be69907f12b693db9b735697c4
Instruction ID: 017afe3ea5312066f2b8871f772ce175bdf5ff4858683b6ac523f227147d3a90
Opcode Fuzzy Hash: 0f4c903604425043fb31090f048fdabd4f73f6be69907f12b693db9b735697c4
Instruction Fuzzy Hash: ECC19170B14205CFCB08BFB9E89956DBBF2BB8A214F418879E445E7360DE39A805CB50

Function 00E6B778 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8a3c1ad71934b832e803de364d355df3ee1ab2e8650c34ee28302f879032d9
Instruction ID: 49d5a1c4005bc78ac0c8e98547c6258fdb7b42c5fa6f89fb1b80a64c240597b8
Opcode Fuzzy Hash: ec8a3c1ad71934b832e803de364d355df3ee1ab2e8650c34ee28302f879032d9
Instruction Fuzzy Hash: 8EB171303841018FDB299B79E99477D3796EF95784F1950AAE102DF3B2EB29CCC29741

Function 072FA004 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbe54da5779acf36925bcffcf01b02418c6dff781f7804ad04367f13d1caee0
Instruction ID: c079a74c938913801932b77c1b4971fe39b2a81d65deab8a93ceedf3731f3773
Opcode Fuzzy Hash: 1bbe54da5779acf36925bcffcf01b02418c6dff781f7804ad04367f13d1caee0
Instruction Fuzzy Hash: DBB1CF70B14215CFCB04BBB8E8996AD7BF2FF8A214F418579D485EB3A0DB399806C751

Function 072FA047 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31052a84c96533a7fcfc7177d7c45ed935c2b424e8ff2eea8510d4f6b197c8d3
Instruction ID: 0c5250c8e1acb44130209cd7341e2c56f9b8ec68334f119eb8d1766ebf1bf96d
Opcode Fuzzy Hash: 31052a84c96533a7fcfc7177d7c45ed935c2b424e8ff2eea8510d4f6b197c8d3
Instruction Fuzzy Hash: DFB1BE70B14215CFCB04BBB8E89D66D7BF2BF8A214B418979D445EB390DB39A805C761

Function 072F9337 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6dd2cb91bd38783589fc9d9c321e32fd6b25ac1a0fd9148d916c3dffbefb62
Instruction ID: ecf94510b37b53d5ddd3a6e3b0a8c592f3959c2d3b9674c4143cf750a194b918
Opcode Fuzzy Hash: 8b6dd2cb91bd38783589fc9d9c321e32fd6b25ac1a0fd9148d916c3dffbefb62
Instruction Fuzzy Hash: 94A1D171B14212CFCB04BFB8E89926DBBF1EB89610F4448BAD481D7390DE39A845C791

Function 00E663A0 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64319ef65fc319a98604f1bb56bceb9adda2a39377e6b90fe1bd707432e9ece
Instruction ID: 7aab3c4d78d1debd50b76c36df9de3618e9671e5e647aeeb7a04e2828f6cb688
Opcode Fuzzy Hash: f64319ef65fc319a98604f1bb56bceb9adda2a39377e6b90fe1bd707432e9ece
Instruction Fuzzy Hash: 98A1D1307402089FDB15AFA4E858B6E7BA6FBC8394F148429E506EB395CF70DD41DB90

Function 072F9373 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b065919596e478c1950541d3f47bb72806054cdc0a39a6952e8f11b2203b95
Instruction ID: 35405b62d80215775fc25f27b10b539ff82cf1c9c93753913cd07753ee039eab
Opcode Fuzzy Hash: b0b065919596e478c1950541d3f47bb72806054cdc0a39a6952e8f11b2203b95
Instruction Fuzzy Hash: 4691C071B14616CFCB04BFB8E89D26DBBF1EB89210F444979D881D7390DE39A849C7A1

Function 072FC548 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0414121e6a0a965c2fc46df44ecb4c47beba49ad1c4fafaf924d92468e8e211
Instruction ID: 516c0ef94657d237c85e309c5b714343990d62c4a87af3ff759cdb3cb1fdbb3b
Opcode Fuzzy Hash: a0414121e6a0a965c2fc46df44ecb4c47beba49ad1c4fafaf924d92468e8e211
Instruction Fuzzy Hash: EB91B370B2420ACFC704FBB9E99966EB7F2BF89610F408979D441A7354EB399C44C7A1

Function 00E68C80 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436a2120e4ee8282bf46eec44b0ab5179128cae6eaa9132e4ff6fcd6c10222ad
Instruction ID: 742871f0c254d1d5c7d9de7b5a0d33584086b44f655275270b6462424742d046
Opcode Fuzzy Hash: 436a2120e4ee8282bf46eec44b0ab5179128cae6eaa9132e4ff6fcd6c10222ad
Instruction Fuzzy Hash: C291A430A40209CFCB14DF68E984B9DBBB1FF84354F1581A9E855AB3A2CB31ED41CB91

Function 00E6BB56 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f14eaba4912e2ad070a121372b7d07ef4c4c40baa1460a7b31af36dbf776a93f
Instruction ID: 5fc109e1a791c41f0941a252e5a1caac6485bc0aeafdb3ef358e8f161b94be83
Opcode Fuzzy Hash: f14eaba4912e2ad070a121372b7d07ef4c4c40baa1460a7b31af36dbf776a93f
Instruction Fuzzy Hash: E5718F313842108FDB149B39E454B69B7A6AF84794B1950BAE805EB3B2DF35CCC1D750

Function 072FC20C Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1950a47e032603fba844cbd5241fcf98cf28e598bdde7184af474723e02758
Instruction ID: 5db9626cf73dfe83fd53fede68e0b46843f4bb319a3264e12bf661c7c9ef0e7b
Opcode Fuzzy Hash: 6c1950a47e032603fba844cbd5241fcf98cf28e598bdde7184af474723e02758
Instruction Fuzzy Hash: 7171D330B14206CFC704FBB9E99A66EBBF2BB85610F41457AD444E7354DE389C48C3A1

Function 00E666A0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910be014f93c8e339f65f16d81ff956cad75cd76ecf3557d85f09f10e6c09c3b
Instruction ID: 2167e55daa72caa240aa97bc74d53a5cbdfba2fbf232cb8f37227e1ec958cfb5
Opcode Fuzzy Hash: 910be014f93c8e339f65f16d81ff956cad75cd76ecf3557d85f09f10e6c09c3b
Instruction Fuzzy Hash: BB6102303542048FDB199B79E85473E7BA2AFC8398F24952EE442DB3A1DF74DC41A790

Function 00E6C22F Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 280645be78e7e42d6d7da42c867697550a4f3bb1f64027da9bd13b57f942e9ec
Instruction ID: dbb9dcca4fe00f2cdf75ea0e5aa3ec1bf0693f4b51dda7e7b873d94a05c52cac
Opcode Fuzzy Hash: 280645be78e7e42d6d7da42c867697550a4f3bb1f64027da9bd13b57f942e9ec
Instruction Fuzzy Hash: C35103303843044FD7289A7DAC54B7A77A7AFC5750F2981A9E196EB3E5CE30DC0183A5

Function 00E6A831 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1add83e48815b0edaded0e54ca6f6117eb8463117dec2830059b60b31ee2e798
Instruction ID: 8ea7cd01ae53e25873884371d28cbe3cc8956b0765b74aa58a72f6dc16b27594
Opcode Fuzzy Hash: 1add83e48815b0edaded0e54ca6f6117eb8463117dec2830059b60b31ee2e798
Instruction Fuzzy Hash: DE51B531B441018FD714DF39E99896A7BE5EF8579432E50BAE41AEB262DB30DC01CF51

Function 00E66AE0 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef566152b8723f2bc7fad907581ae8a27cd53769aba2c12f41b9e69de0a93843
Instruction ID: 8c83463a69029f9efb5ca5c21b32ca001762d939dfa9ca66c5e8c5020e860f7f
Opcode Fuzzy Hash: ef566152b8723f2bc7fad907581ae8a27cd53769aba2c12f41b9e69de0a93843
Instruction Fuzzy Hash: 19617E34A90A05DFCB14CF69E8889A9FBB2FF89344B259169D442FB361D731EC41CB61

Function 00E6BDD1 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c14cc7f5a7561be9797598d45f2d896be80cae07fe8812d79e19be445818fb8a
Instruction ID: cdfd74d1ab8a15676f92c270f7a744bfa432247c5c315809e08f0c7dd469b066
Opcode Fuzzy Hash: c14cc7f5a7561be9797598d45f2d896be80cae07fe8812d79e19be445818fb8a
Instruction Fuzzy Hash: 0351D3317442488FDB29AB756C6427E3AE76FC1780318546AE407EB3E2DF28CC86A751

Function 00E6A1F8 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d381b0016e840165860acb0b4f18e0edb4ed31d14e751598726436a28ff11a80
Instruction ID: f383a87b358fd91eae510c99e719465350598fcdd262c7c3267e3306932ba1e0
Opcode Fuzzy Hash: d381b0016e840165860acb0b4f18e0edb4ed31d14e751598726436a28ff11a80
Instruction Fuzzy Hash: 2A51F2717842148FDB159F64E854BAE7BE2FF85348F088469E805BB3A2DB75CC01DB92

Function 00E68610 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1815234f6926f7a775a999ce9b42f3e93f285f37895c61642ff882738e60a5cb
Instruction ID: 834b5cff2ceca3041bfa91a075dd170fdd4eb1b3a6606746d3d74aeccaa0ee51
Opcode Fuzzy Hash: 1815234f6926f7a775a999ce9b42f3e93f285f37895c61642ff882738e60a5cb
Instruction Fuzzy Hash: 8341BD357042048FDB189BA8E954AAE7BB6BFC9750F24416AE506E73A1CE309C028B91

Function 00E6BFF0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c83892323c2a524982894ed3329ce0ac4e7adeee0d11e6454a6610857f6114f7
Instruction ID: 2eda835eb17fa910da0d7713a38e6b1cf463fd8030b04d0de915b0acb1480911
Opcode Fuzzy Hash: c83892323c2a524982894ed3329ce0ac4e7adeee0d11e6454a6610857f6114f7
Instruction Fuzzy Hash: 62510734A402048FCB44DF69D498AADBBF2BF8D354F2580A9E855EB3A2CB759C41CF50

Function 00E690E1 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f7a69ee1aaac45440bceb5c3d25018b73389c696147df6954237eca96dc201
Instruction ID: a6f2fd0c855d1665ea11c112a7e10b2f9e9c2d2b2863e624920a0259fd2d90bb
Opcode Fuzzy Hash: 53f7a69ee1aaac45440bceb5c3d25018b73389c696147df6954237eca96dc201
Instruction Fuzzy Hash: 1241AE35B06213AFDB215BB57C0836EBAD56FC2350B25847AD445E7292DF39CD46C780

Function 00E65053 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c1b2ce34bb87e2f8e65e38c43ac81916aa4c29646d2d5868f83000365cca41
Instruction ID: 5c907d9faa4b0cf1cea9611e29ae9e5807f813279c79854cccca8baf6677a76c
Opcode Fuzzy Hash: e8c1b2ce34bb87e2f8e65e38c43ac81916aa4c29646d2d5868f83000365cca41
Instruction Fuzzy Hash: EC412436B406058FCB149BB8E8546AE77E2BFC9744F15856AE406EB3A1EF30CC01DB91

Function 00E6A630 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17efe73f83c5c2531573cabe9bdb0f1a392d6029c7851fc5b85459ab5d71a4c
Instruction ID: a750d8c561b84bb92774c45ef67b285daafb8f186e6b5c7bc831e30ed0bfa3a2
Opcode Fuzzy Hash: e17efe73f83c5c2531573cabe9bdb0f1a392d6029c7851fc5b85459ab5d71a4c
Instruction Fuzzy Hash: 72417E74A442058FCB14DF68E888AAE7BB1BF48754F18006AE516EB3B1C730DD40DFA2

Function 00E6D588 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886b4d32c7cdae8a78611b0666b8e11984ffe2abb0a02b9e6d13ee5ce0691317
Instruction ID: 6a232f2b9c3083b19e37acedf44addd0fe563468a64cbc0451120dd4838b8ef8
Opcode Fuzzy Hash: 886b4d32c7cdae8a78611b0666b8e11984ffe2abb0a02b9e6d13ee5ce0691317
Instruction Fuzzy Hash: 9741F5317482589FCB159F68EC5466E3BE2EF85394B458069F80ADB3A2CB34DC41DBA1

Function 072F09FF Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77710973267988db6c6f3edf02ea15371283fc8e709469fef122455f343546a8
Instruction ID: 935fc6355ccca41ea689b48354f59d414816e1928df0c11b61285d6106a6d524
Opcode Fuzzy Hash: 77710973267988db6c6f3edf02ea15371283fc8e709469fef122455f343546a8
Instruction Fuzzy Hash: 3E31D630718211CFCB08BBB9E8A9A6E7BF6BFCA614B11446AE445DB352DE398C05C351

Function 00E64F22 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e1be7539ae2aac1625c2cef1d67f2df977407716051c385860069acecd5f97
Instruction ID: 52536b39e1560aa52b1233768eecbe1896f6724aee01951cca66e5d3133f39a9
Opcode Fuzzy Hash: f5e1be7539ae2aac1625c2cef1d67f2df977407716051c385860069acecd5f97
Instruction Fuzzy Hash: E931C371B843118FDB149B78A814A3A3BE6BF8A750B1594B9E506EF3E1DE71CC01C791

Function 00E6AA61 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91c713e5ba6289f26533ad17819bffe3415f3883d1dcd7c89b766013a622081a
Instruction ID: 3bfeab586081c8a7056d2200c1777c4562c407118e4a67338c9bc1bb50743a12
Opcode Fuzzy Hash: 91c713e5ba6289f26533ad17819bffe3415f3883d1dcd7c89b766013a622081a
Instruction Fuzzy Hash: 16214730B442408BDB151779A8A077E3793AFC5788F1C903AD402EB3A1EA65CC82EB42

Function 00E655E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55a22c8b926d7838a2f718691b475e75573e427a280c8597b116166feecd399
Instruction ID: 5e3ad73b7b00276ab3dfe9da05c3b621ea2a484125a4b49de955255e1d7fce92
Opcode Fuzzy Hash: c55a22c8b926d7838a2f718691b475e75573e427a280c8597b116166feecd399
Instruction Fuzzy Hash: 003162317046099FCF05AFA8E85466E7BA2FB88354F50C029F9059B3A5CB35DD51FB90

Function 072F0A18 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0af860a26b2b312cc4b389513390447597d6cd78e8328b965166f561d69d40
Instruction ID: 15e49c624eb001ae0e0b502205b0ea99b5707fee5226d531189b6892bfea7d43
Opcode Fuzzy Hash: 9b0af860a26b2b312cc4b389513390447597d6cd78e8328b965166f561d69d40
Instruction Fuzzy Hash: 3D21BF30714115CFCB08BBBDE899A2E7BEABFC9614B40486AE445DB351CE3A9C058391

Function 00E6A978 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25aa6f23c46ed6ee5b55cdeada101a7950dff70b19bb3bfa0e7f028165a8828e
Instruction ID: e435c997f963bdfd8700d82e3c8702bdc2005ee068fbc1e7c0567f3454f684ad
Opcode Fuzzy Hash: 25aa6f23c46ed6ee5b55cdeada101a7950dff70b19bb3bfa0e7f028165a8828e
Instruction Fuzzy Hash: 8221A231B481458FCB14DFA5B984ABB7BE9AB85788B2D9437E451FB241DB30CC40DB62

Function 00E668F0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2cf3892bd371df7a562c73ffb8a1f4f71a6934eba9cc296504f3df2b36cd3d
Instruction ID: d6c85c84bc2d8051aff9f1a91db0875787bed9b4cb43fdb852526898257e22c8
Opcode Fuzzy Hash: 5f2cf3892bd371df7a562c73ffb8a1f4f71a6934eba9cc296504f3df2b36cd3d
Instruction Fuzzy Hash: B42125317546118FC7159B78D86492EBBA2FFC63947158179DC46EB3A5CE31DC02CB80

Function 072FC10F Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5995c58a0acaaf4af8c671734d670a200324713e32e3613b46117c50a103e85b
Instruction ID: 413b76ac2cd8e2ce68edcd25bf9159652f77758155249dadd87b7f3f1e1c6df5
Opcode Fuzzy Hash: 5995c58a0acaaf4af8c671734d670a200324713e32e3613b46117c50a103e85b
Instruction Fuzzy Hash: 9021B031718211CFC704BBB8EC9966F7BE5FB89224F80497AD449D3390DA399805C3A1

Function 00E6BD10 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4338a6f85eaacd2b6207c194499f22eb0f07c27ac8b16e5a8f18292db05c135
Instruction ID: b84a30c779a490c2128e7df16bfd8c6f5be0ca9ea8ede8fae5c2aab30c2b7f95
Opcode Fuzzy Hash: e4338a6f85eaacd2b6207c194499f22eb0f07c27ac8b16e5a8f18292db05c135
Instruction Fuzzy Hash: 4B218E7A7405108FC7149B2DE884A2AB7E6AFC8B64B19407AE805EF372DF71DC41CB90

Function 0099D290 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111400735.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f62645828c6ac103cc16f0a04931cdbad91f7270c733c47da54c7c5a2d71247
Instruction ID: 1fbbca088657d01cf696b25640faaf13751fd33e14aac74777cce01e7595fb40
Opcode Fuzzy Hash: 9f62645828c6ac103cc16f0a04931cdbad91f7270c733c47da54c7c5a2d71247
Instruction Fuzzy Hash: F2213472504304EFDF14DF18D9C1B2ABFA5FB98319F24C569E8090B246C33AD856CBA2

Function 072FC120 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22f58f507fa99dc7813a0915b43f2cf7ff7c2997f8767ab53927bfaeb339b98
Instruction ID: 8f54af59cd3271627c7c1c8515b313850dcd62df5fcfa5bb50f3d9d8fe75bb99
Opcode Fuzzy Hash: f22f58f507fa99dc7813a0915b43f2cf7ff7c2997f8767ab53927bfaeb339b98
Instruction Fuzzy Hash: 95119D31B14215CBC704BBF9EC9966F77AAFB89224F80893AE409D3354DE39981583A0

Function 009AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111461641.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db15c0e6116d1ce2da704969bc636ef2cc28e548ee43df795c4d48ca86b1c2e2
Instruction ID: 2712e1a7df6c75b0b008ce81cd0edeb124150dc52e5a6f0c6af3f3c8df715742
Opcode Fuzzy Hash: db15c0e6116d1ce2da704969bc636ef2cc28e548ee43df795c4d48ca86b1c2e2
Instruction Fuzzy Hash: CD213771504304DFDB14DF24D9C0B26BB65FB85314F20C96DD80A4B646C33AD807CAA2

Function 009AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111461641.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28582ff7895609351d9efabacdc079fadeb17fdc6b582aaf5c3c7ee4089ae214
Instruction ID: 0cdb05c14788b61bcbb850cde70df489c56f7dfd5cdc56566eb0a1a60631e47a
Opcode Fuzzy Hash: 28582ff7895609351d9efabacdc079fadeb17fdc6b582aaf5c3c7ee4089ae214
Instruction Fuzzy Hash: 47212971504304EFDB05DF54D9C0B25BB65FB85318F24C96DEC0A4B652C33AD846CBA2

Function 00E6C3D8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 008f218828f8083bd04a969f7a2d7fd83c4fd95cc225a980453eda5ea72d4641
Instruction ID: af99188f373c07bdc943f2f3e58c863fd70f47e4fca1dfd5d61e3bab3ea653e9
Opcode Fuzzy Hash: 008f218828f8083bd04a969f7a2d7fd83c4fd95cc225a980453eda5ea72d4641
Instruction Fuzzy Hash: 2311C6313043295FE328DABF6860B7B22CB7FC8B94F354479A486DB394DE65CC4192A1

Function 00E64E58 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ed57b514619983b644e0269d135f47c36b10e5ba4c3238254b01846263c167
Instruction ID: 5f661f5de0257501928048c10140e34b4889d0190cc9584ad1979b65021a7c2a
Opcode Fuzzy Hash: 82ed57b514619983b644e0269d135f47c36b10e5ba4c3238254b01846263c167
Instruction Fuzzy Hash: AC11B475B001088FDB589BBDAC1826E76A7BBC83A1B144139E406DB3E0DE358D0187D0

Function 00E64E48 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c6663bb7701e3f70186889d3ef70ae26aa0ea016117e5e72680de3e91d93f4
Instruction ID: 40c7eb16c96b99fb0d449bcf9ded7223425aecf14d68e1e9e6954591b6b95d64
Opcode Fuzzy Hash: 56c6663bb7701e3f70186889d3ef70ae26aa0ea016117e5e72680de3e91d93f4
Instruction Fuzzy Hash: 8E117DB6F481044FCB148BBD6C152AE7AA7BBC53A0B58113AD055DB3E5EE318D06D7A0

Function 00E655D1 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5c3cc3a227a535d39cc8828a2b7f1567c52324a1c3d8b2f18a0c4c2ec317c6
Instruction ID: a185f03d5b6d8c1edbfbb28a416cb620c47297a3fecba281a8f99062105af60b
Opcode Fuzzy Hash: bb5c3cc3a227a535d39cc8828a2b7f1567c52324a1c3d8b2f18a0c4c2ec317c6
Instruction Fuzzy Hash: 4021D532749648DFCB019F68E85476E3BA1FF85358F448069F805DB2AACB34DD14EBA1

Function 00E68600 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4b7398563bdfbd09f216534f94b8291b9ecc3e135a157b761506906899c1750
Instruction ID: dcd63ec14cfaabb87a1c53cca62462b8aa70a3773adc3ced6139d2719afa4e28
Opcode Fuzzy Hash: e4b7398563bdfbd09f216534f94b8291b9ecc3e135a157b761506906899c1750
Instruction Fuzzy Hash: 8B21723AB051089FCB148FA5DD88BDEBBB6BF8C350F144169E516A72A0CA719C11CB91

Function 00E6FF28 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d170ccc387af65a0689ee36de6c5c071b05dbb9aa39785dbc9bf52f0ec41af27
Instruction ID: 64ce752fb37bfa25f7f1a9b6b4721f2c85966b48eb585fbcc79f005d7bb31619
Opcode Fuzzy Hash: d170ccc387af65a0689ee36de6c5c071b05dbb9aa39785dbc9bf52f0ec41af27
Instruction Fuzzy Hash: B411BE317406159FD729DA69E844FAAB3A6BF85708F008639E109DB360DF34EC05CBE0

Function 072FC0CF Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17895757a6f178ae75a2fe42e052642bbda2cebfc8fa0432ab745560e32cdf8a
Instruction ID: 64f56033a700c19b05b046034c0a431311eb4814748a7b2b724c963f14f11ade
Opcode Fuzzy Hash: 17895757a6f178ae75a2fe42e052642bbda2cebfc8fa0432ab745560e32cdf8a
Instruction Fuzzy Hash: 3E11CE71B24215CFCB04BBF8EC9A26EB7E1FB89224F804A7AD445D3350DE3D98598391

Function 00E67380 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9cbe5b96a7b29c2ecdbbee8e39000e82765367421672fae39e4b10c88403a5
Instruction ID: cef453fd5cdffe5cffe947722833d6975d542b753be2a52dcc5dbad65a32f203
Opcode Fuzzy Hash: 7c9cbe5b96a7b29c2ecdbbee8e39000e82765367421672fae39e4b10c88403a5
Instruction Fuzzy Hash: 9F21AC319042089FCB20CF54D948BAABFF1EB48359F04C66EE4AAAB651D7749D44CFA0

Function 009AD006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111461641.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a297d9648d5616edf592652d7f7dca654faf2c9257ca9ff2c258d7690e00612
Instruction ID: 8d2205bcb0014dd2f4f2165ec54acd189158010e266247e740b9c0799ddab4fe
Opcode Fuzzy Hash: 0a297d9648d5616edf592652d7f7dca654faf2c9257ca9ff2c258d7690e00612
Instruction Fuzzy Hash: 5821A175509380DFDB12CF20D994715BF71EB46314F28C5DAD8498F697C33A980ACBA2

Function 00E6A050 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7e9da83df538f4e642b0962275ab6a4e400ffb33771ec51f3eb2d6d83458fe
Instruction ID: fc809609a60a02a74aab92db719bdbe361fc27e72e0fe5a61491e2fca0c300e7
Opcode Fuzzy Hash: 8d7e9da83df538f4e642b0962275ab6a4e400ffb33771ec51f3eb2d6d83458fe
Instruction Fuzzy Hash: 9811E231A492498FCB119F68E8946AA3FA1EF45394F085039FC05EB252CB35CD54DFE2

Function 0099D28B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111400735.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction ID: 268af2475f3ffb48d7fefcd675fdd987c791ef253c775ab41235202a514ac623
Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
Instruction Fuzzy Hash: 0311D376504240DFCF15CF14D9C5B1ABF71FB98314F24C5A9D8090B656C33AD85ACBA2

Function 00E6A060 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33294796ccb64fa33c87f1116a9374643367b4e6d90d054e1f433bdb2e5893d
Instruction ID: afe691186b4461198b1b9c1226008227a535d594d6cc8875a6ab5dee9caa1c79
Opcode Fuzzy Hash: b33294796ccb64fa33c87f1116a9374643367b4e6d90d054e1f433bdb2e5893d
Instruction Fuzzy Hash: BF11C231A401099FCB519F68E884AAA7BA5FF443A4F045039FD05BB251DB32DD60EFE1

Function 009AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111461641.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ad000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction ID: 70e052cf074abddaf927c0dd891dc43dec4f359951deafaf17ce3012162af1b1
Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
Instruction Fuzzy Hash: 22118B75904280DFDB15CF10D5C4B15FBA1FB85314F24C6A9DC4A4BAA6C33AD84ACBA2

Function 00E69208 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634d5753afe8d4d2d536358c8ad6078c526d1308fe038fcd4f1668f9cb2d6f72
Instruction ID: 9288ed979ed75270dd01f3d06e0bd4dc6bccd82c8ee1338db460e6c0e9fbc6c9
Opcode Fuzzy Hash: 634d5753afe8d4d2d536358c8ad6078c526d1308fe038fcd4f1668f9cb2d6f72
Instruction Fuzzy Hash: F301B176E40229AFCB10ABF9F8141AEBBA8FF84751B014126D805F7261EB34DD51CBD1

Function 072FC0D3 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067c106c1d56d0d89713fd7965ec76e7063503cb2d47ad77cc5c6943e314e2cb
Instruction ID: d0569c59ec8a65c29e8ba38dbcdff10c185d42f47b61ddc761fa2685471ba610
Opcode Fuzzy Hash: 067c106c1d56d0d89713fd7965ec76e7063503cb2d47ad77cc5c6943e314e2cb
Instruction Fuzzy Hash: AC018B3040E3D68FC7038B749C659E67F71EE4320434946DBC092CF5A3EA39080AC762

Function 0099D7D1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111400735.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bf5693ef1f07c09a5c0410f11ff4b7d8d5bfbd159bef26954ca074528922e4
Instruction ID: 0824acf2f503d28b5edfa3f326680fa314c4f649fd58839506091a7d6fa27a79
Opcode Fuzzy Hash: c4bf5693ef1f07c09a5c0410f11ff4b7d8d5bfbd159bef26954ca074528922e4
Instruction Fuzzy Hash: 5F01A271506344ABEB204B6EDDC4B67BBDCFF85760F18C45AED090A283C3789844CAB2

Function 0099D7D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111400735.000000000099D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0099D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_99d000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1175c3c1628e8926c8db393875adfef88488da85a1b4ed64f17fa554a73c932
Instruction ID: ee0dfc201ffda1f0c9796c0b6a9f6d4052dadc0fefef660740951e68a1e8aa7e
Opcode Fuzzy Hash: e1175c3c1628e8926c8db393875adfef88488da85a1b4ed64f17fa554a73c932
Instruction Fuzzy Hash: B1F06D71405344AFEB208E1AD9C4B62FFECEB95774F18C55AED084E283C2799C44CAB1

Function 072F91D1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125397684.00000000072F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72f0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69cded4e6d6909febc84941457e3cb800a98c2f4915b41ae365baef91b1c908
Instruction ID: e352f731f41175888ee0abedc6f343f0902c9399d377d44a41f4758c12a8ab68
Opcode Fuzzy Hash: d69cded4e6d6909febc84941457e3cb800a98c2f4915b41ae365baef91b1c908
Instruction Fuzzy Hash: F7F09AB150E3869FD7229BB0AC285143F35AF5222931D01EED186CA0F3DB79E406CB22

Function 00E6B5E0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ccd95d8c40d6234dede19ba2e5c3ea97078d68d765f50ad4e233a23309f987
Instruction ID: a83273c83a13cbe4d2b3fe0b49ac92c1e14190098c081f98c2c555b4f556416e
Opcode Fuzzy Hash: a5ccd95d8c40d6234dede19ba2e5c3ea97078d68d765f50ad4e233a23309f987
Instruction Fuzzy Hash: 4CD05E7398D1A02ED321515A78489BF5F98C6D13B8F2506BFF49AD2142D5424C8142A5

Function 00E6B5E8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 8c9df776e32ec80882357d3b54db432f6c69896325dab1fd038a9a8f31ae90f3
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 45C0123354C1242A9224104EBC409A7664CC2C13F8A210137F51CD320094425C8101E4

Function 00E6A3A8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f15b69d62dcd624301fdff07e89e5c8c4befe52f1fe27ff245e9c0d8457890
Instruction ID: a14ca8b7af4c7f95d2de7300e556b96653664a6d35573bfeeb6f5e4af795fc4f
Opcode Fuzzy Hash: d4f15b69d62dcd624301fdff07e89e5c8c4befe52f1fe27ff245e9c0d8457890
Instruction Fuzzy Hash: B6E0C23800D3C94FDB03A7F6ACD95893F71AAC22043088697D4058B067CA781846CB51

Function 00E6A3B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ebcf59a7da19404d358bef2fc0cfd66e9608a55046f07237bde2dad2179040
Instruction ID: 7c7dc57348fc7414119bac7d260c3b099d7a4e3272750838334095253768eacb
Opcode Fuzzy Hash: c2ebcf59a7da19404d358bef2fc0cfd66e9608a55046f07237bde2dad2179040
Instruction Fuzzy Hash: EFC0123000830D8FDA05F7F9F8C559A336AB6C46147449920A8090A12AEF74394586D1

Function 00E6A1D2 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111902032.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe104a865f242a8bec3ae2273d2157280b951069220505be30eb521f526f49e
Instruction ID: 1be7ee2ce0ab7e9177aa68a54e58e84bc49ec508df603047a891eda6a721e97a
Opcode Fuzzy Hash: 4fe104a865f242a8bec3ae2273d2157280b951069220505be30eb521f526f49e
Instruction Fuzzy Hash: 04B0123330410C8BC300AF94F4084CA3310E7C02327208133E2058005447329427AB90

Non-executed Functions

Function 05A4ADFC Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

`, xrefs: 05A4ADFC

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-4168407445
Opcode ID: fc8eb5d393961a5694ba67cfd13a9936ef010c7d6aafe1b8d866664b47e66938
Instruction ID: 292c11c427c76d188c25d45a131006d2a7eae295c99ff6ccb70462fcfd98d602
Opcode Fuzzy Hash: fc8eb5d393961a5694ba67cfd13a9936ef010c7d6aafe1b8d866664b47e66938
Instruction Fuzzy Hash: 75A15C32A012198FCF05DFB4C9549AEB7B3FFC4310B25856AE816AB261EB75E945CF40

Function 0730D6F0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

L~, xrefs: 0730D7DE

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: L~
API String ID: 0-3876828424
Opcode ID: 8f35c8d0fb2a4b592a5fe26ca5f9f2f9082b1d55c4b10a826690d4b52c504013
Instruction ID: 7630ee49e59f3304a66e1a878abe700bcf030a7bff1f64109592ac87ba5a2c56
Opcode Fuzzy Hash: 8f35c8d0fb2a4b592a5fe26ca5f9f2f9082b1d55c4b10a826690d4b52c504013
Instruction Fuzzy Hash: 629134B4E21219CFCB04CFA9C58499EFBF6FF89310F249419D009AB660D734AA02CF95

Function 0730D6E0 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

L~, xrefs: 0730D7DE

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID: L~
API String ID: 0-3876828424
Opcode ID: c636265b0e7c0c83aec65a7be4ad7382fe37d53c0acde5db44edb63dda5788ee
Instruction ID: e24ec04b122510cb6cf7e3562e4bd8a3e247deb34bdd75f7d6aa7788708e5a09
Opcode Fuzzy Hash: c636265b0e7c0c83aec65a7be4ad7382fe37d53c0acde5db44edb63dda5788ee
Instruction Fuzzy Hash: 1F9137B4E25219CFCB04CF99C58499EFBF6FF89210F24841AD009AB764D730AA02CF94

Function 07300040 Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d51df7a7870ad58fc26ea5a0f451487764eafe0219abaec254af219ae83a04
Instruction ID: ea09a1d7611b742a9d4cf3f16cf1c4e3c9c9ae944188948bfa8d6ddd3a53b495
Opcode Fuzzy Hash: 89d51df7a7870ad58fc26ea5a0f451487764eafe0219abaec254af219ae83a04
Instruction Fuzzy Hash: E732E270A043458FCB09EFB9C8A965DBFF2FF8A204F15856AD045DB262DF399805CB91

Function 07300007 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881c34dceeb6a21d3bf90a2300bfbe4b73b8e427aadab8bb92c78073b315d1b3
Instruction ID: 631e7996084003696b1028918d5fb6d364d02610cc201974aabf39beeee087de
Opcode Fuzzy Hash: 881c34dceeb6a21d3bf90a2300bfbe4b73b8e427aadab8bb92c78073b315d1b3
Instruction Fuzzy Hash: A022C171B10215CFCB08EFB9D89959EBBF2FF89304F51862AE005AB255DF399845CB90

Function 0277E390 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062eeb1ea9dd0e710e29f9767ce4fa782b48775c71c9a44d3972ca2e7b96f282
Instruction ID: a2db06b4f0c14e55fe60351ab8467119c1a6ffa360f10ffd6d4c880a3aa6d555
Opcode Fuzzy Hash: 062eeb1ea9dd0e710e29f9767ce4fa782b48775c71c9a44d3972ca2e7b96f282
Instruction Fuzzy Hash: 1DF19B307007448BEF2AEB79C954B6EB7E6AFC9704F5484ADD1468B2A1DF35E802CB51

Function 05CEC3B0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123954330.0000000005CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ce0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d4a87d3785d907e26f3a413063b44ab1010804b4fe59fa3c3a831bf7046d53
Instruction ID: 871d2e78dd3af8c47f62019870977105ca2acdf253352894d6ad0ed635613a65
Opcode Fuzzy Hash: 29d4a87d3785d907e26f3a413063b44ab1010804b4fe59fa3c3a831bf7046d53
Instruction Fuzzy Hash: FAA1A570B002149FEB18E7B9885477F62EBAFC9600F648579E00ADB784CF789D428BD1

Function 05A4CD20 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad0400a6db4b450a47e3dc43b43b10846b951e3474e58be1b6de5cadea22de4
Instruction ID: 9ae36450cabaff79ab732aa82cb332c3927310ce381d371d4429efeee4aa26ed
Opcode Fuzzy Hash: cad0400a6db4b450a47e3dc43b43b10846b951e3474e58be1b6de5cadea22de4
Instruction Fuzzy Hash: E0129EF04107468EE7289F66ED4D1893BB1EB85318B58422BD2613A2F5D7B9118FCFC6

Function 0277EE10 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4467c340159dcee0cc45c74590ea7160a3c10763541c658f7f24c979b1025685
Instruction ID: 88bbc84e09d21ab56874f609423ffc9d47e876ecfafebd1a2c23df8a38fb8423
Opcode Fuzzy Hash: 4467c340159dcee0cc45c74590ea7160a3c10763541c658f7f24c979b1025685
Instruction Fuzzy Hash: 41D1C234A00605CFDB08DF69C698EA9B7F1BF8D705F2580A8E406AB761DB31AD41CF61

Function 05CDD1FB Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891257.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16df990c7fe4aad5a923f29fd57b7fb1d8b9b4f49eab8d87ceb2a22994c8037d
Instruction ID: c5c4bdba01389e02ea1687a4dc7d5a54dda625800ca3c9f2b67d26988be89a79
Opcode Fuzzy Hash: 16df990c7fe4aad5a923f29fd57b7fb1d8b9b4f49eab8d87ceb2a22994c8037d
Instruction Fuzzy Hash: EBD1D635C2075ACACB10EBA8D9916ADB771FFD5304F508B9AE0493B211EF706AC4CB91

Function 05CDD200 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2123891257.0000000005CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5cd0000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798f6a7dbc8f61788846c6a75b1990228e45c187a2dcd89e3ec3470e18be857d
Instruction ID: f1bfc380dda45c41a971c92030b06f46ac5eb4b98545b5caaf6bae7e06664567
Opcode Fuzzy Hash: 798f6a7dbc8f61788846c6a75b1990228e45c187a2dcd89e3ec3470e18be857d
Instruction Fuzzy Hash: 22D1D635C2075ACACB10EBA8D9916ADB771FFD5304F508B9AE0493B211EF706AC4CB91

Function 027779C0 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2535680d34261a5480404e1bade509b753edf7f9106d97946f708504d976fe
Instruction ID: f41c9822efbdd8ad0cfb4f624bc8a7e3523a19e21cb2f7557a3ce920e147263c
Opcode Fuzzy Hash: 4c2535680d34261a5480404e1bade509b753edf7f9106d97946f708504d976fe
Instruction Fuzzy Hash: C6A11670E15218CFDF08CFA9D985AADFBB6FB89300F14992AD50ABB254D7349901CF54

Function 027779B1 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac4b2dfb6d31c8a1925bf4c807bc3ffb5a716351cc78765389305a72015a8ec
Instruction ID: 24e1156335d3c182a4e7f1ff9eec55fe1b2c0764b61c7562652016d2fd54abc3
Opcode Fuzzy Hash: 4ac4b2dfb6d31c8a1925bf4c807bc3ffb5a716351cc78765389305a72015a8ec
Instruction Fuzzy Hash: 9BA134B0E05218CFDF08CFA9D945AADFBB2FB89300F14992AD40ABB254DB349941CF54

Function 05A4CD10 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122700750.0000000005A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5a40000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb5f9f67bbe22ba7f5372aeb5e23749123b5447b200bf4440ec4ab98c03f42bd
Instruction ID: 3377f84ab378ad927c5be351eb7dd157d54864c6494083b2253a70ed4a44363e
Opcode Fuzzy Hash: eb5f9f67bbe22ba7f5372aeb5e23749123b5447b200bf4440ec4ab98c03f42bd
Instruction Fuzzy Hash: EFC1C3B08107458EE728DFA6ED491997BB1FF85314B18422BD1613B2E4D7B9108FCF86

Function 0730EB80 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3adf16a9285d866cd194317e707f4578d348974dac44d0288ad8a0dd12c17c6
Instruction ID: 92f7aa79d094eb28a288ea88302d639e20d11c7dbd02c83fec831f572efbb844
Opcode Fuzzy Hash: c3adf16a9285d866cd194317e707f4578d348974dac44d0288ad8a0dd12c17c6
Instruction Fuzzy Hash: 657149B4E19219CFDB08DFA9C5805DEFBF6FF8A210F24942AD409B7354D3309A418BA4

Function 0730EB90 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd36d6296c5447f69239a37d7f84e3cb8db215db611fa45e0b9273a0306392c
Instruction ID: 752a3aeeeca0f6d691c382b067d0e1acbd77eb65307760f9246a5d8e70f38552
Opcode Fuzzy Hash: 2bd36d6296c5447f69239a37d7f84e3cb8db215db611fa45e0b9273a0306392c
Instruction Fuzzy Hash: EF7128B4E19219CFDB04DFA9C5805DEFBF6FF8A210F24982AD419B7354D3309A418BA4

Function 0730E2E8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1306cd4ca6750c3ef50bd9be3173c21d46b59e7b6384389fcb03fec9df55a767
Instruction ID: f635204624cb249a4eb1657befc0ee29f2753d4b17d88e4fa1bc879a72b3d46e
Opcode Fuzzy Hash: 1306cd4ca6750c3ef50bd9be3173c21d46b59e7b6384389fcb03fec9df55a767
Instruction Fuzzy Hash: D77102F4E5421ACFDB04DFA9D5909AEFFB5FF89210F18885AD419A7250C330A982CF95

Function 0730E2D8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ca7697daee42c410bc04d01c34d306ab0cf07ccd0535a664a6d8fbf149ceba
Instruction ID: a171c054d0b53f949d80fb4212961c9dc9762cbfa3b5ee103ed14b2bc9d948fa
Opcode Fuzzy Hash: 41ca7697daee42c410bc04d01c34d306ab0cf07ccd0535a664a6d8fbf149ceba
Instruction Fuzzy Hash: 886115F4E5424A8FDB04DFA9C5909AEFFB1FF49310F18889AD419A7251C334A982CF95

Function 0730E5DB Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4727a86f492bc01c3b4865371617b35632fcb1cdbe0a5dcffa513212dbf5ff57
Instruction ID: ba2a072d432e7581733a3ed49d4133a2724d98d6e66c2255cf48ea729f30c9a8
Opcode Fuzzy Hash: 4727a86f492bc01c3b4865371617b35632fcb1cdbe0a5dcffa513212dbf5ff57
Instruction Fuzzy Hash: 1E6147B4E14209DFEB14DFA9D5915EEFBB5BF49300F14C86AD458AB280D3349A42CF94

Function 02770007 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3554b74ee124adfea827a27148e8dc56b4d6d4392079e5d82225254bafbbb6
Instruction ID: 16cf4e3d65ea67839b27f2668bdfee5084e6dc3e3b50cf5decfab608c925c928
Opcode Fuzzy Hash: fe3554b74ee124adfea827a27148e8dc56b4d6d4392079e5d82225254bafbbb6
Instruction Fuzzy Hash: B9516CB1E057588FEB19CF678D4528AFFF3AFC9200F18C1EA8549AA265EB3409458F11

Function 0730EFB3 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57df157f924a791904bd3eca8dbab8d84600750f21e555f4f2a37884c351e79
Instruction ID: 706e32e61e0e6d6eac86541a53337e2c0caffdc653a49893d765751061d6e0e0
Opcode Fuzzy Hash: c57df157f924a791904bd3eca8dbab8d84600750f21e555f4f2a37884c351e79
Instruction Fuzzy Hash: C341F8B5E012198FEB68CF6AC95079EFBF3BFC9200F14C1AAD409A7254D7304A458F91

Function 0730CC88 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5f23cda50f929b97a247ac7ffd2a992556bc8fb19965c048e29d23cfea2738
Instruction ID: 4855d2fec3cea9230c1a28f240b2618a2bb22ee5dd9ea55f8d3676bf22390089
Opcode Fuzzy Hash: ce5f23cda50f929b97a247ac7ffd2a992556bc8fb19965c048e29d23cfea2738
Instruction Fuzzy Hash: 604148B0E152098FDB44CF99C9505EEFBF2BF8A210F14A66AC419B7354D3309A42CFA4

Function 0730E958 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defbc9fb5a9eaa0543f4cec1ee8ad4d7279066104519e1815c7d59ddf835ac10
Instruction ID: d77f2ef17c78a02e8e4970c1136d37d334b2723f50cc507d33a36a60b27235a4
Opcode Fuzzy Hash: defbc9fb5a9eaa0543f4cec1ee8ad4d7279066104519e1815c7d59ddf835ac10
Instruction Fuzzy Hash: 3B4109B1E1020A9FEB48DFEAC5515AEFBF6BF89300F14D46AC419A7254D33496418F94

Function 0730E95C Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fadd9b3b4eef7752b5791eec64973b457b7611475d9e7d4611871ed4c5eaf16
Instruction ID: 86cb11191b2a406ae542c74a60288b65621ca70dde68daec7cfec7d304773e41
Opcode Fuzzy Hash: 6fadd9b3b4eef7752b5791eec64973b457b7611475d9e7d4611871ed4c5eaf16
Instruction Fuzzy Hash: 5C4118B1E1060A8FEF48DFAAC5515AEFBF2BF89310F24C46AC419A7254D3389641CF94

Function 02770040 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b46c52bacf757ef718164a1ea1d5008993e9100f635c9fcbd1e83795af5d144d
Instruction ID: 62aa1a8c938b2df6aadaba17cea95d2652eed691e9e7c5ef2a50df925bb04ad0
Opcode Fuzzy Hash: b46c52bacf757ef718164a1ea1d5008993e9100f635c9fcbd1e83795af5d144d
Instruction Fuzzy Hash: 26415CB1E116588BEB68CF6B8D4479EFBF7BFC9300F14C1BA850CA6215EB3009858E51

Function 02777BB9 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15449c6b4503895c4e7445edfef5922bae568026837ef60fbd75e68ce29d3635
Instruction ID: bd0d9eae8f172779278d7ace46417f52c4ff2d59707fc2477561f7e627792fa9
Opcode Fuzzy Hash: 15449c6b4503895c4e7445edfef5922bae568026837ef60fbd75e68ce29d3635
Instruction Fuzzy Hash: D84106B4E05219CFDF58CFA9D945AAEFBB2FB89310F14982AD106B7254E7349901CF18

Function 07309C00 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2125451980.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7300000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31589a78b289a93ba9bf5fc4af6cb2b9b4f53583a6864ca4df15fab4ddba4a8d
Instruction ID: 69558c0799c085c79094d429f514cca6f3f2708b8e03c1f4afba6235ce7f0b83
Opcode Fuzzy Hash: 31589a78b289a93ba9bf5fc4af6cb2b9b4f53583a6864ca4df15fab4ddba4a8d
Instruction Fuzzy Hash: D631DDB1E056188FEB18CFABD95079EFBF7AFC9200F14C0AAD558A6254DB340A458F51

Function 02773210 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f246c96a6d81f1b596f4eee7ae8cb39badb4b62e98b1447509a1c71b1584a8
Instruction ID: 81879757aeb256598304dbb6b82f27af31de9caa598ebecd2693ed8cd8962223
Opcode Fuzzy Hash: 90f246c96a6d81f1b596f4eee7ae8cb39badb4b62e98b1447509a1c71b1584a8
Instruction Fuzzy Hash: 402158B1E102198BDF08CFAAD8406EEFBF7AFC9210F14C17AD418B7254DB304A018B91

Function 02773200 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 284f76bd2f985fff4180b1c2b162912d70ca42f5a8103f107ca46d764bd63dd2
Instruction ID: eb2fcb265d32c70755fbc1b4e81fce818f059d0890f26e8331b7541a6d4b2636
Opcode Fuzzy Hash: 284f76bd2f985fff4180b1c2b162912d70ca42f5a8103f107ca46d764bd63dd2
Instruction Fuzzy Hash: 49214DB1E116198FEB08CFAAC94169EFBF3AFC9210F14C17AD418B7264EB344A458F51

Function 02778378 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7856b12700792df78b45104f2e7e1f3825cdaa2a61cd13f1dca67244d26208d3
Instruction ID: 7460368941a4db508118e551873f0bd1b87eb01bf75fdf749a1b0514630f6465
Opcode Fuzzy Hash: 7856b12700792df78b45104f2e7e1f3825cdaa2a61cd13f1dca67244d26208d3
Instruction Fuzzy Hash: A11126B1E116198BEB08CFABD94469EFBF7BBC8210F14C07AD518A7214DB305A118F62

Function 02772B80 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6275c0a58b70641edddcfb05aa50dfd559f5e94b03f605badf5b708da1191a0
Instruction ID: 65d35fda06e75e8c5997968ab8873c57224102d45f6e3827843d35569e6162c7
Opcode Fuzzy Hash: c6275c0a58b70641edddcfb05aa50dfd559f5e94b03f605badf5b708da1191a0
Instruction Fuzzy Hash: 77112971E116199BDB18CFABD9406EEFBF7ABC9210F14C07AD418B7214DB305A058B54

Function 02773878 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac5783d8be7d3ecc6c8fe02fe8494b22947da52d7b762d2188c20537d812d9f
Instruction ID: 694e553cb6dbec202d32b15c575fa32c6176f4f3b7d3464f0d4da5629e0d4bea
Opcode Fuzzy Hash: 1ac5783d8be7d3ecc6c8fe02fe8494b22947da52d7b762d2188c20537d812d9f
Instruction Fuzzy Hash: 15112671E116199BDB18CFABD9416AEFBF7EFC8210F14C07AD418A7214DB305A158F61

Function 02776800 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c00f1b4adf9078978952a747be94d4b6786d13cd82bbea3f6881fd2df110c3
Instruction ID: e24e3b14e41aadcd07f804d05768b95af3e1fefe1241e55f2243d22c261403c0
Opcode Fuzzy Hash: 38c00f1b4adf9078978952a747be94d4b6786d13cd82bbea3f6881fd2df110c3
Instruction Fuzzy Hash: 71111471E116188BDB48CFABD9406AEFBFBAFC9210F14C03AD508B7218DB305A458F91

Function 027767F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675c6998f8372bd1b3198e804ac1472df1fb3d42c908ed278c04d2d4555ac41a
Instruction ID: f5dde9a6f42093466807f608375809042f2995dc255c33deb61fa23f117102c5
Opcode Fuzzy Hash: 675c6998f8372bd1b3198e804ac1472df1fb3d42c908ed278c04d2d4555ac41a
Instruction Fuzzy Hash: B2216DB1E116198BDB48CF6AC94069EFBF7AFC9200F14C47AD408B7258D7304A46CF51

Function 02773869 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4488ac1aa699fc4aa4f408a4ed5eccf1ca27338ccc12ca7422b661e5034a6c4
Instruction ID: 0135630cf455cdf8340ae5b47c00c83e76c0c713db090adeff1e5e02f554186f
Opcode Fuzzy Hash: c4488ac1aa699fc4aa4f408a4ed5eccf1ca27338ccc12ca7422b661e5034a6c4
Instruction Fuzzy Hash: BB216A71E112499FDB08CFABD94129EBBF3AFC9300F14C0BAD808E7214EA344A418F61

Function 02776798 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d979d4d36882bfe79ecb76cef0230d58aa2d2dd8d735e965bf6d78235d794f56
Instruction ID: ac7bcb71aa4a6ce8bbc994616cb7846603fe7938ecf957a338d23e22999b48b6
Opcode Fuzzy Hash: d979d4d36882bfe79ecb76cef0230d58aa2d2dd8d735e965bf6d78235d794f56
Instruction Fuzzy Hash: F11137B1E116198BDB48CFAAC9416AEFBF7AFC8210F14C47AD508B7258DB304A46CF51

Function 02772B78 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2112415454.0000000002770000.00000040.00000800.00020000.00000000.sdmp, Offset: 02770000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2770000_LisectAVT_2403002A_35.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c79ec435f73e07a796f8033d5dfeee5ded0232d74c4b37adf1699af5072f92
Instruction ID: 591847dcdc024a4f03035bccbca60451c6b32c65a75dfdd178930ee195f43976
Opcode Fuzzy Hash: 97c79ec435f73e07a796f8033d5dfeee5ded0232d74c4b37adf1699af5072f92
Instruction Fuzzy Hash: 221119B1E116198BDB1CCFAAD9416AEFBF3AFC9200F14C07AD818B7214EB304A458B54

Analysis Process: RegAsm.exePID: 756, Parent PID: 7756COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	21
Total number of Limit Nodes:	4

Executed Functions

Function 054D9BB0 Relevance: 2.9, Instructions: 2879COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79402c93a2d56c7d3c7275c87a52e3ffe183a312176f37eec1bfac0d9d7261e
Instruction ID: 3801b8e0b638fb3d0d24253d16fc621fd1741b3f09ad3494d15d675d7a1d94b8
Opcode Fuzzy Hash: a79402c93a2d56c7d3c7275c87a52e3ffe183a312176f37eec1bfac0d9d7261e
Instruction Fuzzy Hash: 5763DB31D107198ADB11EB68C994AE9F7B1FF99300F11D6DAE45877221EB70AAC4CF81

Function 054DD060 Relevance: 2.3, Instructions: 2334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef3da2b0b92e50b132a9c8676a609d9a2e0aa36ae0d3ce7975e277e99517e0f
Instruction ID: a726a9d5080f47f4fe1fc59ffd995ae51d9753f046df0b2a7cd87dea03b6a932
Opcode Fuzzy Hash: eef3da2b0b92e50b132a9c8676a609d9a2e0aa36ae0d3ce7975e277e99517e0f
Instruction Fuzzy Hash: F6332E31D106198EDB11EF68C890AEDF7B1FF99300F15C69AD449AB211EB30AAD5CB91

Function 054D9400 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5783ce4f5e162bb33f931f54874f0060dcd7060954878c79a6ffa9447788d901
Instruction ID: 89683e8c4ceaad4d3f135845f0d4f0705cfb230f80a362fd627c3195ee3c7c70
Opcode Fuzzy Hash: 5783ce4f5e162bb33f931f54874f0060dcd7060954878c79a6ffa9447788d901
Instruction Fuzzy Hash: 53323D35A002059FDB14DF68D494BAEBBB2FF89710F1485AAE905EB391DB35DC41CBA0

Function 054D4A58 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 511915b397d870b44372642c121eadb60f5a524caf738c0a39a7911db910300f
Instruction ID: a34dbe5aad7b74446de6bff1539e4adabc1993013ef9f5f120c32eccbe9abcd7
Opcode Fuzzy Hash: 511915b397d870b44372642c121eadb60f5a524caf738c0a39a7911db910300f
Instruction Fuzzy Hash: 8BB14B71E002098FDF10CFA9C9957EEFBF2BB88714F14812AD415AB354EBB59845CB91

Function 054D3E40 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ccf5733ab5eb0e162b448cd3b8133073bcbaa9461308cc6cb132eecc7c5458
Instruction ID: fad6af16b6ce566c84d4aadce0b8fa830f1e7d1b0864c963ff1732898493f3e0
Opcode Fuzzy Hash: 32ccf5733ab5eb0e162b448cd3b8133073bcbaa9461308cc6cb132eecc7c5458
Instruction Fuzzy Hash: 19913A70E002099FDF10CFA9D9957EEFBF2BB88314F14852AE415A7394EB749845CBA1

Function 0641E0B8 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2665148959.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6410000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202a8ceb9edeec364422dbeb89310d25116d8eddca4154711500174b9ff67458
Instruction ID: 5d81b8734e97ee6fe0f4eab12562a3f380bafa5925f246c774a7317511f65b5f
Opcode Fuzzy Hash: 202a8ceb9edeec364422dbeb89310d25116d8eddca4154711500174b9ff67458
Instruction Fuzzy Hash: E841F372E043958FCB15CFBAD8046EEBFF1AF89210F14856BD804AB251DB749845CBE1

Function 0641D4A8 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0641E10A), ref: 0641E1F7

Memory Dump Source

Source File: 00000006.00000002.2665148959.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6410000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 485486b31a6d10861c3d8318b32d60188febe484f74e3744f5f5a5f2691f0e45
Instruction ID: a5f7df7506afec28fe2123cf973d1781d08459d66ea2baae6bee3c658b921de5
Opcode Fuzzy Hash: 485486b31a6d10861c3d8318b32d60188febe484f74e3744f5f5a5f2691f0e45
Instruction Fuzzy Hash: 1C1130B1C006599BDB10CF9AC844B9EFBF4AB48220F14816AE818BB240D378A944CFE5

Function 0641E189 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0641E10A), ref: 0641E1F7

Memory Dump Source

Source File: 00000006.00000002.2665148959.0000000006410000.00000040.00000800.00020000.00000000.sdmp, Offset: 06410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6410000_RegAsm.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 567998e22672fbf07d36cf139eadbdf5bc03b354d68ef26fba7622df7b08189c
Instruction ID: f8f36635c702d130415cd3fe57b8bc4e04117d9c3c523202669ae8bd50be0fa9
Opcode Fuzzy Hash: 567998e22672fbf07d36cf139eadbdf5bc03b354d68ef26fba7622df7b08189c
Instruction Fuzzy Hash: DF111AB1C0065A9BDB10CF9AD944BDEFBF4AF48324F14815AD814B7240D378A944CFA5

Function 054D7990 Relevance: .6, Instructions: 554
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd11ed13d09ec7b08ed917ab3ec14e92adb7fffe1a8176b1f8278dfa6cf0823f
Instruction ID: baf55fdeee4e0741df83ba430702833c5da20c777fa60e992c3bb24c388a614e
Opcode Fuzzy Hash: dd11ed13d09ec7b08ed917ab3ec14e92adb7fffe1a8176b1f8278dfa6cf0823f
Instruction Fuzzy Hash: 8F125F307102068BDB25DB7CE5A4AAE76E6FFC9204B50997EE006CB350DF39DC469B91

Function 054D4A4C Relevance: .3, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc446587a863daef569b4cce5eaeb0e777d9dc07ec344d6cd955e55f8be82a48
Instruction ID: c4b684d8b5cfe6c7eb515fd1a6cb68cde51b7fbbb60ea8802a8782ceb1fee7d1
Opcode Fuzzy Hash: fc446587a863daef569b4cce5eaeb0e777d9dc07ec344d6cd955e55f8be82a48
Instruction Fuzzy Hash: E4B13871E002098FDF10CFA8C9957EEFBF2BB48714F14812AD815AB354EBB59845CBA1

Function 054D93EC Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b21371821932bb383b4589a3134323fe8b892693ea718f5729bd4e00b3fed04
Instruction ID: 32ad45181003e526251d3cd401f64dac783d78b4a26eda505ec8f7ef852d413d
Opcode Fuzzy Hash: 7b21371821932bb383b4589a3134323fe8b892693ea718f5729bd4e00b3fed04
Instruction Fuzzy Hash: E5911A34A00205DFDB15DF68D594AADBBF2FF88710F14856AE806E7395DB35AC42CB60

Function 054D3E34 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e297ed187f1611412873afafcae970162567cbce8dafba0e83827b8131914ecf
Instruction ID: 75c2a2788622becb6e9080f3dfd54e869654315cc0ea8b3cc520a881b33c6d77
Opcode Fuzzy Hash: e297ed187f1611412873afafcae970162567cbce8dafba0e83827b8131914ecf
Instruction Fuzzy Hash: B4911670E002099FDF10CFA9D9957DEFBF2BB48314F14852AE415AB394EB749845CBA2

Function 054D47C4 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14618cdda2c1d5904ed034f4721664607792d22186eb5003a76f409d0b8fea49
Instruction ID: 00cc4c9a9a5971133d1210ada604dcc84134a7aeaa69c1a2bb083437b088ad18
Opcode Fuzzy Hash: 14618cdda2c1d5904ed034f4721664607792d22186eb5003a76f409d0b8fea49
Instruction Fuzzy Hash: 75814870E00249DFDF10CFA9D995BDEFBB1BF88314F14816AE415A7294EBB49841CB61

Function 054D47D0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b530dab87e482c20c96042b6e85edfa4313bb47a622bdd1b3808df00511fe4
Instruction ID: e0a4d871b6e57f513a2074cad95a40d939910f12dcc37266cae2fd94f96fde09
Opcode Fuzzy Hash: e6b530dab87e482c20c96042b6e85edfa4313bb47a622bdd1b3808df00511fe4
Instruction Fuzzy Hash: A8714870E002499BDF14CFA9D8957DEFBF2BF88314F14816AE415A7354EBB49841CBA1

Function 054D6E92 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234e31cd0e88f10f5ae8a5ad6626ef0a437d95791a5c7d44d2015c06291173cf
Instruction ID: 456b2328d4a9cf121d376735f05dc9d4c314cbeeb239db15f883feb294fd4586
Opcode Fuzzy Hash: 234e31cd0e88f10f5ae8a5ad6626ef0a437d95791a5c7d44d2015c06291173cf
Instruction Fuzzy Hash: 0441C370A002099FDB15DBA4C860BAEFBF2FF85350F15856BE415EB380EB75D8428B61

Function 054D6C96 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64511faa098296e5c356a1388f4f22b0138d71de0ae4328a56dc035cf9540ef
Instruction ID: b7fab925e507acb34bdac9d2792c424b1dcb377e4d3c3695853ff5dd4caec487
Opcode Fuzzy Hash: a64511faa098296e5c356a1388f4f22b0138d71de0ae4328a56dc035cf9540ef
Instruction Fuzzy Hash: EF5115B0E002288FDB14CFA9D899BDEFBB1BF48314F15815AD819AB350D7749844CF64

Function 054D6CA0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2228d203d969ed45a0afdd37accb4b73387a036e68542a00f4e0868dcbe8840c
Instruction ID: 22d8ee58ad6c14e105ebc4e66ad51e0a9d9b00e4991ca0c74ab36c17e902ec29
Opcode Fuzzy Hash: 2228d203d969ed45a0afdd37accb4b73387a036e68542a00f4e0868dcbe8840c
Instruction Fuzzy Hash: 19510570E002288FDB14CFA9D858BDEFBB1BF48314F15816AD819AB351D774A844CBA5

Function 054D1110 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9855eb2cc765c9916f49ade5fffdd75974738ac0db0dfee76d1459b7d4146a90
Instruction ID: 80356bc2d56dd33128920846f0310c68fb8f439c534043a04409a23963368515
Opcode Fuzzy Hash: 9855eb2cc765c9916f49ade5fffdd75974738ac0db0dfee76d1459b7d4146a90
Instruction Fuzzy Hash: 6D51FA71201345CFDB16EF6CF885A863BAAFB9570470461B9D1006B266EB7C6D09CF82

Function 054D4F48 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375d5a69a14112c70c9dcacca1e5f50937cf03d8583920012d190e644086b477
Instruction ID: 7c9861c5c2b4a092b1f1d4ce3fb9d0a36629d281b8e599515729923b0daa2961
Opcode Fuzzy Hash: 375d5a69a14112c70c9dcacca1e5f50937cf03d8583920012d190e644086b477
Instruction Fuzzy Hash: 5B413B31A002058FDB24DF69D458BEEB7F1EF88214F1144AAE406EB3A5DB799D05CBA1

Function 054DF665 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240b05ea6a97772dfb9f8840cfca23b9c38a22fc8a7565f433ad01aaebfd76a0
Instruction ID: f401e8d73abd1a28fdb1e3665bd3190381605317a14150947cac92aea56a8517
Opcode Fuzzy Hash: 240b05ea6a97772dfb9f8840cfca23b9c38a22fc8a7565f433ad01aaebfd76a0
Instruction Fuzzy Hash: 4631C4317002069FDB699F74D564AEE7BA3BB85610B1485AAD407DB380DF39DC46C790

Function 054DF678 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe570ec6aaac710ea6bbf84251688bd99db20f6b0b1e62bed1e3e0daf45e432
Instruction ID: fde0075e3a7620fb36ca585aa391cc110bfdb85f37a48df28c9b5a80c6ea1514
Opcode Fuzzy Hash: 0fe570ec6aaac710ea6bbf84251688bd99db20f6b0b1e62bed1e3e0daf45e432
Instruction Fuzzy Hash: F231D2307002069BDB699F78D564AEF77A3BB89610B24846AD407DB380EE35CC4687A0

Function 054D6F30 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014e78050c7b9a75886013fa55bccd3ac07397ff87fbaa3e0eea4b5ece19b43d
Instruction ID: a402d929fef0b5709fe5e935da80c200529aae8c87c291bb05bf3ffa2d283d59
Opcode Fuzzy Hash: 014e78050c7b9a75886013fa55bccd3ac07397ff87fbaa3e0eea4b5ece19b43d
Instruction Fuzzy Hash: 04315E70E106099BDB24CFA5C464BEEFBB2FF45354F15856AE402EB384EB71A846CB50

Function 054D1138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81308753a430c6ee3b365ad3ee7288108b8ab3823f84daed08fda382478b30b
Instruction ID: 9c8d9ac9a3657a03b56fad61cf66cde11f2b722705818dc5573ce4ab18f0b9eb
Opcode Fuzzy Hash: a81308753a430c6ee3b365ad3ee7288108b8ab3823f84daed08fda382478b30b
Instruction Fuzzy Hash: 5341CA71211345CFCB1AEF6CF9849863BAAFB9570470462BDD1006B266EB7C6D09CF82

Function 054DF528 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935175773e7d7391037faaaa7c5472ea0d275a860d4b5a62ff753a62ddc5b6d0
Instruction ID: d9b4daa64dded092ee200962d200c83ed6132dbac9b56e6a83adbc83e95cd85d
Opcode Fuzzy Hash: 935175773e7d7391037faaaa7c5472ea0d275a860d4b5a62ff753a62ddc5b6d0
Instruction Fuzzy Hash: 61314D34E106069BCB18CF68D4A4A9EBBF6FF89300F54856AE846E7351DF71E846CB50

Function 054D269C Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b795eefdc61928c3f91239e3f45d7d5dd8483f2f50556cfed62c2d85e17fbb6d
Instruction ID: ce9891ed69e6b05a16426688a9e626be8f1377407ad4b0934cfefed11c37ba94
Opcode Fuzzy Hash: b795eefdc61928c3f91239e3f45d7d5dd8483f2f50556cfed62c2d85e17fbb6d
Instruction Fuzzy Hash: 9741F2B4D00349DFDB10CFA9C994BDEBBF5BF48314F24802AE409AB250DB759946CB91

Function 054D92D7 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f91d95dc59c8adfa97bc592221ce6109763edcd8f49ec1602f0d062f5ac45a
Instruction ID: 2e630883282ef80171649083e8651cb4f1414cb9737eb372ee29e2371c723226
Opcode Fuzzy Hash: d6f91d95dc59c8adfa97bc592221ce6109763edcd8f49ec1602f0d062f5ac45a
Instruction Fuzzy Hash: 69318530A0020A9BDB18CF55D494BEFFBB6FF89700F14865AE805E7380DB719842CBA0

Function 054DF538 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23ea30900ec41f8f40b3c95fbacf0007a19e4756d44b702fe302844807a290f2
Instruction ID: 76ae648b95ab284ca56f7291bd9267a495a4fd8bfb98f2f0197878fce3090342
Opcode Fuzzy Hash: 23ea30900ec41f8f40b3c95fbacf0007a19e4756d44b702fe302844807a290f2
Instruction Fuzzy Hash: 44314134E102059BCB14CF64D4A4ADEFBB2FF89300F14856AE806E7351DB71AC46CB50

Function 054D26A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dfba750259789d0db521eb1a774fa1516544a3ff6d49031f309d3c6bf90e43
Instruction ID: a388dd8e7557c5c58733e274664176b0302dd985fceaf015ced680bf0f249337
Opcode Fuzzy Hash: e5dfba750259789d0db521eb1a774fa1516544a3ff6d49031f309d3c6bf90e43
Instruction Fuzzy Hash: BE41E174D00349DFDB10CFA9C994ADEBBF5FF48314F14802AE819AB250DB75A945CB90

Function 054D5058 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95183fa66c5127d5a535622cc105ccae05f3cefdd0502d689ecea580f2806082
Instruction ID: aab571e9c15f5964d9c889e66484ef932d1f72d45a6898c8322128150501e421
Opcode Fuzzy Hash: 95183fa66c5127d5a535622cc105ccae05f3cefdd0502d689ecea580f2806082
Instruction Fuzzy Hash: C1310C30B002158BDB15EF65C5646EEB7B6BF49245F5004AED802AB790EF3ADC45CBA1

Function 054D5068 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2363fb9127cb6cf53bb174144941f4c61750e1d2eba46c4cecbb1b04ecbb3611
Instruction ID: a2e092c3b4847131410fa586ae94f9fc16faadf6c802498d20925cd9b9005902
Opcode Fuzzy Hash: 2363fb9127cb6cf53bb174144941f4c61750e1d2eba46c4cecbb1b04ecbb3611
Instruction Fuzzy Hash: F2310E307002158BDB15EF64C5646EEB3B6AF89245F5004BED802AB754DF3ADC45CBA1

Function 054D7049 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da6afa6b6800c37ad2a28ca8a732d0119c7bbf25d550f25b30c4fc1e635cedf
Instruction ID: 6b2a0835b1de8a1d6bf0e1e84f52e87445f8717d10e7b1ad7712fdb0b1d2378f
Opcode Fuzzy Hash: 4da6afa6b6800c37ad2a28ca8a732d0119c7bbf25d550f25b30c4fc1e635cedf
Instruction Fuzzy Hash: B5313A34700214DFDB09ABB8E464B6E77A7FFC9704B6440A9E4069B3A4CF3A9C46DB51

Function 054D6B40 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6977d41d33ec534f9ca5fba526e72cbac543d20ec78bf196cbc492be280da97
Instruction ID: 62eefacf568eb53bef66fa4670846832b1998f7bc850e0075fa0180bf23c4259
Opcode Fuzzy Hash: b6977d41d33ec534f9ca5fba526e72cbac543d20ec78bf196cbc492be280da97
Instruction Fuzzy Hash: 39213B636082515FD3169778D8257EA7FB6EB83224B1542EBD094CB3D2DA19C84683A2

Function 054D92E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aefc1a2f853c642920af02adb49f0222918358ff248aa052333fd8ba9ce47d
Instruction ID: 745cace37ce279415b7e12f7adfe44c7cedbe08009c448a656ca915c5c086050
Opcode Fuzzy Hash: 14aefc1a2f853c642920af02adb49f0222918358ff248aa052333fd8ba9ce47d
Instruction Fuzzy Hash: 58216530E1020A9BDB15CF64D494ADEF7B6FF89700F14C66AE805EB381DB719841CBA0

Function 054D1660 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e197693d98a5b0f19f4f60591f0c04bb6488d340cd06902da45fc055a73be338
Instruction ID: ebd7732508fd632566c4669eb2408bb6c801ec97d5cf3ed4a717cba8fd1eec0a
Opcode Fuzzy Hash: e197693d98a5b0f19f4f60591f0c04bb6488d340cd06902da45fc055a73be338
Instruction Fuzzy Hash: B321C1306102018BEB11BB78E894BEBB35AF784240F1079B2E806C7361EB3DDC04CBA1

Function 054D91D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28d4ba5a76fa8d62f14f6852b52e9f63661bbc88a66c765353c3954c779084a
Instruction ID: 9ac180b287441d9251bca9c796b463e01b443303071653ee30d742759a0acd75
Opcode Fuzzy Hash: f28d4ba5a76fa8d62f14f6852b52e9f63661bbc88a66c765353c3954c779084a
Instruction Fuzzy Hash: 4C214175E002059BDB19CFA4C454AEEF7B2BF85310F14895AE815F7350EB719846CB50

Function 0151D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2659041744.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14866dc6273348f25d34f95b89a556d4ee8f0cb5f9031195439cc755c49db182
Instruction ID: e3ec72d8e9d005db1a49456076864b8b9c320208849ba1e0598cd04e153ea38f
Opcode Fuzzy Hash: 14866dc6273348f25d34f95b89a556d4ee8f0cb5f9031195439cc755c49db182
Instruction Fuzzy Hash: 8421D375504244EFEB16DF64D988B26BBA1FB84314F24C96DD8094F24AD33AD847CA62

Function 054D1838 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9164b6a960b29b3338e2e28a37f74a1772088613a8cdb5e464a2673cb41a151
Instruction ID: 91b828729745766855918d460241b6f58e526dc8d3dcaa204284b291f4c8d0ae
Opcode Fuzzy Hash: f9164b6a960b29b3338e2e28a37f74a1772088613a8cdb5e464a2673cb41a151
Instruction Fuzzy Hash: E6212E307002048FDB25DB74C968AEEB7F6AF49205F5015BED806AB3A1DB369D41CBA1

Function 054D1342 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e9b2b15a38223f150cac7671bbce226ec87cb48335168be06b4714c3887d4a6
Instruction ID: 23739c28f0951df0b1e1f8348d2b720a9d9b6b0e437628de8ac69aee9f112b32
Opcode Fuzzy Hash: 9e9b2b15a38223f150cac7671bbce226ec87cb48335168be06b4714c3887d4a6
Instruction Fuzzy Hash: 97219670A102418BFB355728E4A5BBAB656F706320F5024ABEC07C7781DF38D885C762

Function 054D91E8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145f8721925ff41bc22eca4bab4f4d422d753f72ac811b8bb9df0a2d7967f6b7
Instruction ID: fd9c2297c05633d16a1bf242ab9c9a2ab41da508f2e67109352a9228ad2deedb
Opcode Fuzzy Hash: 145f8721925ff41bc22eca4bab4f4d422d753f72ac811b8bb9df0a2d7967f6b7
Instruction Fuzzy Hash: 19214535E002099BDB18CFA5C4649EEF7B6BF89310F148A5AE815F7341DB719945CB60

Function 054D1848 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ac35eafe485b60e72e7759288eae0cd2dcced6a69d0d3ed89803e4bfa8711a
Instruction ID: 76d131a46f22dafb3670f02969c5eb0e7014707b1f67f2035630a381919ebc35
Opcode Fuzzy Hash: b4ac35eafe485b60e72e7759288eae0cd2dcced6a69d0d3ed89803e4bfa8711a
Instruction Fuzzy Hash: 8E21FC30B002048FDB24EB69D5646EEB7F6AF89245F5014BED806EB390DB359D45CBA1

Function 054D1670 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5812837c425404daa732801036c198c0eaedb824a3f74b2a2cac96f6a27f88
Instruction ID: 8e53979eda3c33d7494f245a62a7305ee5bbc0902cc3680a44a31612ffc724fc
Opcode Fuzzy Hash: be5812837c425404daa732801036c198c0eaedb824a3f74b2a2cac96f6a27f88
Instruction Fuzzy Hash: 802162306002058BDB51AB78E894BABB35AF785650F1069B6E806DB351EB3DDC44CBA1

Function 054D4F58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8043b148c7ea81a50afdc70672a4c10c908ae3b1f40476e938e395dfda5d6207
Instruction ID: b945cdae23cc019d7b678cabbcd78f9a14d156fb94cf441cf975d226524f6938
Opcode Fuzzy Hash: 8043b148c7ea81a50afdc70672a4c10c908ae3b1f40476e938e395dfda5d6207
Instruction Fuzzy Hash: 4D213B317002048FDB64DF78C568AAEB7F1FF89204B1004A9E402EB3A4DB759C04DBA1

Function 0151D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2659041744.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_151d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bc154c7b8074d16a3dc11779da50116bf0e20b6eed4c604b5789d62de3ff66
Instruction ID: d69b38a16d9f1b3f83be764a181e681f57bd56dc36e00ddad35ee7a9961c7b3a
Opcode Fuzzy Hash: 12bc154c7b8074d16a3dc11779da50116bf0e20b6eed4c604b5789d62de3ff66
Instruction Fuzzy Hash: 15218B755093809FDB03CF24D994B15BF71FB46214F28C5EAD8498F6A7C33A984ACB62

Function 054D1780 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a11eccc60d8c3e7cd1924cff3b0159e72fb0e1511dc95d28e6646778c77e5a4
Instruction ID: a7bb051709cacaf83fa48ec548da5fefad9d0a50b2e6e4bc3a5561142ecd03de
Opcode Fuzzy Hash: 1a11eccc60d8c3e7cd1924cff3b0159e72fb0e1511dc95d28e6646778c77e5a4
Instruction Fuzzy Hash: 23110676F002019BCF009F759809A9F7BF9FB48660F14157AEA06E7300EE39C90187A1

Function 054D0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b8a4ed8de912934f79eb969258631d0066d55f57bdfc70c414a16d01f687f8
Instruction ID: 016e109de0ee875f25df6038930a63750842cd40daccc1d444ef37f471a64fdd
Opcode Fuzzy Hash: 37b8a4ed8de912934f79eb969258631d0066d55f57bdfc70c414a16d01f687f8
Instruction Fuzzy Hash: F5115830B003098BEF149B79D568BBBB396FB85264F1085BBE40ADF341EA65CC454BE1

Function 054D0838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7d069744dd3554191479cb8e99ae15ec20ca60165a0705ff9a4ddc605c8275d
Instruction ID: ac76bd46d6aa4aeca66ef23876f695611e5b43b9b57942b53b4644b2bb70e822
Opcode Fuzzy Hash: b7d069744dd3554191479cb8e99ae15ec20ca60165a0705ff9a4ddc605c8275d
Instruction Fuzzy Hash: 381198306043058BEB145775D928BBB7756F741254F1048BBE40ADB341F965C8454BE1

Function 054D1447 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696d6ddfb0caf556d02022e9730aee44348a859c81ee6cdb2610da46c1ec35c3
Instruction ID: b6846f91b1995dda5ed1b78d7f6f2b59d6f9814cb42f15a5f37c12ef4e076fd1
Opcode Fuzzy Hash: 696d6ddfb0caf556d02022e9730aee44348a859c81ee6cdb2610da46c1ec35c3
Instruction Fuzzy Hash: 64119171A002159FCB20EB79C8685EEFAE5EB48220F2404BED809E7305EA35C942C7A5

Function 054D1458 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2979b1b7e563a3b7f20b0b2d581115701d37ed362452f5f430babb18ac3fdf
Instruction ID: e88fb0c85e0d7292dd9340e851507c1101767ce4c86c773058d15757ea730d37
Opcode Fuzzy Hash: 9a2979b1b7e563a3b7f20b0b2d581115701d37ed362452f5f430babb18ac3fdf
Instruction Fuzzy Hash: F8015E71A002159FCF11EFB985685EEFAE5EB48250F2404BED809E7305E635C942C7A5

Function 054D8178 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b821f0ac52ed36f79bd0dc00b959678d9f4486f522f20741b98f5992549b52a5
Instruction ID: 27b261c63d053a7c8f9a1fc1b157649adaa95ef0154ef25e9447b34453fd367a
Opcode Fuzzy Hash: b821f0ac52ed36f79bd0dc00b959678d9f4486f522f20741b98f5992549b52a5
Instruction Fuzzy Hash: 1101A73060034A9FCB05EBB8F9505DD37B5FF81200B0446F8C4415B292DF396E429781

Function 054D8188 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ee7930f0c5601e16f9de50d56fe0ea17e5f73b94efa6c5c0ac656536d5fb1a
Instruction ID: e30610e16632d534d40a77fe579da8c9da16da5c4774df5a79d41b5ecd0ca6ea
Opcode Fuzzy Hash: 58ee7930f0c5601e16f9de50d56fe0ea17e5f73b94efa6c5c0ac656536d5fb1a
Instruction Fuzzy Hash: 88F01930A00209DFDB05FFB8F9909DE77B9EB84200F5096B8C405A7251EE352E459B91

Non-executed Functions

Function 054D1A9D Relevance: 5.2, Strings: 4, Instructions: 169COMMON

Download Yara Rule

Strings

m^, xrefs: 054D1AFB
m^, xrefs: 054D1B1B
m^, xrefs: 054D1BCB
m^, xrefs: 054D1B7B

Memory Dump Source

Source File: 00000006.00000002.2663300822.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_RegAsm.jbxd

Similarity

API ID:
String ID: m^$m^$m^$m^
API String ID: 0-92939119
Opcode ID: 3c6c3786413e846197bb44c0bd05db94c627d44a4c217bf7360f36be4b260e25
Instruction ID: 6dfbd72301d2accde0a85f6c66b63b7a84d51eb34c865c3d13e162b72daae7f3
Opcode Fuzzy Hash: 3c6c3786413e846197bb44c0bd05db94c627d44a4c217bf7360f36be4b260e25
Instruction Fuzzy Hash: 5E41A74245E7E51FE30366BCAC717D62F649F9266AF0900D3D884CE193E64C488E82BB

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_35.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_35.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
LisectAVT_2403002A_35.exe

Function 072F1C4F Relevance: 5.6, Instructions: 5642
COMMON

Function 072F1C68 Relevance: 5.6, Instructions: 5633
COMMON

Function 05CD22B8 Relevance: 5.2, Instructions: 5170
COMMON

Function 0277A248 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Function 027728E0 Relevance: 2.7, Strings: 2, Instructions: 167
COMMON

Function 02779BA8 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Function 072FA6E8 Relevance: 2.1, Strings: 1, Instructions: 883
COMMON

Function 05A481B0 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 05A4E9C5 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Function 05A4E9D0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 05A31080 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 027749D3 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre