Edit tour

Windows Analysis Report
LisectAVT_2403002A_257.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_257.exe
Analysis ID:	1482377
MD5:	3914d1fe5113895ff467bcd01994037c
SHA1:	f2f0e0e2bf57589a3880cfaf109d149ea27673a9
SHA256:	b2060f6a5e17d27bb2413bc95ec71fb942151dd2984917831d64c6aa7120efc2
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_257.exe (PID: 4372 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_257.exe" MD5: 3914D1FE5113895FF467BCD01994037C)

RegSvcs.exe (PID: 2136 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_257.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.ionos.es", "Username": "sevialup@sevialup.es", "Password": "Pula0001*"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3357003020.0000000003018000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3357003020.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3357003020.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: LisectAVT_2403002A_257.exe PID: 4372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LisectAVT_2403002A_257.exe PID: 4372	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 2136	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2136	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3355b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33677:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33753:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33879:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_257.exe.2e40000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_257.exe.2e40000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_257.exe.2e40000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316e9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3175b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317e5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31877:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318e1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31953:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319e9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a79:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 213.165.67.102, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 2136, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49712

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T21:58:10.317324+0200
SID:	2022930
Source Port:	443
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T21:57:32.750606+0200
SID:	2022930
Source Port:	443
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_257.exe

Avira: detected

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.ionos.es", "Username": "sevialup@sevialup.es", "Password": "Pula0001*"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_257.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_257.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: LisectAVT_2403002A_257.exe, 00000000.00000003.2138985594.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_257.exe, 00000000.00000003.2140243885.00000000037B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LisectAVT_2403002A_257.exe, 00000000.00000003.2138985594.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_257.exe, 00000000.00000003.2140243885.00000000037B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000CDBBE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0009C2A2 FindFirstFileExW,	0_2_0009C2A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D68EE FindFirstFileW,FindClose,	0_2_000D68EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_000D698F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000CD076
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000CD3A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D9642
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D979D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_000D9B2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_000D5C97

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 213.165.67.102:587

Source: Joe Sandbox View

IP Address: 213.165.67.102 213.165.67.102

Source: Joe Sandbox View

ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 213.165.67.102:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_000DCE44

Source: global traffic

DNS traffic detected: DNS query: smtp.ionos.es

Source: RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356288203.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356467262.0000000001239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.geotrust.com/GeoTrustTLSRSACAG1.crt0
Source: RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356288203.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356467262.0000000001239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl0v
Source: RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356288203.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356288203.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.ionos.es
Source: RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356288203.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356467262.0000000001239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://status.geotrust.com0
Source: RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356288203.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356467262.0000000001239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micr.
Source: LisectAVT_2403002A_257.exe, 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356288203.0000000001177000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 0V85.cs

.Net Code: _8P4pVTg9Q

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_000DEAFF

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_000DED6A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

0_2_000DEAFF

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_000CAA57

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_000F9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: LisectAVT_2403002A_257.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LisectAVT_2403002A_257.exe, 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8842b352-4
Source: LisectAVT_2403002A_257.exe, 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fbb17c85-6
Source: LisectAVT_2403002A_257.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_13b4d033-6
Source: LisectAVT_2403002A_257.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_e7591aef-f

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000CD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_000CD5EB

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_000C1201

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_000CE8F6

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D2046	0_2_000D2046
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00068060	0_2_00068060
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000C8298	0_2_000C8298
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0009E4FF	0_2_0009E4FF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0009676B	0_2_0009676B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000F4873	0_2_000F4873
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0008CAA0	0_2_0008CAA0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0006CAF0	0_2_0006CAF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0007CC39	0_2_0007CC39
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00096DD9	0_2_00096DD9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0007B119	0_2_0007B119
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000691C0	0_2_000691C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00081394	0_2_00081394
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0008781B	0_2_0008781B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00067920	0_2_00067920
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0007997D	0_2_0007997D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00087A4A	0_2_00087A4A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00087CA7	0_2_00087CA7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000B3CD5	0_2_000B3CD5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000EBE44	0_2_000EBE44
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00099EEE	0_2_00099EEE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_014F3790	0_2_014F3790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_013C9370	2_2_013C9370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_013C9BE8	2_2_013C9BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_013C4A98	2_2_013C4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_013CCEB8	2_2_013CCEB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_013C3E80	2_2_013C3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_013C41C8	2_2_013C41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_064656A0	2_2_064656A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06463F10	2_2_06463F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0646BCA8	2_2_0646BCA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0646DCB8	2_2_0646DCB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06462AF8	2_2_06462AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06469A90	2_2_06469A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06468B3A	2_2_06468B3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06460040	2_2_06460040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06464FC0	2_2_06464FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_06463218	2_2_06463218

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: String function: 00080A30 appears 46 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: String function: 0007F9F2 appears 40 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: String function: 00069CB3 appears 31 times

Source: LisectAVT_2403002A_257.exe, 00000000.00000003.2139715857.0000000003733000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LisectAVT_2403002A_257.exe
Source: LisectAVT_2403002A_257.exe, 00000000.00000003.2139880965.00000000038DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LisectAVT_2403002A_257.exe
Source: LisectAVT_2403002A_257.exe, 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename13bf9a69-5794-4e60-83fc-a9c1956f6617.exe4 vs LisectAVT_2403002A_257.exe

Source: LisectAVT_2403002A_257.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 4Cl.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 4Cl.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 5jodGRGeKF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 5jodGRGeKF.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, 33JmeoXaqT.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000D37B5 GetLastError,FormatMessageW,

0_2_000D37B5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000C10BF AdjustTokenPrivileges,CloseHandle,		0_2_000C10BF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_000C16C3

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_000D51CD

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_000EA67C

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_000D648E

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000642A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

File created: C:\Users\user\AppData\Local\Temp\autC2E3.tmp

Jump to behavior

Source: LisectAVT_2403002A_257.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe "C:\Users\user\Desktop\LisectAVT_2403002A_257.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_257.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_257.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: LisectAVT_2403002A_257.exe

Static file information: File size 1167880 > 1048576

Source: LisectAVT_2403002A_257.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002A_257.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002A_257.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002A_257.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002A_257.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002A_257.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LisectAVT_2403002A_257.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: LisectAVT_2403002A_257.exe, 00000000.00000003.2138985594.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_257.exe, 00000000.00000003.2140243885.00000000037B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LisectAVT_2403002A_257.exe, 00000000.00000003.2138985594.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_257.exe, 00000000.00000003.2140243885.00000000037B0000.00000004.00001000.00020000.00000000.sdmp

Source: LisectAVT_2403002A_257.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002A_257.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002A_257.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002A_257.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002A_257.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000642DE

Source: LisectAVT_2403002A_257.exe

Static PE information: real checksum: 0x12d069 should be: 0x12d071

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_00080A76 push ecx; ret

0_2_00080A89

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0007F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0007F98E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_000F1C41

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97430

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

API/Special instruction interceptor: Address: 14F33B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6056			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1218			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

API coverage: 3.9 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_000CDBBE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0009C2A2 FindFirstFileExW,	0_2_0009C2A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D68EE FindFirstFileW,FindClose,	0_2_000D68EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_000D698F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000CD076
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_000CD3A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D9642
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_000D979D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_000D9B2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000D5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_000D5C97

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000642DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000DEAA2 BlockInput,

0_2_000DEAA2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_00092622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00092622

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000642DE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00084CE8 mov eax, dword ptr fs:[00000030h]	0_2_00084CE8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_014F3620 mov eax, dword ptr fs:[00000030h]	0_2_014F3620
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_014F3680 mov eax, dword ptr fs:[00000030h]	0_2_014F3680
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_014F1ED0 mov eax, dword ptr fs:[00000030h]	0_2_014F1ED0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_000C0B62

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00092622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00092622
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_0008083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0008083F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000809D5 SetUnhandledExceptionFilter,	0_2_000809D5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_00080C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00080C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E5C008

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

0_2_000C1201

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000A2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000A2BA5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000CB226 SendInput,keybd_event,

0_2_000CB226

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_000E22DA

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_257.exe"

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

0_2_000C0B62

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000C1663

Source: LisectAVT_2403002A_257.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LisectAVT_2403002A_257.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_00080698 cpuid

0_2_00080698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_000D8195

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000BD27A GetUserNameW,

0_2_000BD27A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_0009B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0009B952

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe

Code function: 0_2_000642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000642DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3357003020.0000000003018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3357003020.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_257.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2136, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: LisectAVT_2403002A_257.exe	Binary or memory string: WIN_81
Source: LisectAVT_2403002A_257.exe	Binary or memory string: WIN_XP
Source: LisectAVT_2403002A_257.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: LisectAVT_2403002A_257.exe	Binary or memory string: WIN_XPe
Source: LisectAVT_2403002A_257.exe	Binary or memory string: WIN_VISTA
Source: LisectAVT_2403002A_257.exe	Binary or memory string: WIN_7
Source: LisectAVT_2403002A_257.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3357003020.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_257.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2136, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_257.exe.2e40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3357003020.0000000003018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3357003020.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_257.exe PID: 4372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2136, type: MEMORYSTR

Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_000E1204
Source: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe	Code function: 0_2_000E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_000E1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	331 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	221 Virtualization/Sandbox Evasion	Cached Domain Credentials	221 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_257.exe	100%	Avira	TR/AVI.AgentTesla.xoryu
LisectAVT_2403002A_257.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
http://www.micr.	0%	Avira URL Cloud	safe
http://smtp.ionos.es	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.ionos.es	213.165.67.102	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.micr.	RegSvcs.exe, 00000002.00000002.3358591525.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	LisectAVT_2403002A_257.exe, 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://smtp.ionos.es	RegSvcs.exe, 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.165.67.102	smtp.ionos.es	Germany		8560	ONEANDONE-ASBrauerstrasse48DE	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482377
Start date and time:	2024-07-25 21:56:23 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_257.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 51 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002A_257.exe

Simulations

Behavior and APIs

Time	Type	Description
15:57:17	API Interceptor	36x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
213.165.67.102	60yQVZ67vj.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Nowe zam#U00f3wienie nr 201030019.exe	Get hash	malicious	AgentTesla	Browse
	Barotse.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.16905.957.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	Quotation-ZX6350ZA Drilling Cum Milling Machine.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse
	factra.exe	Get hash	malicious	AgentTesla	Browse
	factura.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.18349.20671.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	PE20230509100837_OFERTA.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	FIYAT.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
smtp.ionos.es	USyhqVZT33vX26Y.exe	Get hash	malicious	AgentTesla	Browse	213.165.67.118
	60yQVZ67vj.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	213.165.67.102
	JUSTIFICANTE PAGO FACTURA.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	213.165.67.118
	Nowe zam#U00f3wienie nr 201030019.exe	Get hash	malicious	AgentTesla	Browse	213.165.67.102
	pago.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	213.165.67.118
	Barotse.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	213.165.67.102
	biliecrypt.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	213.165.67.118
	Zapytanie ofertowe (7427-23 ROCKFIN).exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	213.165.67.118
	Tepanec.vbe	Get hash	malicious	AgentTesla, GuLoader	Browse	213.165.67.118
	9oDrWfhX1I.exe	Get hash	malicious	AgentTesla	Browse	213.165.67.118

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONEANDONE-ASBrauerstrasse48DE	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	217.160.0.157
	LisectAVT_2403002B_136.dll	Get hash	malicious	Emotet	Browse	82.165.152.127
	LisectAVT_2403002B_302.exe	Get hash	malicious	Bdaejec, Emotet	Browse	82.223.70.24
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	217.76.156.252
	LisectAVT_2403002C_62.dll	Get hash	malicious	Emotet	Browse	87.106.46.107
	IIMG_00172424.exe	Get hash	malicious	FormBook	Browse	217.160.230.215
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	217.160.0.226
	zkGOUJOnmc.elf	Get hash	malicious	Unknown	Browse	88.208.252.9
	Fzfee1Lgc2.elf	Get hash	malicious	Unknown	Browse	217.160.0.225
	gUJak0onLk.elf	Get hash	malicious	Unknown	Browse	217.160.0.116

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_257.exe
File Type:	data
Category:	dropped
Size (bytes):	151658
Entropy (8bit):	7.916239388646582
Encrypted:	false
SSDEEP:	3072:ah7ACv2Pfv2OG+uMbu4EjnTiTgVHhi44T58nXH9PAjPqqcM+9DBt9l4fu8NFcZuv:CbO7GLMbVEjTDVBi44TmXHlAv5+9t/mF
MD5:	1AC262408D5AAD3655787205F589A7BB
SHA1:	70C190BB7613C4FB6B95A0DBB013B6324419330C
SHA-256:	CD80A2832847BE58B303C6083173DC735952E7D5A9D45A1F351132035F4EA512
SHA-512:	52DE5B3298CF53A333906D829A9D4E242D5700AFBABB9D104A2AA20AB5258A53D1CAA2A9062FC4C25987D247DBB990D2E578CF45831F56F52DC2EF10C1710CFF
Malicious:	false
Reputation:	low
Preview:	EA06.....X...}..E.Q...6.qO.L..J..9.Pi...@.X..g.....k......X..=.z.....j0.U..1.."T9$.ME.U/.)l.Q.Y....!.V..H-......kE".M..,f.....s....[.H..5..(...rsX..M...lE....Z...~k`....P......>l.5......4...Y.c.L.......(..`....cw....@..B..._6..C...~@..E.e3...v..`D@.;v..gs ......Uo%.oW..,\|1).ZIo..)s..b.@..3...$...P.....fq..Pfr.uR.9...:Z...Z.B<.....!G..,>:....\......7..+T.E.E..k..........o....`..t..M......g0...Y/=.m....z.]O...G...7...P.;(..!L.yy.wwQ..N.s......x~.....4.K...Z....{1...M.B.4YG.U..\|d....i...\|./L~...l.T.$f?..Kz..rwj.Q..Y.?".I$R..kGX..v.L......l~.D.Q....g3...n.Y}..............p.. ..H.7....'..).....c7.....XU@....a).,9..M+....e_n8.Et...=)gw..h..,NZ.I..-.K.S.....Y...-.K........V8.Z.o.O...X\".F.Wk..D.aZ....2.N...*...U.M...V.......>_.7.zt1I.2J.......8\|j......w........'=......(.)..wT.D..$.$.M&..:#.........;.j..G.R.s..j.J.S.....77..t.J...G..@.=..2.........(..Js..VjtYL.gR.Zd.y.J.N..-u.=.Wg.<).j.......s.e..o.Qh.Y.fqK.^o......Pi.8.O]F...;...3.S. ..b=Z.....

C:\Users\user\AppData\Local\Temp\autC332.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_257.exe
File Type:	data
Category:	dropped
Size (bytes):	9974
Entropy (8bit):	7.603836919500672
Encrypted:	false
SSDEEP:	192:Q09SJLZ7jNO7shoLZnEUZ0r5Tl/sQrV7uDtkLNjSUVJj0CPna67Tr4qVBQnjfppF:z9SJtjiZEUGpECduOL8UVPv+mCjfNfv
MD5:	C8AF2C7A15AE9C811A2C9D20CFE4CA49
SHA1:	AE546CE73367C3CFE437EFAB60026352F8AD8731
SHA-256:	FA1F4BCD1CB8C05EBCB11B3D93ECC55D2E795A61E5B85CE8F05B7805767D125D
SHA-512:	2AC743C8B6EA7358F77BF4325946BCC3EC8E6A6958E98754E85DCB4EE82F750B8CBEE53FBF4F5145DDD9BE2BD88EB7A1C3DF929ED340EAF4ED122735EC683BDF
Malicious:	false
Reputation:	low
Preview:	EA06..t..L&.[...e....;..`....y...b.......s8..&...j.%.$.m8..Sp.N.g.....m.X@..K...c.$....lL.`..Ng6)...l.I...b....4..,S@..l.l.-z..f.6\|v...Qc.0.......q4.Y..k..h......c ._..p.1....qa.H....9..$l.3..Y@.6...$.a5.H.f@.....\|3....fs9..%d.M...5...&.@.@.K.I.....Y.x>9.....Y.j.;.......j.;-....Y@j.9.....K,..1...'.`....\|.....,S`..N,`...H.......\|....F. ,_...c3..........;..:&.>_L.n....f.G_T......\|.).......&.....8...&V....ia...=.....Y......&..`.l..\|.[.....Yl ....ab...,@....ib........h.._..@...3\|.P.o.ac.....+.....N.i\|sk....8..4\|.0...c....7....k ..7.X..TD....M&`....g....,,`....>.Y...$.@&....L&.P.....32.\|&.G%......h...,..33.%.....BS...Nf......f.4.L,.9."....Bvp.Y...ffS{$..d..,.@8@.......@.3d.L..k4.h..M.B:.Y...fg6.;.ab....98.L..:.....of.L.*..Fp........36.Y&.k,.b...' !...,t.33.4.c2.X.M....#......j.d...[..%3.....c....M'6...ic....!..,..3 k..p....@...L&..........., ....#......f.8.X..K..`....zn........0{.k7....!..,...S.%..9..J@^@.G'.......aa.M..)LM@B:.Y...ffS...r....@...N@.:.....n..Mf@....

C:\Users\user\AppData\Local\Temp\cunili

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_257.exe
File Type:	ASCII text, with very long lines (29698), with no line terminators
Category:	dropped
Size (bytes):	29698
Entropy (8bit):	3.5689281317480894
Encrypted:	false
SSDEEP:	768:G3i/mmQPGXVuVLFOA0AYwp5JX6j4LIkl1WfnS1uLphM:UieBPG8JFO1yuLDM
MD5:	BEAA74AD21C7C26C0F58F9E72CCF49E7
SHA1:	280F44865230FD78CDF540AF8B84CB9F38E05884
SHA-256:	81601445F8BF97DCC4463C2266C84A40BCE7C31FB5371EECA91D22220E123F82
SHA-512:	68896A49F0A560A000EA14BD715C1BD4EC3C661887815EB7DCF9ED3D5FB8F114ED5F1FAFE3E0A4981783F0DA29748A5C6B83ADC4210F09543ED6D6D825537D96
Malicious:	false
Reputation:	low
Preview:	x055b8ce18cecc20000065758bb6000000669854489b560000006698d468ab27000000669855888be6000000669854a89b560000006698d4c8abc6000000669855e88b33000000669854099b230000006698d429abe2000000669855498b46000000669854699bc60000006698d489abc6000000669855a9330c669854c99be60000006698d844ffffffab4700000066985964ffffff8b4600000066985884ffffff9bc60000006698d8a4ffffffabc6000000669859c4ffffff8be2000000669858e4ffffff9b460000006698d805ffffffabc600000066985925ffffff8bc600000066985845ffffff339c6698d865ffffffab570000006698550d8b370000006698542d9b560000006698d44dab270000006698556d8b330000006698548d9b230000006698d4adabe2000000669855cd8b46000000669854ed9bc60000006698d40eabc60000006698552e330c6698544e9b160000006698d886ffffffab46000000669859a6ffffff8b67000000669858c6ffffff9b160000006698d8e6ffffffab0700000066985907ffffff8b9600000066985827ffffff9b330000006698d847ffffffab2300000066985967ffffff8be200000066985887ffffff9b460000006698d8a7ffffffabc6000000669859c7ffffff8bc6000000669858e7ffffff339c6698d408ab370000006698550a8b86

C:\Users\user\AppData\Local\Temp\thixophobia

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_257.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.7262216217277
Encrypted:	false
SSDEEP:	6144:WkRLHKvNHU/2bxQmpGqg+EALjLeatDmLRjOAN:WkRLqliQx/pGELPRyRjOm
MD5:	7C878DF05DAF41BFAF8EC603B78E9120
SHA1:	B2EDBCBE50537CC9D4C13F6CA85F69F606B1B20F
SHA-256:	D083142DED8924C28B6784360FE78ACA546DCA4EE93BF4B7FAFE43D3B2F1104B
SHA-512:	AC914B287604E58B437B78A89286849F0B73D8C860AE816C36A8CC3004761F8A331DF5091C92F5DF015C9CEF28E23064260E7E22CE8555F2479AD93A4F775499
Malicious:	false
Reputation:	low
Preview:	.c.AOCFETGGX..8O.3VDA7W9.ALCFEPGGXYY8O23VDA7W9XALCFEPGGXYY8O.3VDO(.7X.E.g.Q..y.1Q<.C$+&E6Tx"--($g%=y+M!.Z8d.x..5.(&hH]McXYY8O23..A7.8[A.[. PGGXYY8O.3TEJ6\9X.OCFMPGGXYY..13VdA7W.[ALC.EPgGXY[8O63VDA7W9\ALCFEPGGX]Y8M23VDA7U9..LCVEPWGXYY(O2#VDA7W9HALCFEPGGXYY..13.DA7W.[A.FFEPGGXYY8O23VDA7W9X.OCJEPGGXYY8O23VDA7W9XALCFEPGGXYY8O23VDA7W9XALCFEPGGXYY8o23^DA7W9XALCFEXgGX.Y8O23VDA7W9v5);2EPGs.ZY8o23V.B7W;XALCFEPGGXYY8O.3V$oE$K;ALC.@PGG.ZY8I23V.B7W9XALCFEPGGX.Y8..A3(.TW9TALCF.SGGZYY8.13VDA7W9XALCFE.GG.YY8O23VDA7W9XALCV.SGGXYYpO23TDD7..ZAHrGESGGXXY8I23VDA7W9XALCFEPGGXYY8O23VDA7W9XALCFEPGGXYY8O23VD\......}.8nM%_...(.0..R..@..C.S.+S...5....fBQ..A.Lv..N...:.;S=@.....t#M4^/./vVY./.....vM...E(....'k.!4..m...{....J$....-..Q\;j G'U=o." $"..Z.X8O23.......%;..}DHFmK@.....u%/o...8EPG#XYYJO237DA7.9XA#CFE>GGX'Y8OL3VD.7W9.ALCqEPGbXYYUO23rDA7)9XA.>IJ...1*..O23VDt....,.....p..oI.Lh4\|..]....C..H/...t...X.\..O.'Ee..@F^]\:H60ZyO\|...`NGB@R@C[Ud6...e....a..7...".%8O23VD.7W.XAL..E.GGX.Y.O..VDA..9.A.C...G

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.03692986877142
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_257.exe
File size:	1'167'880 bytes
MD5:	3914d1fe5113895ff467bcd01994037c
SHA1:	f2f0e0e2bf57589a3880cfaf109d149ea27673a9
SHA256:	b2060f6a5e17d27bb2413bc95ec71fb942151dd2984917831d64c6aa7120efc2
SHA512:	056c7f88c2ab836e7399c67b95d2d03d04f7e3bb02ef7b0ffdab5a5ba7990bf016d9ee27d44ac591f514af674d55abf58adb462256606963653457c6b47f75ea
SSDEEP:	24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8aF83aszMg15alQt3d:YTvC/MTQYxsWR7aFwfMgzK
TLSH:	4B45BF0273D1C062FF9B92334B5AF6515BBC6A260123E61F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66015722 [Mon Mar 25 10:51:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F7DA1275553h
jmp 00007F7DA1274E5Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7DA127503Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7DA127500Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7DA1277BFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F7DA1277C48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F7DA1277C31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x46670	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11b000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x46670	0x46800	63b2ca37ebb01b7916630f593036862d	False	0.9061807402482269	data	7.8450347333184345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11b000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x3d938	data			1.0003409775747771
RT_GROUP_ICON	0x11a0f0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11a168	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11a17c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11a190	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11a1a4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11a280	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T21:58:10.317324+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49720	20.114.59.183	192.168.2.6
2024-07-25T21:57:32.750606+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49714	20.114.59.183	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:57:18.677875996 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:18.684581995 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:18.684925079 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:19.674895048 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:19.676285028 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:19.676378012 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:19.689269066 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:19.715593100 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:19.902532101 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:19.902760983 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:19.908590078 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:20.097316980 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:20.139909983 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:20.360167027 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:20.365725994 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:20.553894043 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:20.553947926 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:20.553961992 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:20.554096937 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:20.557436943 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:20.564028978 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:20.755285025 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:20.796000004 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:20.952133894 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:20.957027912 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:21.142819881 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:21.167432070 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:21.174547911 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:21.363312006 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:21.388716936 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:21.393826962 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:21.614000082 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:21.614320040 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:21.619246960 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:21.819484949 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:21.819727898 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:21.824521065 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.015018940 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.015754938 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:22.020870924 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.207551003 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.208197117 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:22.208256960 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:22.208307028 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:22.208307028 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:57:22.213155031 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.213207006 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.213217020 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.213439941 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.541827917 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:57:22.592876911 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:58:58.671369076 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:58:58.700340033 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:58:58.889653921 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:58:58.889969110 CEST	587	49712	213.165.67.102	192.168.2.6
Jul 25, 2024 21:58:58.890149117 CEST	49712	587	192.168.2.6	213.165.67.102
Jul 25, 2024 21:58:58.893179893 CEST	49712	587	192.168.2.6	213.165.67.102

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 21:57:18.657232046 CEST	63072	53	192.168.2.6	1.1.1.1
Jul 25, 2024 21:57:18.665592909 CEST	53	63072	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 21:57:18.657232046 CEST	192.168.2.6	1.1.1.1	0xef97	Standard query (0)	smtp.ionos.es	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 21:57:18.665592909 CEST	1.1.1.1	192.168.2.6	0xef97	No error (0)	smtp.ionos.es		213.165.67.102	A (IP address)	IN (0x0001)	false
Jul 25, 2024 21:57:18.665592909 CEST	1.1.1.1	192.168.2.6	0xef97	No error (0)	smtp.ionos.es		213.165.67.118	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jul 25, 2024 21:57:19.674895048 CEST	587	49712	213.165.67.102	192.168.2.6	220 kundenserver.de (mreue009) Nemesis ESMTP Service ready
Jul 25, 2024 21:57:19.676285028 CEST	587	49712	213.165.67.102	192.168.2.6	220 kundenserver.de (mreue009) Nemesis ESMTP Service ready
Jul 25, 2024 21:57:19.689269066 CEST	49712	587	192.168.2.6	213.165.67.102	EHLO 965543
Jul 25, 2024 21:57:19.902532101 CEST	587	49712	213.165.67.102	192.168.2.6	250-kundenserver.de Hello 965543 [8.46.123.33] 250-8BITMIME 250-SIZE 141557760 250 STARTTLS
Jul 25, 2024 21:57:19.902760983 CEST	49712	587	192.168.2.6	213.165.67.102	STARTTLS
Jul 25, 2024 21:57:20.097316980 CEST	587	49712	213.165.67.102	192.168.2.6	220 OK

Target ID:	0
Start time:	15:57:12
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_257.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_257.exe"
Imagebase:	0x60000
File size:	1'167'880 bytes
MD5 hash:	3914D1FE5113895FF467BCD01994037C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2142927939.0000000002E40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:57:14
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_257.exe"
Imagebase:	0xc60000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3357003020.0000000003018000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3357003020.0000000002FEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3356004037.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3357003020.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3357003020.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 000642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0006430D

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

GetCurrentProcess.KERNEL32(?,000FCB64,00000000,?,?), ref: 00064422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00064429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00064454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00064466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00064474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0006447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000644A0

Strings

|O, xrefs: 000A36F8
kernel32.dll, xrefs: 0006444F
GetNativeSystemInfo, xrefs: 00064460

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8b599484bb2bf9591ef3fb18f2395f0aa92ecacd85e3bfe5eaeb8ce81fd8f349
Instruction ID: c6359a1f82cf08c9295fbc6271acf4550ce653ec4f2e099f55adde3b5abd5ba0
Opcode Fuzzy Hash: 8b599484bb2bf9591ef3fb18f2395f0aa92ecacd85e3bfe5eaeb8ce81fd8f349
Instruction Fuzzy Hash: C2A1956290E3C4FFDB21C7AA7C425E97FE57B27360B089899E04197F22D63445C8DB21

Function 000642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000650AA,?,?,00000000,00000000), ref: 000642B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000650AA,?,?,00000000,00000000), ref: 000642C9
LoadResource.KERNEL32(?,00000000,?,?,000650AA,?,?,00000000,00000000,?,?,?,?,?,?,00064F20), ref: 000A35BE
SizeofResource.KERNEL32(?,00000000,?,?,000650AA,?,?,00000000,00000000,?,?,?,?,?,?,00064F20), ref: 000A35D3
LockResource.KERNEL32(000650AA,?,?,000650AA,?,?,00000000,00000000,?,?,?,?,?,?,00064F20,?), ref: 000A35E6

Strings

SCRIPT, xrefs: 000642BF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2a4ca5d373e7583968060b8d87c8a25dddc7a4fa1b4110980ceb43cc9023bdc7
Instruction ID: e2539644af72f15dff569fe1b50a9fe29805b8d65a7cc6cb7eb380a800419acb
Opcode Fuzzy Hash: 2a4ca5d373e7583968060b8d87c8a25dddc7a4fa1b4110980ceb43cc9023bdc7
Instruction Fuzzy Hash: 10117C70600705BFE7218BA5DD59F277BBAEFC5B51F204169F502D6650DB71DC10D620

Function 000A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00062B6B

Part of subcall function 00063A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00131418,?,00062E7F,?,?,?,00000000), ref: 00063A78

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00122224), ref: 000A2C10
ShellExecuteW.SHELL32(00000000,?,?,00122224), ref: 000A2C17

Strings

runas, xrefs: 000A2C0B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 5d869aca280e8e29fac6efce2e81aa949d7fc88bbca41ad77f5fa8598bfae7a0
Instruction ID: 1f2526f55df31a70251de8b92e99a578934708b2c60dbb055270adbc58abcd53
Opcode Fuzzy Hash: 5d869aca280e8e29fac6efce2e81aa949d7fc88bbca41ad77f5fa8598bfae7a0
Instruction Fuzzy Hash: 3711D031208345AAD714FF64E992DFEB7ABEB91350F44242DF082631A3CF358A49D752

Function 000CDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,000A5222), ref: 000CDBCE
GetFileAttributesW.KERNELBASE(?), ref: 000CDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 000CDBEE
FindClose.KERNEL32(00000000), ref: 000CDBFA

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 591735301761d066620ae417100c2a2dfa168140172e7b3a17932b33a26ec48f
Instruction ID: 6f767ab30114d38744b3bc4a2d8ef3f633eef9a38828fe363c56c58aff1a79eb
Opcode Fuzzy Hash: 591735301761d066620ae417100c2a2dfa168140172e7b3a17932b33a26ec48f
Instruction Fuzzy Hash: 76F0A03081091997A2206B78AE4EDBE37AC9F42334B10471BF836C24E0EBB46D54D695

Function 0006D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0006D807
timeGetTime.WINMM ref: 0006DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0006DB28
TranslateMessage.USER32(?), ref: 0006DB7B
DispatchMessageW.USER32(?), ref: 0006DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0006DB9F
Sleep.KERNEL32(0000000A), ref: 0006DBB1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 1e66d342dd3a33540984a3aaf7a7b27cdf5b2ee6e395c1f7c0bac50ff7c6aad0
Instruction ID: 2aff4dbb402eb4f464dec889ccb07b51f91aa032e7b505c1767939863464e60f
Opcode Fuzzy Hash: 1e66d342dd3a33540984a3aaf7a7b27cdf5b2ee6e395c1f7c0bac50ff7c6aad0
Instruction Fuzzy Hash: D542CF30A08342EFE778DF24C895BEABBE2BF45314F14855EE45587292D774E884CB92

Function 00062CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00062D07
RegisterClassExW.USER32(00000030), ref: 00062D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00062D42
InitCommonControlsEx.COMCTL32(?), ref: 00062D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00062D6F
LoadIconW.USER32(000000A9), ref: 00062D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00062D94

Strings

AutoIt v3 GUI, xrefs: 00062D23
TaskbarCreated, xrefs: 00062D37
+, xrefs: 00062CF0
0, xrefs: 00062CE9

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 26dd48e92892e5d5951564e612277ee86ca950ce4d55417a764c2c44113b5183
Instruction ID: d8d36a910b84bf86fa48a31c86953110f8d03bdb1c6fe08f612a6cb12dbcd1ba
Opcode Fuzzy Hash: 26dd48e92892e5d5951564e612277ee86ca950ce4d55417a764c2c44113b5183
Instruction Fuzzy Hash: D521E5B190130CEFEB00DFA4E94ABEDBBB4FB08714F00411AF611A66A0D7B91584DF91

Function 000A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A039A: CreateFileW.KERNELBASE(00000000,00000000,?,000A0704,?,?,00000000,?,000A0704,00000000,0000000C), ref: 000A03B7

GetLastError.KERNEL32 ref: 000A076F
__dosmaperr.LIBCMT ref: 000A0776
GetFileType.KERNELBASE(00000000), ref: 000A0782
GetLastError.KERNEL32 ref: 000A078C
__dosmaperr.LIBCMT ref: 000A0795
CloseHandle.KERNEL32(00000000), ref: 000A07B5
CloseHandle.KERNEL32(?), ref: 000A08FF
GetLastError.KERNEL32 ref: 000A0931
__dosmaperr.LIBCMT ref: 000A0938

Strings

H, xrefs: 000A08BD

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a999af693105eb449328c735bb3cff253d57066c5432399703a9b1b6d299df9a
Instruction ID: b1469f564de403fbac038a1e9673a1aad26c6eb2645f121a277913fe7318ba78
Opcode Fuzzy Hash: a999af693105eb449328c735bb3cff253d57066c5432399703a9b1b6d299df9a
Instruction Fuzzy Hash: D9A12632A041098FDF19AFB8DC52BAE3BE4AB0B320F140159F855DB292DB359D12DB91

Function 0006344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00063A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00131418,?,00062E7F,?,?,?,00000000), ref: 00063A78

Part of subcall function 00063357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00063379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0006356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000A318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000A31CE
RegCloseKey.ADVAPI32(?), ref: 000A3210
_wcslen.LIBCMT ref: 000A3277
_wcslen.LIBCMT ref: 000A3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00063560
\Include\, xrefs: 00063527
\, xrefs: 000A328C
Include, xrefs: 000A3184, 000A31C5

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 88f59b3d20d1f92fe300579965f040f6b9ef2b1aa3abf2b18d8b50973d878661
Instruction ID: 98b8aecdd0f28912988c2c8cf32993ed1a29b32057b10239b3f56ac054ff559c
Opcode Fuzzy Hash: 88f59b3d20d1f92fe300579965f040f6b9ef2b1aa3abf2b18d8b50973d878661
Instruction Fuzzy Hash: C971D1715043059ED314FF65EC82DABBBE8FF89350F40042EF585975A1EB349A88CB62

Function 00062B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00062B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00062B9D
LoadIconW.USER32(00000063), ref: 00062BB3
LoadIconW.USER32(000000A4), ref: 00062BC5
LoadIconW.USER32(000000A2), ref: 00062BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00062BEF
RegisterClassExW.USER32(?), ref: 00062C40

Part of subcall function 00062CD4: GetSysColorBrush.USER32(0000000F), ref: 00062D07
Part of subcall function 00062CD4: RegisterClassExW.USER32(00000030), ref: 00062D31
Part of subcall function 00062CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00062D42
Part of subcall function 00062CD4: InitCommonControlsEx.COMCTL32(?), ref: 00062D5F
Part of subcall function 00062CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00062D6F
Part of subcall function 00062CD4: LoadIconW.USER32(000000A9), ref: 00062D85
Part of subcall function 00062CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00062D94

Strings

0, xrefs: 00062C0F
AutoIt v3, xrefs: 00062C2F
#, xrefs: 00062C16

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 00c8e786db7e40c4eeacb95750e5d3dfca4e5e5866fa754167cf913a3a21b574
Instruction ID: dfa93bb7c03da94197192668eccb04794364d0a6a92331c07058fc0cc59ceddb
Opcode Fuzzy Hash: 00c8e786db7e40c4eeacb95750e5d3dfca4e5e5866fa754167cf913a3a21b574
Instruction Fuzzy Hash: 89212C71E00318BBEB109FA6ED55AA97FB5FB48B60F00001AE504A6AA0D7B51584DF90

Function 00063170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0006316A,?,?), ref: 000631D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0006316A,?,?), ref: 00063204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00063227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0006316A,?,?), ref: 00063232
CreatePopupMenu.USER32 ref: 00063246
PostQuitMessage.USER32(00000000), ref: 00063267

Strings

TaskbarCreated, xrefs: 0006322D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 0b6490b7f52f96c25ba7c7a78b003051af4f95b2c34ab536e53041048bbf4c03
Instruction ID: 9186eeb6fc40990bc4019ef443752a2ce1e23e2339f38e3fb43af4861f302d8e
Opcode Fuzzy Hash: 0b6490b7f52f96c25ba7c7a78b003051af4f95b2c34ab536e53041048bbf4c03
Instruction Fuzzy Hash: 24410E31244205B7EB246B78DD5EBBD3A9BEB07354F040125F901DA592C7759A80D7E1

Function 00098D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33aaebb4cccd3b9f1e34185cff1252f56ad2ea69816f129d42e3e244a19cd11
Instruction ID: fffd72a36da3ef3754a8c7603a0989029613889a4479d15fba5cce04ba16a5f2
Opcode Fuzzy Hash: d33aaebb4cccd3b9f1e34185cff1252f56ad2ea69816f129d42e3e244a19cd11
Instruction Fuzzy Hash: 99C1D074904249AFDF21EFACC855BEDBBF4BF4A310F044099E468A7392D7309941EB61

Function 014F2770 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014F2841
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014F2A67

Memory Dump Source

Source File: 00000000.00000002.2142893759.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 56d4a07515a69c217c6e9093a4c978e985ec34eac0ef6790ae7a8c87854d9146
Instruction ID: 40a6f2aa64d7d731a2cd60b95d5ddf5cbf0a23e8627ac25e29471434654b244b
Opcode Fuzzy Hash: 56d4a07515a69c217c6e9093a4c978e985ec34eac0ef6790ae7a8c87854d9146
Instruction Fuzzy Hash: 2DA1F670E00209EBDB14CFA4C994FEEBBB5BF48304F20855EE605AB391D7B59A45CB64

Function 00062C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00062C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00062CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00061CAD,?), ref: 00062CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00061CAD,?), ref: 00062CCF

Strings

AutoIt v3, xrefs: 00062C89, 00062C8E, 00062C8F
edit, xrefs: 00062CAC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 64dcad21201eb9fde687a6105487188297ed0332c15d80f07968198b4336ebde
Instruction ID: c3093791d62daa382d200a98c3cf2b510e2ea513e52713be12125324284c5e0a
Opcode Fuzzy Hash: 64dcad21201eb9fde687a6105487188297ed0332c15d80f07968198b4336ebde
Instruction Fuzzy Hash: B1F0DA755443987AFB311717AC0DEB77EBDE7C6F60B00005AFA00A79A0C6651894EEB0

Function 0006DFD0 Relevance: 10.2, APIs: 2, Strings: 3, Instructions: 1414COMMON

Download Yara Rule

Strings

H, xrefs: 0006E0DC, 0006E289, 0006E418, 0006E4C0
@, xrefs: 0006E0E6, 0006E293, 0006E422, 0006E4CE
Variable must be of type 'Object'., xrefs: 000B32B7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID: @$H$Variable must be of type 'Object'.
API String ID: 0-1412995245
Opcode ID: 9f4a6ebed1b2f77e305edc5f6593e22df2d3bd3cbae6da843639a413ffaa0256
Instruction ID: f9baf74adc9726ebcbafc5bb9c7d987e6ee19b3c5d8c29a50b6e926a8e3a0bb6
Opcode Fuzzy Hash: 9f4a6ebed1b2f77e305edc5f6593e22df2d3bd3cbae6da843639a413ffaa0256
Instruction Fuzzy Hash: 3DC28B79A00355CFCB24DF58C884AADB7F2BF09310F248569E906AB392D775EE41CB91

Function 014F24E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014F2664
VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 014F2699
ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 014F26BC
ExitProcess.KERNEL32(00000000), ref: 014F271D

Strings

W9XALCFEPGGXYY8O23VDA7, xrefs: 014F26C7, 014F26CA

Memory Dump Source

Source File: 00000000.00000002.2142893759.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: File$AllocCreateExitProcessReadVirtual
String ID: W9XALCFEPGGXYY8O23VDA7
API String ID: 1333605300-1334338727
Opcode ID: caf40082cf5f2754b39d0d479040dbf2b45ceb0effa6aaf49fd6903d82ef9d71
Instruction ID: 9899e2aa38bcfff07037c822823e404d00651f8c20650712396f23ea34ff527d
Opcode Fuzzy Hash: caf40082cf5f2754b39d0d479040dbf2b45ceb0effa6aaf49fd6903d82ef9d71
Instruction Fuzzy Hash: 6B617F70D04249DBEB11DBB4C858BEEBBB9AF19304F04419DE608BB3C1D7BA5A44CB65

Function 000D2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000D2C05
DeleteFileW.KERNEL32(?), ref: 000D2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000D2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000D2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000D2CC0

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 95c42e0a75e32d0d1472074e7ca7ccda5d534d2d08441d08b0094bc538120c7b
Instruction ID: a4d1aba422adb25d5d8367737e81e128272ea1936ae635c3082745d578b4674b
Opcode Fuzzy Hash: 95c42e0a75e32d0d1472074e7ca7ccda5d534d2d08441d08b0094bc538120c7b
Instruction Fuzzy Hash: 4CB12C71D00219ABDF21EBA4CC85EEEB7BDEF59350F1040A6F509E6252EB349A448F61

Function 00063B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00063B0F,SwapMouseButtons,00000004,?), ref: 00063B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00063B0F,SwapMouseButtons,00000004,?), ref: 00063B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00063B0F,SwapMouseButtons,00000004,?), ref: 00063B83

Strings

Control Panel\Mouse, xrefs: 00063B3E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b05fabd71d859aa951cb680d13713b3e391c7c7b7cb155e6812a97e49393a52f
Instruction ID: facf77da32edc9b9249a70a978f6cfbb62547afb99ea5f8960fb44b22de5098f
Opcode Fuzzy Hash: b05fabd71d859aa951cb680d13713b3e391c7c7b7cb155e6812a97e49393a52f
Instruction Fuzzy Hash: 66115AB1510208FFEB208FA4DC45EEEB7BDEF01740B105459AA01D7110D7319E40A7A0

Function 014F1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014F1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014F1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014F1B73

Memory Dump Source

Source File: 00000000.00000002.2142893759.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e733957529af6e45a9970993b3126d24b4c627d0c98d0703371c929c9dc0e71a
Instruction ID: c1fe968707112636cad1471e52527d1291f96f55b5e6fa946e9d209d4b8f28b0
Opcode Fuzzy Hash: e733957529af6e45a9970993b3126d24b4c627d0c98d0703371c929c9dc0e71a
Instruction Fuzzy Hash: 9662EA30A14258DBEB24CFA4C850BDEB776EF58700F1091A9D20DEB3A4E7759E81CB59

Function 00063923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000A33A2

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00063A04

Strings

Line: , xrefs: 000A33EB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b9ccbfccb49b4b6c8d31b52c37253195ce72dd5429e4933d7e1399b6ca3871a5
Instruction ID: 39c5b8685173fc9f0df08ce3524bd6a2153c26af8d28062d0b84cb616675679a
Opcode Fuzzy Hash: b9ccbfccb49b4b6c8d31b52c37253195ce72dd5429e4933d7e1399b6ca3871a5
Instruction Fuzzy Hash: 4331C171408314AAD721EB20DC46BEFB7D9AB41720F04492EF59A935D2DB709B48CBD2

Function 0007FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00080668

Part of subcall function 000832A4: RaiseException.KERNEL32(?,?,?,0008068A,?,00131444,?,?,?,?,?,?,0008068A,00061129,00128738,00061129), ref: 00083304

__CxxThrowException@8.LIBVCRUNTIME ref: 00080685

Strings

Unknown exception, xrefs: 00080692

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a3d794a527b2f14a4f51b08f424f794caecab64aff030142b0ad4ee85cc7c2b7
Instruction ID: 6b71e6c7eb67c3451b7fd6ef7c359c1c2f40f075ee3f7f1bdd182cb9fc0c5319
Opcode Fuzzy Hash: a3d794a527b2f14a4f51b08f424f794caecab64aff030142b0ad4ee85cc7c2b7
Instruction Fuzzy Hash: 86F0C23490020EB7CB50B664E846CEE7BAD7F40710B608531B9A8965D2EF71EA29C794

Function 000D3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 000D302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 000D3044

Strings

aut, xrefs: 000D3038

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 50f56ceee93c81fb4dfb8308073d9bf8d853e7cd645a21f7b431b31fbe82c571
Instruction ID: 3a1421bae82cd2b63e75b90ea1f79ab6b30817f37541cc53b7b522f1a4d5f1c6
Opcode Fuzzy Hash: 50f56ceee93c81fb4dfb8308073d9bf8d853e7cd645a21f7b431b31fbe82c571
Instruction Fuzzy Hash: 8AD05E72500328A7EA60E7A4AD0EFDB3A6CDB04750F0002A1B655E20D2DAB49984CAD0

Function 000E7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 000E82F5
TerminateProcess.KERNEL32(00000000), ref: 000E82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 000E84DD

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 7124ec0abaf358e41959657162d9b0b9bdd5e8a62ea9e30626b979b29acad9de
Instruction ID: 580df235167cb9589f1e69017a87448906c1a3e61577c738fdb509f0a21a892c
Opcode Fuzzy Hash: 7124ec0abaf358e41959657162d9b0b9bdd5e8a62ea9e30626b979b29acad9de
Instruction Fuzzy Hash: 9D127A71A083419FD724DF28C484B6ABBE5FF88314F04895DE8899B392DB31E945CF92

Function 00095AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b81ab1bfe54fbded514bf2d498db6a40bf65152640d55496a00f968052a1c2b
Instruction ID: c263a12af8bfb4a917051ddc8aed913079f585aa74f5a25da840385092cae846
Opcode Fuzzy Hash: 5b81ab1bfe54fbded514bf2d498db6a40bf65152640d55496a00f968052a1c2b
Instruction Fuzzy Hash: A651A2B1D0060AAFDF22AFA6CC45EFEBBF8AF05312F140059F405A7292D7319941EB61

Function 000610F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00061BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00061BF4
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00061BFC
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00061C07
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00061C12
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00061C1A
Part of subcall function 00061BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00061C22

Part of subcall function 00061B4A: RegisterWindowMessageW.USER32(00000004,?,000612C4), ref: 00061BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0006136A
OleInitialize.OLE32 ref: 00061388
CloseHandle.KERNEL32(00000000,00000000), ref: 000A24AB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 356e755f865c01312cbbcfc3eb3d495090f6d8d07d73202bf934b0db6005dac3
Instruction ID: 203759ccfbbd13da43f9adf183a004184a734934d665c1dd9edac0de74d07f60
Opcode Fuzzy Hash: 356e755f865c01312cbbcfc3eb3d495090f6d8d07d73202bf934b0db6005dac3
Instruction Fuzzy Hash: 4571EDB5905304AFD384EF79EE46AA53AE1FB8A340718862ED10AD7B62EB704481CF54

Function 000654C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0006556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0006557D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f774260e1c77e0561ce404ea983297dacc4d6e4a0576265ba27207a5459212fa
Instruction ID: 507b01b03b5573bd8fe4bbf63a183654814302763ae6630c48d5b61c1d09c450
Opcode Fuzzy Hash: f774260e1c77e0561ce404ea983297dacc4d6e4a0576265ba27207a5459212fa
Instruction Fuzzy Hash: 1A313A71A00A09EFDB14CF68CC85B9DB7B6FB48315F14862AE91A97240D771FE94CB90

Function 000986AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,000985CC,?,00128CC8,0000000C), ref: 00098704
GetLastError.KERNEL32(?,000985CC,?,00128CC8,0000000C), ref: 0009870E
__dosmaperr.LIBCMT ref: 00098739

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: ac9406c61b962bff76ac9560c55ab5645426ad65b5a7be09ccec0606a1d26898
Instruction ID: 4a80f3c467ffa39655b5c3d4291d042eb861f2d533b86f23b0626d00dcb6de20
Opcode Fuzzy Hash: ac9406c61b962bff76ac9560c55ab5645426ad65b5a7be09ccec0606a1d26898
Instruction Fuzzy Hash: 3C016B3360422027DEA16234AC45BBE67C94B83775F398119F9489F2D3DEA0CD81F390

Function 000D2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,000D2CD4,?,?,?,00000004,00000001), ref: 000D2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000D2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000D3006
CloseHandle.KERNEL32(00000000,?,000D2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 000D300D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ad0a7fa437579432909e73a4de139fbd233bd4a0dc705d50271632309f411127
Instruction ID: 9fc1648511e5bb3f97e36b27661d78142f010c8fa36c04e4388c4707e5fa810d
Opcode Fuzzy Hash: ad0a7fa437579432909e73a4de139fbd233bd4a0dc705d50271632309f411127
Instruction Fuzzy Hash: 23E0863228031477F2301755BD0EF9B3E5CE786B71F114214F719B51D046A41611E2A8

Function 00071310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000717F6

Strings

CALL, xrefs: 000717C6

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 59f18857edd408bd2330f1ba749dd64e0b74bcae712f65169cffdcdb36516d89
Instruction ID: 559440a2d9929b49c1a85086f1ea81353d5bd752b2d3b0075b19ab2fc9c1a0ec
Opcode Fuzzy Hash: 59f18857edd408bd2330f1ba749dd64e0b74bcae712f65169cffdcdb36516d89
Instruction Fuzzy Hash: 5A227C70A08241DFC764DF18C490AAABBF1BF85314F14891DF49A8B3A2D73AE945CB56

Function 000D6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000D6F6B

Part of subcall function 00064ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 000D6F5A, 000D6F63

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: d340d6b35f9a4081ddcaeeaa5490c930defea7a58f1d77e0873b71ff97840421
Instruction ID: 509355b7045c475879f9e2ac852e77767b840c35742f0cfb725578c087a917f1
Opcode Fuzzy Hash: d340d6b35f9a4081ddcaeeaa5490c930defea7a58f1d77e0873b71ff97840421
Instruction Fuzzy Hash: 72B194311087018FC714EF20C4919AEB7E6AF94314F54496DF49A973A2EF31ED45CBA2

Function 00062DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 000A2C8C

Part of subcall function 00063AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00063A97,?,?,00062E7F,?,?,?,00000000), ref: 00063AC2

Part of subcall function 00062DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00062DC4

Strings

X, xrefs: 000A2C5A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 59e107f04db63f82a8c8ed6f8b880d0451e9a8faa7ae91d545baea45543c542f
Instruction ID: d2d1961fe7e9d829bc3b9dfca98fd98f6b5784088bc6ddbe3638c2c3461f8256
Opcode Fuzzy Hash: 59e107f04db63f82a8c8ed6f8b880d0451e9a8faa7ae91d545baea45543c542f
Instruction Fuzzy Hash: 1E21A571A002989FDB41EF94D845BEE7BF9AF49314F008069E445B7282DBB45A89CFA1

Function 000D2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 000D2587

Strings

EA06, xrefs: 000D25B9

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 08475a289011389f542fbf0c625787c7d223095f7490a5d24a2590bd85e044b9
Instruction ID: c96ebfbd4b5380d2a1e3803a18d91a7f82ca389e758a1cbd40177d935becb0ea
Opcode Fuzzy Hash: 08475a289011389f542fbf0c625787c7d223095f7490a5d24a2590bd85e044b9
Instruction Fuzzy Hash: DE01B5729042687EDF68D7A8C856EEEBBF8DB15301F00459AF192D21C2E5B4E6088B70

Function 00063837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00063908

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: a31d642f4edf280de886e5e04d8b830eab51420b42b5608236598ea80504f771
Instruction ID: a850b440bbe9a3619ccdf3ea13f50fc56265be07183dada6453968e0ce844a9e
Opcode Fuzzy Hash: a31d642f4edf280de886e5e04d8b830eab51420b42b5608236598ea80504f771
Instruction Fuzzy Hash: 1131A2715047019FE760DF64D885BDBBBE8FB49718F00092EF59A83641EB71AA44CB92

Function 00065745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0006949C,?,00008000), ref: 00065773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0006949C,?,00008000), ref: 000A4052

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4421cedd3224b5804243edd96b32f90ca1d537bc732510067365c37661085157
Instruction ID: 9ea46fcd5132b5e0e47c9fe4f9a3646d49b10bc2327f287b83ec215d867e8887
Opcode Fuzzy Hash: 4421cedd3224b5804243edd96b32f90ca1d537bc732510067365c37661085157
Instruction Fuzzy Hash: 2E01B530145725B6E3700A6ADC0EF977F99EF067B1F108300BA9D6E1E0CBB45854DB90

Function 0006B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0006BB4E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: b59dcf0b9ac8d62ac7bc35e66a561287d34b2b057980b362a1a362bfb61307c7
Instruction ID: 987e8a07f705246393c8431151a6fbd7786b716c2e1b586f7cffe88a2aca9c05
Opcode Fuzzy Hash: b59dcf0b9ac8d62ac7bc35e66a561287d34b2b057980b362a1a362bfb61307c7
Instruction Fuzzy Hash: A7328CB4A042099FDB24DF58C894AFEB7FAFF44314F148059E905AB262D774EE81CB91

Function 014F12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014F1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014F1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014F1B73

Memory Dump Source

Source File: 00000000.00000002.2142893759.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f062d9386360323abe608eb8aa61f53b926788e5bce96864e9f45577f6f52855
Instruction ID: 64f5842a3766c994098223ae5c88d5e3f61994e4b44b600f2f4dfef17eade513
Opcode Fuzzy Hash: f062d9386360323abe608eb8aa61f53b926788e5bce96864e9f45577f6f52855
Instruction Fuzzy Hash: E312DD24E24658C6EB24DF64D8507DEB232EF68300F1091ED910DEB7A5E77A4E81CF5A

Function 00064ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00064E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00064EDD,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E9C
Part of subcall function 00064E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00064EAE
Part of subcall function 00064E90: FreeLibrary.KERNEL32(00000000,?,?,00064EDD,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064EFD

Part of subcall function 00064E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000A3CDE,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E62
Part of subcall function 00064E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00064E74
Part of subcall function 00064E59: FreeLibrary.KERNEL32(00000000,?,?,000A3CDE,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E87

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c8e46108c020f06a31b29267c31d166a6a302fff70223f1e26c4ab0ba073abbc
Instruction ID: 7e2c7104d10f636b6c809cf786075810377e912ab366331dfb342de72cbcc50e
Opcode Fuzzy Hash: c8e46108c020f06a31b29267c31d166a6a302fff70223f1e26c4ab0ba073abbc
Instruction Fuzzy Hash: EA110632600305EADF25FF60DD03FED77A6AF40711F20842EF542AA1C2EE719A059790

Function 00098402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00098440

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 4e505ee72b159acc426d3fc9a282f99128fb7e1a8fa113a6c2a2693e0b3fe4b6
Instruction ID: c3fdd3d615a688de8de4faa8f2975942c11c845e8a106ffd7a3eb728ecbd1728
Opcode Fuzzy Hash: 4e505ee72b159acc426d3fc9a282f99128fb7e1a8fa113a6c2a2693e0b3fe4b6
Instruction Fuzzy Hash: 7611487590410AAFCF05DF58E9409DE7BF8EF49300F108069F808AB312DA30DA11DBA4

Function 00069A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0006543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00069A9C

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 88e90410ae8144a733870a3f33c33d649c043a19e0443aa5118030a515925de6
Instruction ID: 42425818e8af0af54d795cca25f409b1d35200c271f2aa3ccbcd44fd091b0ada
Opcode Fuzzy Hash: 88e90410ae8144a733870a3f33c33d649c043a19e0443aa5118030a515925de6
Instruction Fuzzy Hash: 9B1148352047059FEB20CF85C881B66B7FAEF44764F14C42EE99B8AA51C770B945CBA1

Function 0008E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction ID: 1b949e47a1256934ef6f2eb2c2759f40730878ede1dc5ead727e968d24012cfc
Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
Instruction Fuzzy Hash: ADF02832511E14A6DB313A79DC05BDA3398BF623B4F140715F4E4932E3EB70D81297A5

Function 00093820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e5f8ae9597de2272327417079a52e5b8446e6a3894b9d5e422a5341baef2f607
Instruction ID: b06ba5b5405872a4a0b7977363198cd00206147f123d79eec0666c5f7c8e171e
Opcode Fuzzy Hash: e5f8ae9597de2272327417079a52e5b8446e6a3894b9d5e422a5341baef2f607
Instruction Fuzzy Hash: 07E0ED3110032AA6EE313A779C05BEB36C9BF42BB0F050021BC8592892CF20DE01BAE0

Function 00094D7A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00094D9C

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction ID: 17b10ea2a2f4b0e56e417bcfe2cd5e756d945dd59309ab8375c570617f56e436
Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
Instruction Fuzzy Hash: 8CE092361013059F8B60CF6CD400AC2B7F4EF843207218529E89DD3311D331E812CB80

Function 00064F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064F6D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c0de64c9454d74ab5cc963a3796040727a9670506bb94ca951ee1e443fce54f5
Instruction ID: b73462fc188383d305c63ebfce52c4080db66d5e765874ffea533c346e336824
Opcode Fuzzy Hash: c0de64c9454d74ab5cc963a3796040727a9670506bb94ca951ee1e443fce54f5
Instruction Fuzzy Hash: C4F03071105751CFDB789F64D490826B7E6BF14319310897EE1DA82511C7319854DF10

Function 00062DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00062DC4

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e509b3a4515f5216612b65e11097ba3dd7fb572ad1a1280d90f7587f153ffb6b
Instruction ID: a8803c46e7fe62a0bb01417db7a932782e9e7c6b0e17723f5f1c56f71e72e9f3
Opcode Fuzzy Hash: e509b3a4515f5216612b65e11097ba3dd7fb572ad1a1280d90f7587f153ffb6b
Instruction Fuzzy Hash: 69E0CD766001245BD71096989C06FEA77DDDFC8790F044071FD09D7249DA64AD80C550

Function 000D2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 000D26B5

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: fa5af4fffeffd5ecac0ec39a0d57215a46f2463b662e192b1dfbb35b0c0ed1e6
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 32E04FB0609B009FDF796A28A8517F677E89F49300F10086EF6DF92352E57268458A5D

Function 00062B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00063837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00063908

Part of subcall function 0006D730: GetInputState.USER32 ref: 0006D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00062B6B

Part of subcall function 000630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0006314E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: fb5af9261db772071e2f98182a357c9c44ed7f9686770b7a3ec92c0d53f38ca2
Instruction ID: ccedb85e711ee1ace04ac89a79bec06a42ab98051284080785677515937225a9
Opcode Fuzzy Hash: fb5af9261db772071e2f98182a357c9c44ed7f9686770b7a3ec92c0d53f38ca2
Instruction Fuzzy Hash: 39E0CD2170424417D608BB75A9525FDF75BDBD1351F40153EF542531A3DF2486498392

Function 000A039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,000A0704,?,?,00000000,?,000A0704,00000000,0000000C), ref: 000A03B7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: db8aea35c084bd4fbe067827b866f576b951183b09f6d03bff2e6210aa37ebea
Instruction ID: 41149611b5a462ec4d09a4f7c1b7ea0394c293ec2afd034d004ff8e0f0d9fdad
Opcode Fuzzy Hash: db8aea35c084bd4fbe067827b866f576b951183b09f6d03bff2e6210aa37ebea
Instruction Fuzzy Hash: CFD06C3204010DBBEF028F84DD06EDA3BAAFB48714F014000BE1856020C736E831EB90

Function 00061CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00061CBC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 2004d03bda4d9131a6e20b64999c718ad4c087389b9c210d0e5032a9a4f78d05
Instruction ID: 318e2ea09bc83740f5bb52c8b4975e162261ad084d134a6916cac357dcdeb45a
Opcode Fuzzy Hash: 2004d03bda4d9131a6e20b64999c718ad4c087389b9c210d0e5032a9a4f78d05
Instruction Fuzzy Hash: 0BC09236380308EFF2149B80BD4BF607764B348F11F048001F609AADE3C3B228A4EA50

Function 000D744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00065745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0006949C,?,00008000), ref: 00065773

GetLastError.KERNEL32(00000002,00000000), ref: 000D76DE

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 132673ba226ac0311a2a7bf8ea83ee5c018cdcb8e2ed0454b1761909f49c45f5
Instruction ID: bf651b1252520757f688eefc2499b7d3f0b5f55cdee1e72dc625b0516e49705a
Opcode Fuzzy Hash: 132673ba226ac0311a2a7bf8ea83ee5c018cdcb8e2ed0454b1761909f49c45f5
Instruction Fuzzy Hash: 418191306087019FC714EF28C491BADB7E2AF89314F44451EF88A5B392EB74ED45CBA2

Function 0007FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0007FD1F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 511185563a55c086bd75eb9a13b7ab93e8dc250e306aa0c445c5659710e7e512
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8A3112B4A0010ADBC769CF59D580979FBA2FF49300B24C2A5E809CB652D735EDC1CBC4

Function 014F29BB Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014F2A67

Memory Dump Source

Source File: 00000000.00000002.2142893759.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a2f09042e8b8218b62577ab9939fd8ad4f1ab35591ca5a7ca790d0063d9bd37b
Instruction ID: eee05ad61abb2ba71a4c0f567d420fa0acee353b30a6302e57b2d8d7c5101c7e
Opcode Fuzzy Hash: a2f09042e8b8218b62577ab9939fd8ad4f1ab35591ca5a7ca790d0063d9bd37b
Instruction Fuzzy Hash: F5010035E40208EFEB64CBA4C954FDEBBB1AF44701F20819AE601A7391C7759E44DF50

Function 014F2300 Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 014F2312

Memory Dump Source

Source File: 00000000.00000002.2142893759.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14f0000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction ID: 00dc13a5fc6df48e7d4efb0351dc6e0573165e2f45941431bbebd423ff07167d
Opcode Fuzzy Hash: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction Fuzzy Hash: 19F0B67594010EABCF00EFA4C9499EEBB74FF04311F504559EA1AA2280DB70AA518B61

Non-executed Functions

Function 000F9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000F961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000F965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 000F969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000F96C9
SendMessageW.USER32 ref: 000F96F2
GetKeyState.USER32(00000011), ref: 000F978B
GetKeyState.USER32(00000009), ref: 000F9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000F97AE
GetKeyState.USER32(00000010), ref: 000F97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000F97E9
SendMessageW.USER32 ref: 000F9810
SendMessageW.USER32(?,00001030,?,000F7E95), ref: 000F9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000F992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000F9941
SetCapture.USER32(?), ref: 000F994A
ClientToScreen.USER32(?,?), ref: 000F99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000F99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000F99D6
ReleaseCapture.USER32 ref: 000F99E1
GetCursorPos.USER32(?), ref: 000F9A19
ScreenToClient.USER32(?,?), ref: 000F9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 000F9A80
SendMessageW.USER32 ref: 000F9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 000F9AEB
SendMessageW.USER32 ref: 000F9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000F9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 000F9B4A
GetCursorPos.USER32(?), ref: 000F9B68
ScreenToClient.USER32(?,?), ref: 000F9B75
GetParent.USER32(?), ref: 000F9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 000F9BFA
SendMessageW.USER32 ref: 000F9C2B
ClientToScreen.USER32(?,?), ref: 000F9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000F9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 000F9CDE
SendMessageW.USER32 ref: 000F9D01
ClientToScreen.USER32(?,?), ref: 000F9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000F9D82

Part of subcall function 00079944: GetWindowLongW.USER32(?,000000EB), ref: 00079952

GetWindowLongW.USER32(?,000000F0), ref: 000F9E05

Strings

F, xrefs: 000F9D07
@GUI_DRAGID, xrefs: 000F997D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: ba70f2a6a3a69507cbcba5e84a69af82ebe2d17d54c8406509d14d65dab85022
Instruction ID: d38a0c9a65d1bdb40c61afc30472a818877fb91709e0942e2e99e68ed88117bc
Opcode Fuzzy Hash: ba70f2a6a3a69507cbcba5e84a69af82ebe2d17d54c8406509d14d65dab85022
Instruction Fuzzy Hash: DD427A34208208AFE724DF28CD44FBABBE5FF49714F140619F699C7AA1D731A894EB51

Function 000F4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 000F48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 000F4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 000F4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 000F494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 000F495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 000F497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 000F49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 000F49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 000F4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000F4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 000F4A7E
IsMenu.USER32(?), ref: 000F4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000F4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000F4B20
GetWindowLongW.USER32(?,000000F0), ref: 000F4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 000F4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 000F4C82
wsprintfW.USER32 ref: 000F4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000F4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 000F4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000F4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000F4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 000F4D5A

Strings

%d/%02d/%02d, xrefs: 000F4CA8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: e0b869c0cc10af4129e60d9d2bb099abe441857b23a2bd3fe9fbc2e00b50ef31
Instruction ID: ef74fbad20ca12ff20a39aa433fca20e189288e4181368f37a77a2102ea4a79d
Opcode Fuzzy Hash: e0b869c0cc10af4129e60d9d2bb099abe441857b23a2bd3fe9fbc2e00b50ef31
Instruction Fuzzy Hash: 1C12C071600258ABFB248F28CC49FBF7BF8AF45710F104129FA19DA6A1DB789945EB50

Function 0007F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0007F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000BF474
IsIconic.USER32(00000000), ref: 000BF47D
ShowWindow.USER32(00000000,00000009), ref: 000BF48A
SetForegroundWindow.USER32(00000000), ref: 000BF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000BF4AA
GetCurrentThreadId.KERNEL32 ref: 000BF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000BF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 000BF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000BF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000BF4DE
SetForegroundWindow.USER32(00000000), ref: 000BF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 000BF4F6
keybd_event.USER32(00000012,00000000), ref: 000BF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 000BF50B
keybd_event.USER32(00000012,00000000), ref: 000BF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 000BF519
keybd_event.USER32(00000012,00000000), ref: 000BF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 000BF528
keybd_event.USER32(00000012,00000000), ref: 000BF52D
SetForegroundWindow.USER32(00000000), ref: 000BF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 000BF557

Strings

Shell_TrayWnd, xrefs: 000BF46F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 340f25de7cf9897a02492f2871ce0cf3218b23575583505e2850ec2f47d620c7
Instruction ID: 9ee355b21ce7ed8cffc86381280c1335b99eebc16788e15f94889c19dfc4467c
Opcode Fuzzy Hash: 340f25de7cf9897a02492f2871ce0cf3218b23575583505e2850ec2f47d620c7
Instruction Fuzzy Hash: 53313D71A4021DBAFB306BB55D4AFBF7EACEB44B50F100065FA01E61D1C7B55D50EAA0

Function 000C1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 000C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C170D
Part of subcall function 000C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C173A
Part of subcall function 000C16C3: GetLastError.KERNEL32 ref: 000C174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 000C1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 000C12A8
CloseHandle.KERNEL32(?), ref: 000C12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 000C12D1
GetProcessWindowStation.USER32 ref: 000C12EA
SetProcessWindowStation.USER32(00000000), ref: 000C12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 000C1310

Part of subcall function 000C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000C11FC), ref: 000C10D4
Part of subcall function 000C10BF: CloseHandle.KERNEL32(?,?,000C11FC), ref: 000C10E9

Strings

, xrefs: 000C125A
winsta0, xrefs: 000C12CC
default, xrefs: 000C130B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 2c1ef905f5684ff950ee3a351f6f49d1a3e1c644c05b48b75cfa0e6681a7af4b
Instruction ID: 89b11667d1b2fa65a61795a9a043c0643597b8acdfcc6395d86bf94e1dbdbde1
Opcode Fuzzy Hash: 2c1ef905f5684ff950ee3a351f6f49d1a3e1c644c05b48b75cfa0e6681a7af4b
Instruction Fuzzy Hash: ED81CC71900209AFEF259FA4DD4AFEE7BB9EF06700F14416DFA10E61A2D7348A54DB60

Function 000C0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000C1114
Part of subcall function 000C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1120
Part of subcall function 000C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C112F
Part of subcall function 000C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1136
Part of subcall function 000C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000C0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000C0C00
GetLengthSid.ADVAPI32(?), ref: 000C0C17
GetAce.ADVAPI32(?,00000000,?), ref: 000C0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000C0C6D
GetLengthSid.ADVAPI32(?), ref: 000C0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000C0C8C
HeapAlloc.KERNEL32(00000000), ref: 000C0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000C0CB4
CopySid.ADVAPI32(00000000), ref: 000C0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000C0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000C0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000C0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0D45
HeapFree.KERNEL32(00000000), ref: 000C0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0D55
HeapFree.KERNEL32(00000000), ref: 000C0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0D65
HeapFree.KERNEL32(00000000), ref: 000C0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 000C0D78
HeapFree.KERNEL32(00000000), ref: 000C0D7F

Part of subcall function 000C1193: GetProcessHeap.KERNEL32(00000008,000C0BB1,?,00000000,?,000C0BB1,?), ref: 000C11A1
Part of subcall function 000C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000C0BB1,?), ref: 000C11A8
Part of subcall function 000C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000C0BB1,?), ref: 000C11B7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 673c4ec6f8e7e4f2d032dd4f56ef4739613175efacd4bf017867e330144c0d4a
Instruction ID: 99cba2df4b57c87cd6dd0e2230a124d3ad24e2ddd71c597fd84b7e6d74fc3ba5
Opcode Fuzzy Hash: 673c4ec6f8e7e4f2d032dd4f56ef4739613175efacd4bf017867e330144c0d4a
Instruction Fuzzy Hash: EC716BB290020AEBEF10DFE4DD45FEEBBB8BF05700F044619E915A61A1DB75AA05CB60

Function 000DEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(000FCC08), ref: 000DEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 000DEB37
GetClipboardData.USER32(0000000D), ref: 000DEB43
CloseClipboard.USER32 ref: 000DEB4F
GlobalLock.KERNEL32(00000000), ref: 000DEB87
CloseClipboard.USER32 ref: 000DEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 000DEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 000DEBC9
GetClipboardData.USER32(00000001), ref: 000DEBD1
GlobalLock.KERNEL32(00000000), ref: 000DEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 000DEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 000DEC38
GetClipboardData.USER32(0000000F), ref: 000DEC44
GlobalLock.KERNEL32(00000000), ref: 000DEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 000DEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000DEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 000DECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 000DECF3
CountClipboardFormats.USER32 ref: 000DED14
CloseClipboard.USER32 ref: 000DED59

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 21f4ec9a84719784238e78812f27ec2c7d100d0f8020ac97800a9d1bb2de7ee6
Instruction ID: 8dee16d1150cd2d1e4c11625e1d40333b6618658bb2ff12efd82f3ceeeddb601
Opcode Fuzzy Hash: 21f4ec9a84719784238e78812f27ec2c7d100d0f8020ac97800a9d1bb2de7ee6
Instruction Fuzzy Hash: 5B61BB34204346AFE310EF20C985F7A77E9AF84714F14451AF4469B7A2CB35E90ADBB2

Function 000D698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000D69BE
FindClose.KERNEL32(00000000), ref: 000D6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000D6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 000D6A75

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 000D6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 000D6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 000D6B6A
%4d, xrefs: 000D6BB1
%02d, xrefs: 000D6C00, 000D6C0A, 000D6C5A, 000D6CAA, 000D6CFA, 000D6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 000D6B32
%03d, xrefs: 000D6DA2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 4cf2ff653543b6c95535f2210211d89cf6a9325e3ad36a639ce918e324c23e13
Instruction ID: 539d0a041c449ac8d9bda9a0bcaf52053f84a8586e3c6ccae19bc52b95554fc7
Opcode Fuzzy Hash: 4cf2ff653543b6c95535f2210211d89cf6a9325e3ad36a639ce918e324c23e13
Instruction Fuzzy Hash: 91D16271508340AFD310DBA4C982EBBB7EDAF88704F44491EF589C7292EB75DA44CB62

Function 000D9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 000D9663
GetFileAttributesW.KERNEL32(?), ref: 000D96A1
SetFileAttributesW.KERNEL32(?,?), ref: 000D96BB
FindNextFileW.KERNEL32(00000000,?), ref: 000D96D3
FindClose.KERNEL32(00000000), ref: 000D96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 000D96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 000D974A
SetCurrentDirectoryW.KERNEL32(00126B7C), ref: 000D9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D9772
FindClose.KERNEL32(00000000), ref: 000D977F
FindClose.KERNEL32(00000000), ref: 000D978F

Strings

*.*, xrefs: 000D96F5

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: d531a5883e50283951751d6124379b7b97f090b544ad3dfd7b026e44480964db
Instruction ID: 4cd30cd136b59770ebce24b4ba3522f9f0c5a9c022d6b21ceb1e2dfc009be65a
Opcode Fuzzy Hash: d531a5883e50283951751d6124379b7b97f090b544ad3dfd7b026e44480964db
Instruction Fuzzy Hash: 5531D03264431D6AEF54EFB4ED09EEE37ECAF09321F144156E904E22A0DB38DA44CB20

Function 000D979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 000D97BE
FindNextFileW.KERNEL32(00000000,?), ref: 000D9819
FindClose.KERNEL32(00000000), ref: 000D9824
FindFirstFileW.KERNEL32(*.*,?), ref: 000D9840
SetCurrentDirectoryW.KERNEL32(?), ref: 000D9890
SetCurrentDirectoryW.KERNEL32(00126B7C), ref: 000D98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 000D98B8
FindClose.KERNEL32(00000000), ref: 000D98C5
FindClose.KERNEL32(00000000), ref: 000D98D5

Part of subcall function 000CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000CDB00

Strings

*.*, xrefs: 000D983B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 41bd78e9c49234e9bd703bf749ce31b09be315a8f48c3cbce9dfabb91a513bdb
Instruction ID: ac792e752ebf0ca934bd0f847e6560a1bcfab7d5500b2039ba941fd388f96144
Opcode Fuzzy Hash: 41bd78e9c49234e9bd703bf749ce31b09be315a8f48c3cbce9dfabb91a513bdb
Instruction Fuzzy Hash: 5B31D23254031D6AEF14EFA4EC49EEE77ACAF06721F144156E850A22E1DF34DA44EB70

Function 000EBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000EC9F1
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA68
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 000EBFA9
RegCloseKey.ADVAPI32(00000000), ref: 000EBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000EC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000EC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000EC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000EC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 000EC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 000EC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000EC382
RegCloseKey.ADVAPI32(00000000), ref: 000EC38F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 62f04753f41235cb7e644ac44491d128f2dd9196ce00ea7440637acceb4eb111
Instruction ID: 370e105da0ccc8f71510ff68171c63c4ffbadd8b80dadcd20989d79af8b35781
Opcode Fuzzy Hash: 62f04753f41235cb7e644ac44491d128f2dd9196ce00ea7440637acceb4eb111
Instruction Fuzzy Hash: F40280716042409FD714CF29C895E6ABBE5EF89308F18C49DF84ADB2A2DB31ED46CB51

Function 000D8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000D8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 000D8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 000D8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000D8310
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8324
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000D838C
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8395

Strings

*.*, xrefs: 000D839B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 40165f448e50cf6c847f6bfc450c46327205a6970be519006f39fe107c7d12f6
Instruction ID: ab4c40caf1ddd633a8dc3b0b18d23c99661469f58c52d8a551403b642814f9e4
Opcode Fuzzy Hash: 40165f448e50cf6c847f6bfc450c46327205a6970be519006f39fe107c7d12f6
Instruction Fuzzy Hash: B3616C725043459FD710EF60C845DAEB3E9FF89310F04892EF98987252EB35E945CBA2

Function 000CD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00063AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00063A97,?,?,00062E7F,?,?,?,00000000), ref: 00063AC2

Part of subcall function 000CE199: GetFileAttributesW.KERNEL32(?,000CCF95), ref: 000CE19A

FindFirstFileW.KERNEL32(?,?), ref: 000CD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 000CD1DD
MoveFileW.KERNEL32(?,?), ref: 000CD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 000CD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 000CD237

Part of subcall function 000CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,000CD21C,?,?), ref: 000CD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 000CD253
FindClose.KERNEL32(00000000), ref: 000CD264

Strings

\*.*, xrefs: 000CD0CD, 000CD0D6, 000CD0EB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: b16376f046aca2a0a0324629834053af444c291dedff94702adea2495c20bbb5
Instruction ID: 82dce3869e9da4197bb77667a94906c82dd17ca4062e988e35938d5195e6b1ca
Opcode Fuzzy Hash: b16376f046aca2a0a0324629834053af444c291dedff94702adea2495c20bbb5
Instruction Fuzzy Hash: 96614D3180110DAFDF15EBE0DA52EEDB7BAAF65300F64416AE40177192EB319F09DB61

Function 000DED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000DED91
EmptyClipboard.USER32 ref: 000DED97
GlobalAlloc.KERNEL32(00000002,?), ref: 000DEDAC
CloseClipboard.USER32 ref: 000DEEA3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 317e5ad39c814e1a4bcc92136797f77842fa1df6ab5bd3e64b778a01980154bd
Instruction ID: 984f44f56aa1a5985bc2a534235f0423ed5098b6bb28aa52390430bc2361ffd4
Opcode Fuzzy Hash: 317e5ad39c814e1a4bcc92136797f77842fa1df6ab5bd3e64b778a01980154bd
Instruction Fuzzy Hash: 03417C35204651AFE720EF15D889F69BBE5EF44328F14809AE45A8FB62C775EC41CBA0

Function 000CE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 000C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C170D
Part of subcall function 000C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C173A
Part of subcall function 000C16C3: GetLastError.KERNEL32 ref: 000C174A

ExitWindowsEx.USER32(?,00000000), ref: 000CE932

Strings

, xrefs: 000CE95C
@, xrefs: 000CE925
SeShutdownPrivilege, xrefs: 000CE902
, xrefs: 000CE920

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9c9116b46554bb843b6461d4c3a143e4be68285d14af18767141384c6b829c94
Instruction ID: dc663f1290ad2aa9510d50fb84a62b2bdfea06833dc60f6cfa8aa354e68e7c78
Opcode Fuzzy Hash: 9c9116b46554bb843b6461d4c3a143e4be68285d14af18767141384c6b829c94
Instruction Fuzzy Hash: B301D672610215ABFBA427B4DC86FFF729CE715750F154529F902E21D2DAB45C809294

Function 000E1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000E1276
WSAGetLastError.WSOCK32 ref: 000E1283
bind.WSOCK32(00000000,?,00000010), ref: 000E12BA
WSAGetLastError.WSOCK32 ref: 000E12C5
closesocket.WSOCK32(00000000), ref: 000E12F4
listen.WSOCK32(00000000,00000005), ref: 000E1303
WSAGetLastError.WSOCK32 ref: 000E130D
closesocket.WSOCK32(00000000), ref: 000E133C

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 397b7726241c24737325c37a6fa3da767b212d9c18eabc96c9cc5c27e4f063e8
Instruction ID: e3a723002625293c2daaeb27a932969abcf18137e99c8e498c9b57e195dcdda6
Opcode Fuzzy Hash: 397b7726241c24737325c37a6fa3da767b212d9c18eabc96c9cc5c27e4f063e8
Instruction Fuzzy Hash: 1441B1306001409FE710DF25C989BA9BBE6AF46318F18808CD9569F2A2C771ED82CBA1

Function 0009E4FF Relevance: 11.9, APIs: 1, Strings: 5, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0009E645

Strings

1#IND, xrefs: 0009F83D
1#INF, xrefs: 0009F852
InitializeCriticalSectionEx, xrefs: 0009E608, 0009E699, 0009EA92
1#QNAN, xrefs: 0009F84B
1#SNAN, xrefs: 0009F844

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$InitializeCriticalSectionEx
API String ID: 4168288129-2709433496
Opcode ID: 16d7d01367fc4a2f52f1244774e61aa175d758f7d3ce0d28262ade52ae14471a
Instruction ID: 2986584407253bc8c9137bb5bb920c869429f8de2c2f63f220ed60daa6c79a1e
Opcode Fuzzy Hash: 16d7d01367fc4a2f52f1244774e61aa175d758f7d3ce0d28262ade52ae14471a
Instruction Fuzzy Hash: E9C23771E086298BDF65CE28DD407EAB7F5EB88305F1441EAD84DE7241E778AE819F40

Function 0009B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0009B9D4
_free.LIBCMT ref: 0009B9F8
_free.LIBCMT ref: 0009BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00103700), ref: 0009BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0013121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0009BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00131270,000000FF,?,0000003F,00000000,?), ref: 0009BC36
_free.LIBCMT ref: 0009BD4B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: a5140ae1ae9c8cbf075dfeaf5a58252d0aae202cbb58f487c3aa270571ce72a1
Instruction ID: ea323843b196b7f2844e387ef5a2b56ce03ce2c0a240622f4c1b36bb996607dd
Opcode Fuzzy Hash: a5140ae1ae9c8cbf075dfeaf5a58252d0aae202cbb58f487c3aa270571ce72a1
Instruction Fuzzy Hash: 1AC11871904209AFDF20DF68AE51BEE7BE9EF41330F24415AE494D7292EB709E41E750

Function 000CD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00063AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00063A97,?,?,00062E7F,?,?,?,00000000), ref: 00063AC2

Part of subcall function 000CE199: GetFileAttributesW.KERNEL32(?,000CCF95), ref: 000CE19A

FindFirstFileW.KERNEL32(?,?), ref: 000CD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 000CD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 000CD481
FindClose.KERNEL32(00000000), ref: 000CD498
FindClose.KERNEL32(00000000), ref: 000CD4A1

Strings

\*.*, xrefs: 000CD3F2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e03bab36ec86eb389272f412c86c8b52610d6a1ddd97ab8212d7e0804245bb38
Instruction ID: a81c27d024a06f23b58acd3110508e794df1a4fae87fbc10f778306a0c854bb1
Opcode Fuzzy Hash: e03bab36ec86eb389272f412c86c8b52610d6a1ddd97ab8212d7e0804245bb38
Instruction Fuzzy Hash: EB316D310083459FD204EF64D992DEFB7E9AF92314F444A2EF5D593192EB30AA09DB63

Function 000D648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000D64DC
CoInitialize.OLE32(00000000), ref: 000D6639
CoCreateInstance.OLE32(000FFCF8,00000000,00000001,000FFB68,?), ref: 000D6650
CoUninitialize.OLE32 ref: 000D68D4

Strings

.lnk, xrefs: 000D64BA, 000D6524, 000D65E0

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 3c5a9b33a3b0d53803a235a8a155fff08c534245c594234a5aa0eaf7148ddeb4
Instruction ID: 0b58ef0853a3ec2f490006a0e575fdb8a297629e7fcde381142124acf53c35ac
Opcode Fuzzy Hash: 3c5a9b33a3b0d53803a235a8a155fff08c534245c594234a5aa0eaf7148ddeb4
Instruction Fuzzy Hash: 22D14A71508301AFD314EF24C881EABB7E9FF94704F10496DF5958B292DB72E945CBA2

Function 000E22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 000E22E8

Part of subcall function 000DE4EC: GetWindowRect.USER32(?,?), ref: 000DE504

GetDesktopWindow.USER32 ref: 000E2312
GetWindowRect.USER32(00000000), ref: 000E2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 000E2355
GetCursorPos.USER32(?), ref: 000E2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000E23DF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ad0961d3f34b5713daf31856e4561034ee2139533460d1851a696075293ee074
Instruction ID: 455dbcb345bfb56f3bf63ee202068376b15fee4e743e9f72ac274f1fa1f7e840
Opcode Fuzzy Hash: ad0961d3f34b5713daf31856e4561034ee2139533460d1851a696075293ee074
Instruction Fuzzy Hash: 0B319072504355AFE720DF65C845FABB7EAFB84714F000A19F585A7191DA34EA08CB92

Function 000D9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 000D9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 000D9C8B

Part of subcall function 000D3874: GetInputState.USER32 ref: 000D38CB
Part of subcall function 000D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000D3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 000D9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 000D9C75

Strings

*.*, xrefs: 000D9B5D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: be2d274ebec4f140db655a4ead4e792ac91aae6d17c637a5e021313ebbac20c7
Instruction ID: 885f057a618bfb4e4fe57ee8581fe7a139dfc1b565f093aea77ff538643d8f5f
Opcode Fuzzy Hash: be2d274ebec4f140db655a4ead4e792ac91aae6d17c637a5e021313ebbac20c7
Instruction Fuzzy Hash: 47414F7194420AAFDF55DFA4C986AEEBBF9EF05310F244156E805A32A1EB309E44DF60

Function 00068060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0006813C
VUUU, xrefs: 0006843C
InitializeCriticalSectionEx, xrefs: 000A5D4D
VUUU, xrefs: 000683E8
VUUU, xrefs: 000683FA
VUUU, xrefs: 000A5DF0

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID: ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1173862840
Opcode ID: dcd8a0eb6d0d43ab74cb2a70fa40d0425cd9bf102215818377d3ec7aeb799e1d
Instruction ID: cf7df658f090f75b13ba696962110d55a1f25132d5f179c5b91eb7f797b19107
Opcode Fuzzy Hash: dcd8a0eb6d0d43ab74cb2a70fa40d0425cd9bf102215818377d3ec7aeb799e1d
Instruction Fuzzy Hash: E9A26171E0061ACBDF74CF98C8447AEB7B2BF55310F2482A9E855A7285EB719D81CF50

Function 0007997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00079A4E
GetSysColor.USER32(0000000F), ref: 00079B23
SetBkColor.GDI32(?,00000000), ref: 00079B36

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 9caaf4e777bbd3b5b8ce4430d31a9242b1fbb45e7a0936b28cf38014bae1b005
Instruction ID: 191e9b81f70052c5d4d2431726cb99c4c06d176ef15e3e9b360118a7fa4767c1
Opcode Fuzzy Hash: 9caaf4e777bbd3b5b8ce4430d31a9242b1fbb45e7a0936b28cf38014bae1b005
Instruction Fuzzy Hash: FAA12B70A09444BEE7789A3C8C49EFF36DDDB82300F158109F50AD6E96CA299D41D3BB

Function 000E1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000E307A
Part of subcall function 000E304E: _wcslen.LIBCMT ref: 000E309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 000E185D
WSAGetLastError.WSOCK32 ref: 000E1884
bind.WSOCK32(00000000,?,00000010), ref: 000E18DB
WSAGetLastError.WSOCK32 ref: 000E18E6
closesocket.WSOCK32(00000000), ref: 000E1915

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 59813e497c0ad983522a893126d38f5b19def7201e049a12c2b10909f8660482
Instruction ID: 213a71e7d58db44aa0c9aae58abc7057be08d6e5c41b7fabf9b7d6a82b534185
Opcode Fuzzy Hash: 59813e497c0ad983522a893126d38f5b19def7201e049a12c2b10909f8660482
Instruction Fuzzy Hash: E651C871A002109FE710AF24C986FBA77E59F44718F488198F95AAF3D3CB75AD41CB91

Function 000F1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000F1CC0
IsWindowEnabled.USER32 ref: 000F1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 000F1CDB
IsIconic.USER32 ref: 000F1CE9
IsZoomed.USER32 ref: 000F1CF7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: cedf78897d6cc0591bb2acecf1f89c895247e1346f2d19d5d441fdbb19fbf4fc
Instruction ID: d3b31f4764c08602803eeefee6f30489702852a455543d135f5815e07eedc183
Opcode Fuzzy Hash: cedf78897d6cc0591bb2acecf1f89c895247e1346f2d19d5d441fdbb19fbf4fc
Instruction Fuzzy Hash: 7C2194317402189FE7208F1AD844FBA7BE5AF95314B198068E949CBB52C775EC42EBD0

Function 000EA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000EA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 000EA6BA

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Process32NextW.KERNEL32(00000000,?), ref: 000EA79C
CloseHandle.KERNEL32(00000000), ref: 000EA7AB

Part of subcall function 0007CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000A3303,?), ref: 0007CE8A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: a27ee10d8205934eb5b41579d08b5e78deca6849fb4f3223af74b5b68887af86
Instruction ID: 4afa78eb29e5863d217058f809ad188370dcfa8cd70ebf82d9578ffe3efe312a
Opcode Fuzzy Hash: a27ee10d8205934eb5b41579d08b5e78deca6849fb4f3223af74b5b68887af86
Instruction Fuzzy Hash: A0517F715083009FD310EF24C986EABBBE9FF89754F40491DF589A7292EB30E904CB92

Function 000CAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 000CAAAC
SetKeyboardState.USER32(00000080), ref: 000CAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 000CAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 000CAB88

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 435df1b7de0acc35fabe5d2d625a8f3b81f8030b408eff74d79d0fe01007bc33
Instruction ID: c1a5f2d7f5c8e115e8c2f04196adc9809e5aa5bbd1bb3f221e002f7ed717d930
Opcode Fuzzy Hash: 435df1b7de0acc35fabe5d2d625a8f3b81f8030b408eff74d79d0fe01007bc33
Instruction Fuzzy Hash: 2231E270B4020CAEFF358B648805FFE7BEAAB46324F04421EF181961E2D7798D81D762

Function 000DCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 000DCE89
GetLastError.KERNEL32(?,00000000), ref: 000DCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 000DCEFE

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 75c4ea66fc3cb902c78d5a9e96dc900d7539102acf3d32e34ecf9f36afc958ff
Instruction ID: c2dd3ceca9166025fd0ccf89bc29d5a34474788f837f7f1b603e0bc452e64089
Opcode Fuzzy Hash: 75c4ea66fc3cb902c78d5a9e96dc900d7539102acf3d32e34ecf9f36afc958ff
Instruction Fuzzy Hash: 40218CB15007069BFB709FA5C949FAA77FCEB40354F10442AE54692252E774EE04DB60

Function 000C8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 000C82AA

Strings

(, xrefs: 000C82F0
|, xrefs: 000C82DA

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 5ab000fbae00e9d901c2b267d27b6ff89ff1bb607d33ea309107e35ff72c5255
Instruction ID: 181afc78e4bfc6222a5eaa5bbc88df52e923f098819cd6b841901af488bcdfb3
Opcode Fuzzy Hash: 5ab000fbae00e9d901c2b267d27b6ff89ff1bb607d33ea309107e35ff72c5255
Instruction Fuzzy Hash: 31322474A006059FCB28CF59C481EAAB7F0FF48710B15C56EE59ADB7A1EB70E981CB44

Function 000D5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000D5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 000D5D17
FindClose.KERNEL32(?), ref: 000D5D5F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 72e9ddaf5d2810f5d49efaaca598634ed28655cb5f615372f15f05ac60866508
Instruction ID: 7cea5feb5a7634448883777b79065e5204ff43d0f28b4e293182a304c7337b1b
Opcode Fuzzy Hash: 72e9ddaf5d2810f5d49efaaca598634ed28655cb5f615372f15f05ac60866508
Instruction Fuzzy Hash: 3E516B346047019FD724DF28C895E9AB7E5FF49314F14855EE99A8B3A2CB30E944CFA1

Function 00092622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0009271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00092724
UnhandledExceptionFilter.KERNEL32(?), ref: 00092731

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: bf2d2557ed2fcd3d47bec9bb611c596ebc1e921d927748d15550fb6647b812b4
Instruction ID: 96f47c2d2d7a1ef56f16663b0b2e59438169357262879e3030b6c2ec088e15b8
Opcode Fuzzy Hash: bf2d2557ed2fcd3d47bec9bb611c596ebc1e921d927748d15550fb6647b812b4
Instruction Fuzzy Hash: A931C47490121CABCB61EF64DD89BDCB7B8BF08310F5041EAE41CA6261E7349F858F45

Function 000D51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000D51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 000D5238
SetErrorMode.KERNEL32(00000000), ref: 000D52A1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 08b77644ea7269eaf4e9eee847253d0f5d1fb496e6cc631f9ae884441ca4a780
Instruction ID: 2c0c5c19635e3fc66ad5ea605cf1c9638ed4a1d8df34dda8d2f47579cc310f2f
Opcode Fuzzy Hash: 08b77644ea7269eaf4e9eee847253d0f5d1fb496e6cc631f9ae884441ca4a780
Instruction Fuzzy Hash: F8314F75A00618DFEB00DF54D884EADBBF5FF49314F048099E8459B352DB35E859CBA0

Function 000C16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0007FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00080668
Part of subcall function 0007FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00080685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 000C170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 000C173A
GetLastError.KERNEL32 ref: 000C174A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: dda1f872ea9df3fea93972da155341ccf880ec4de860fdfa2711df32c472d475
Instruction ID: 392ff9293fd5f55981b827c900ac0403a6de9e00004dc8d5198faae8cc609d9d
Opcode Fuzzy Hash: dda1f872ea9df3fea93972da155341ccf880ec4de860fdfa2711df32c472d475
Instruction Fuzzy Hash: 8511C1B2904309FFE7289F54DC86EBEB7F9EB04714B20852EE05653642EB74BC41CA24

Function 000CD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000CD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 000CD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 000CD650

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 14b47b39a7964273eced40cb0e61d781e04b67ee5bfb12849fe81e1accbe89ce
Instruction ID: 4a58703c9d992e7930742f376963d6bb117c3ca7b6abdd80abcd8693ba2f3603
Opcode Fuzzy Hash: 14b47b39a7964273eced40cb0e61d781e04b67ee5bfb12849fe81e1accbe89ce
Instruction Fuzzy Hash: FD115E75E05228BFEB208F99DD45FAFBBBCEB45B50F108126F904E7290D6704A05DBA1

Function 000C1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 000C168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 000C16A1
FreeSid.ADVAPI32(?), ref: 000C16B1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a1f9368ddfc40c84b23dff9e263fdfa6b2bc6722a9ec45554b579d1818e5ae76
Instruction ID: 621977cabbe41a6ae6a743e64bfd8e06a3dcb5bac600b66656b4dc3259cc6eb1
Opcode Fuzzy Hash: a1f9368ddfc40c84b23dff9e263fdfa6b2bc6722a9ec45554b579d1818e5ae76
Instruction Fuzzy Hash: 76F0F47195030DFBEB00DFE49D8AEAEBBBCEB08604F504965E501E2181E774AA44AA54

Function 00084CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000928E9,?,00084CBE,000928E9,001288B8,0000000C,00084E15,000928E9,00000002,00000000,?,000928E9), ref: 00084D09
TerminateProcess.KERNEL32(00000000,?,00084CBE,000928E9,001288B8,0000000C,00084E15,000928E9,00000002,00000000,?,000928E9), ref: 00084D10
ExitProcess.KERNEL32 ref: 00084D22

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: bab83bffbee25bd3e92e4caa718f59c00e68a0fb4e11e81d9f1b43f3be8f2263
Instruction ID: 3084b8cd93d8c8bb1dd5a306335c81b34f98c80223f27841dc33ee027a87a58b
Opcode Fuzzy Hash: bab83bffbee25bd3e92e4caa718f59c00e68a0fb4e11e81d9f1b43f3be8f2263
Instruction Fuzzy Hash: D7E0B631000249ABEF12BF54DE0AEA87B69FB41781B118014FC458A523CB39EE52EB80

Function 0009C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0009C36C

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 10b188fd2f04c6b438188ef4c902a20357b077ba32f756f2d09e57835e4977df
Instruction ID: e6105664e3256ce732c17fe2fb74b02e49565e877424c77a728e49db53b151b3
Opcode Fuzzy Hash: 10b188fd2f04c6b438188ef4c902a20357b077ba32f756f2d09e57835e4977df
Instruction Fuzzy Hash: FC415972900219AFDF209FB9CC49EFB77B8EB84354F508269F905D7181E6709E81DB50

Function 000BD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000BD28C

Strings

X64, xrefs: 000BD2A8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 46f5805e800b5f5798ae0220ec6e94f143d3be294e85154961aabc655a7a8a3a
Instruction ID: 247d95a0f2b31d74838529e23838ef7141df8abfd1ce46155a456797dea9d65d
Opcode Fuzzy Hash: 46f5805e800b5f5798ae0220ec6e94f143d3be294e85154961aabc655a7a8a3a
Instruction Fuzzy Hash: 0BD0C9B480111DEADBA4CB90DC88DDDB37CBF14305F104156F106A2000DB3495499F10

Function 0008CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 29cde46933aa7bb624500aa062cd77bd7a2238d4d0ff4cc321f469628b447f35
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 12021D71E002199BEF14DFA9C880AADFBF1FF48314F25816AD959E7381D731AA41CB94

Function 000D68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 000D6918
FindClose.KERNEL32(00000000), ref: 000D6961

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 85b6f78e63b1ffe3f4c0449e1519d0705a9a5759bfe9c8f475da7004715cc3c8
Instruction ID: 6952b18bf5f4cb01bd72a5fca13304366ae46aee1c0751aded6122a2c354c561
Opcode Fuzzy Hash: 85b6f78e63b1ffe3f4c0449e1519d0705a9a5759bfe9c8f475da7004715cc3c8
Instruction Fuzzy Hash: 8811B1316042009FD710CF69C485E26FBE5EF85328F04C6AAE4698F7A2C731EC05CB90

Function 000D37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,000E4891,?,?,00000035,?), ref: 000D37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,000E4891,?,?,00000035,?), ref: 000D37F4

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f44fa82065c751b92ddc9b946d0bffc2de274b6bcf09be0cb9598997540ef5d4
Instruction ID: 17b26037f7921bfdc6e0cad277ddca3bbbc7563481d30f83fda1c8ac9b0d3f31
Opcode Fuzzy Hash: f44fa82065c751b92ddc9b946d0bffc2de274b6bcf09be0cb9598997540ef5d4
Instruction Fuzzy Hash: 4EF0E5B06053292AF76017A68C4EFEB3AAEEFC5771F000176F509E2281D9609904C6B1

Function 000CB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 000CB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 000CB270

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: c1347a2e14c29b37c8fdb018026a14645fc3cafc3dff7228eb83a5a08b717281
Instruction ID: 51d3a6c3e72e01c07ba612f3fa4497118846e17a20c599713f5d0b0cf21a4cd0
Opcode Fuzzy Hash: c1347a2e14c29b37c8fdb018026a14645fc3cafc3dff7228eb83a5a08b717281
Instruction Fuzzy Hash: B7F01D7180424DABEB159FA0C806BBE7BB4FF04305F048409F955A5191C7799615DF94

Function 000C10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,000C11FC), ref: 000C10D4
CloseHandle.KERNEL32(?,?,000C11FC), ref: 000C10E9

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c09fcc72cf856569bc8774d33832add3e50675b1056f953c39e9468a4bf7cc1c
Instruction ID: 593dc31bd57ffdf6db1a3b403dac96c224342a4d7a8cd519154333c38bd3f9c6
Opcode Fuzzy Hash: c09fcc72cf856569bc8774d33832add3e50675b1056f953c39e9468a4bf7cc1c
Instruction Fuzzy Hash: BFE04F32008601AEF7252B11FC06EB777E9EF04310B20C82DF4A5804B2DB666C90EB14

Function 0006CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 000B0C40

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: b929a50a92bcce546c3e668df3905536ecc29e3dfc2d67f9b2a16aa461ad6c27
Instruction ID: 3f882226f239e8ff16ed649c53ea3d0aa67c58cbbbcc5a12e8b0293427ee37fa
Opcode Fuzzy Hash: b929a50a92bcce546c3e668df3905536ecc29e3dfc2d67f9b2a16aa461ad6c27
Instruction Fuzzy Hash: 89327B70900218DBEF24DF94C895EFEB7F6BF05304F148069E846AB292DB75AE45CB61

Function 0009676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00096766,?,?,00000008,?,?,0009FEFE,00000000), ref: 00096998

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 1e90d12c447a882d350bbaf2b3ade43a984e3a90c647213ee80a08b0e2a4b081
Instruction ID: 9a9d07b6e440b7df855eb82a3a18f13cf62b2794ee6324c6e9e0cf184288ef68
Opcode Fuzzy Hash: 1e90d12c447a882d350bbaf2b3ade43a984e3a90c647213ee80a08b0e2a4b081
Instruction Fuzzy Hash: F8B14D31610608DFDB55CF28C48AB697BE0FF45364F258658E8DACF2A2C736E991DB40

Function 0007B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 000B851F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 0777d823b97bbe710da9b2eea452c9ec8615bc9d671fea94d33cb119a65719d7
Instruction ID: 53cd8489faed839cd07c0389ad37100a7365783b5315ed3c78aa7d67fe29939d
Opcode Fuzzy Hash: 0777d823b97bbe710da9b2eea452c9ec8615bc9d671fea94d33cb119a65719d7
Instruction Fuzzy Hash: EC124E75D002299BDB64CF58C880BEEB7F5FF48710F1481AAE849EB255DB349E81CB94

Function 000DEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 000DEABD

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: ae2bbd4a868d375b5e759bf15650146b9ab79637f45c5012a18f4325faab0d7f
Instruction ID: 560da8ee33b9763c731e3c641685ca5a716b34970dadd01c73b5c90a7818eecc
Opcode Fuzzy Hash: ae2bbd4a868d375b5e759bf15650146b9ab79637f45c5012a18f4325faab0d7f
Instruction Fuzzy Hash: 7BE01A352002059FD710EF59D805E9AB7E9AF98760F008426FC4ACB361DAB0A8408BA1

Function 000809D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000803EE), ref: 000809DA

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eb0f5914a9866e346aea32dff7f9475537b0796591344ebbf20d714d33f6c369
Instruction ID: 820885584be73e34c6f71c34ba06810163f0d6d2bec6a9327cbebc0697d875b0
Opcode Fuzzy Hash: eb0f5914a9866e346aea32dff7f9475537b0796591344ebbf20d714d33f6c369
Instruction Fuzzy Hash:

Function 0008781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0008798B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 305dfaf2723ad298949231ffe37864b3f3699bae7b704d338be082f9b52eb745
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 0951876168C605DBDBB8B528889D7FE27C9BB52340F380519D8CEC728BDE11DE01D356

Function 00096DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c582be2d4a999d8662b23a53c39b312b7d9d07f9d73e8b0bd819b65980b51ee9
Instruction ID: 9402268de7ca0780ddd0e3e6b4973dab0d3e8b67ffef5a1324ab3768ee5cc1bd
Opcode Fuzzy Hash: c582be2d4a999d8662b23a53c39b312b7d9d07f9d73e8b0bd819b65980b51ee9
Instruction Fuzzy Hash: D0321022D69F014DDB639634C826336A289AFB73C5F15C727E81AB5DAAEB68C4C35100

Function 0007CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca318286f86f82065b77761c74078de282c6765a67eafd54a5583afeb16d4c13
Instruction ID: 3859228072f3359a5516a06c8353becd8918ec99f967fd313663d43e056e6a44
Opcode Fuzzy Hash: ca318286f86f82065b77761c74078de282c6765a67eafd54a5583afeb16d4c13
Instruction Fuzzy Hash: B3321131A041498BFF79CE28C494EFD7BE1EB45304F28816AD89EDB291D638DD81DB15

Function 00067920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9236796557482abd4f06875c21f19b162f9b17798c80409b357ee429d7c2b6
Instruction ID: ec06d49e47680fea428538503241e32c484b08e6518d46523af9ef00024c9b30
Opcode Fuzzy Hash: 8a9236796557482abd4f06875c21f19b162f9b17798c80409b357ee429d7c2b6
Instruction Fuzzy Hash: 7C22A170A0460ADFDF14CFA4C841AEEB7F6FF45304F244529E816A7291EB369E55CB50

Function 000691C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e6b00ef9b85687069981e9ccc634a06ee2090193ec66b3952108b29af53cec
Instruction ID: 054a4f28060d2985f5074859b563fad4ceeec9de643c0e792b6f2eac6a98f4fe
Opcode Fuzzy Hash: 24e6b00ef9b85687069981e9ccc634a06ee2090193ec66b3952108b29af53cec
Instruction Fuzzy Hash: BB02E8B0E0010AEFDB14DF94D881AAEB7F5FF55300F108169E816DB291EB35AE61CB95

Function 00087A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00c14408736b1724a3ccb21657218e844f0f8e774a424725ff0071b2c7f8ba6
Instruction ID: 316e4bcc2e1583f3181bb749df70f70dc502ede74f9526dd490bde8cc968f894
Opcode Fuzzy Hash: d00c14408736b1724a3ccb21657218e844f0f8e774a424725ff0071b2c7f8ba6
Instruction Fuzzy Hash: A961692120870956DAB8B9288895BFE73D6FF91700F74491DE9CEDB28AD711DE42C316

Function 00087CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15726f61a10e7e3db59f0da2d38642a71ce9ec85542465b6499422a5b3df0322
Instruction ID: f7f9cd2b01816eaac0dcd986fe490867b3bdb18b6b0c744d7f561ee3d0e3312d
Opcode Fuzzy Hash: 15726f61a10e7e3db59f0da2d38642a71ce9ec85542465b6499422a5b3df0322
Instruction Fuzzy Hash: 92618C3120CB0992DEB879284851BFF23E8BF56700F704859E8CFDB28AEA12DD428355

Function 000B3CD5 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c57d04380a6f299b0d0c92591149f13f98c7553b7371ed7216d569b6a9f6110
Instruction ID: 38f5b7d8a2dd187647045011facc20ddeda3ca4b7e84aad01fa691d6c991153a
Opcode Fuzzy Hash: 5c57d04380a6f299b0d0c92591149f13f98c7553b7371ed7216d569b6a9f6110
Instruction Fuzzy Hash: 52719F79409690EFDB26CF24D4E1A91BFE1FF1732072948EEC4864B196D275A94ACF02

Function 000D2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187c48b708d69bf16c9edc36c9298f675d53c76baf12f458ccaf62de94ea82a6
Instruction ID: 445698f5ce4bb1775b7de4aa40201f9dbcf8530b220633455dc323dac4a5426b
Opcode Fuzzy Hash: 187c48b708d69bf16c9edc36c9298f675d53c76baf12f458ccaf62de94ea82a6
Instruction Fuzzy Hash: 0C21E7322206118BD728CF79C82367E77E5AB64320F14862EE4A7C37D1DE35A944CB90

Function 000E2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000E2B30
DeleteObject.GDI32(00000000), ref: 000E2B43
DestroyWindow.USER32 ref: 000E2B52
GetDesktopWindow.USER32 ref: 000E2B6D
GetWindowRect.USER32(00000000), ref: 000E2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 000E2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 000E2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2CF8
GetClientRect.USER32(00000000,?), ref: 000E2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 000E2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2DA8
GlobalFree.KERNEL32(00000000), ref: 000E2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,000FFC38,00000000), ref: 000E2DDB
GlobalFree.KERNEL32(00000000), ref: 000E2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 000E2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 000E2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 000E303F

Strings

static, xrefs: 000E2D3A, 000E2E91
DISPLAY, xrefs: 000E2EA2
, xrefs: 000E2FC5
AutoIt v3, xrefs: 000E2CF2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 101c91f8870e8657f3bc178f72c512a39f2ddf3c7ab2309dbd8756557cf83458
Instruction ID: d7628dbb8f86f7cec6f975fa7825f25f05d80437ceafb1fcc17d0d18b4a28b66
Opcode Fuzzy Hash: 101c91f8870e8657f3bc178f72c512a39f2ddf3c7ab2309dbd8756557cf83458
Instruction Fuzzy Hash: 1F028C71900209AFEB14DF64CD89EAE7BB9FF49310F108158F915AB2A1DB74AD41CB60

Function 000F70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 000F712F
GetSysColorBrush.USER32(0000000F), ref: 000F7160
GetSysColor.USER32(0000000F), ref: 000F716C
SetBkColor.GDI32(?,000000FF), ref: 000F7186
SelectObject.GDI32(?,?), ref: 000F7195
InflateRect.USER32(?,000000FF,000000FF), ref: 000F71C0
GetSysColor.USER32(00000010), ref: 000F71C8
CreateSolidBrush.GDI32(00000000), ref: 000F71CF
FrameRect.USER32(?,?,00000000), ref: 000F71DE
DeleteObject.GDI32(00000000), ref: 000F71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 000F7230
FillRect.USER32(?,?,?), ref: 000F7262
GetWindowLongW.USER32(?,000000F0), ref: 000F7284

Part of subcall function 000F73E8: GetSysColor.USER32(00000012), ref: 000F7421
Part of subcall function 000F73E8: SetTextColor.GDI32(?,?), ref: 000F7425
Part of subcall function 000F73E8: GetSysColorBrush.USER32(0000000F), ref: 000F743B
Part of subcall function 000F73E8: GetSysColor.USER32(0000000F), ref: 000F7446
Part of subcall function 000F73E8: GetSysColor.USER32(00000011), ref: 000F7463
Part of subcall function 000F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000F7471
Part of subcall function 000F73E8: SelectObject.GDI32(?,00000000), ref: 000F7482
Part of subcall function 000F73E8: SetBkColor.GDI32(?,00000000), ref: 000F748B
Part of subcall function 000F73E8: SelectObject.GDI32(?,?), ref: 000F7498
Part of subcall function 000F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 000F74B7
Part of subcall function 000F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000F74CE
Part of subcall function 000F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 000F74DB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 36434c86f23035921c20dd3298b062bf16973067456a2b18e9d4ebdc4adc760c
Instruction ID: 22519edc74d48086d000fa10338f6325f6e3965e6b4ecdafe221f67775d395eb
Opcode Fuzzy Hash: 36434c86f23035921c20dd3298b062bf16973067456a2b18e9d4ebdc4adc760c
Instruction Fuzzy Hash: 80A1C172008309BFE7509F64CD49EBB7BE9FB49320F100A18FA66964E1D734E944EB52

Function 000E2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 000E273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000E286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 000E28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 000E28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 000E2900
GetClientRect.USER32(00000000,?), ref: 000E290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 000E2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000E2964
GetStockObject.GDI32(00000011), ref: 000E2974
SelectObject.GDI32(00000000,00000000), ref: 000E2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 000E2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000E2991
DeleteDC.GDI32(00000000), ref: 000E299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 000E29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 000E29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 000E2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 000E2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 000E2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 000E2A77
GetStockObject.GDI32(00000011), ref: 000E2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 000E2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 000E2A97

Strings

static, xrefs: 000E294F, 000E2A71
DISPLAY, xrefs: 000E295A
AutoIt v3, xrefs: 000E28F8
msctls_progress32, xrefs: 000E2A13

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 65e61cb6849c2f75301c069a6164506a85bf62d3dd1e03fac5d855bb8323dc99
Instruction ID: 20209462d3ceabded246566417186b92deb497a154142e7341d62e0d424bedd1
Opcode Fuzzy Hash: 65e61cb6849c2f75301c069a6164506a85bf62d3dd1e03fac5d855bb8323dc99
Instruction Fuzzy Hash: CEB14CB1A00219BFEB14DFA9DD4AFAE7BA9FB08710F004115F915E7691DB74AD40CBA0

Function 000D4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000D4AED
GetDriveTypeW.KERNEL32(?,000FCB68,?,\\.\,000FCC08), ref: 000D4BCA
SetErrorMode.KERNEL32(00000000,000FCB68,?,\\.\,000FCC08), ref: 000D4D36

Strings

CDROM, xrefs: 000D4BFB
SSD, xrefs: 000D4C4A
Unknown, xrefs: 000D4BED, 000D4C83
RAID, xrefs: 000D4CBB
RAMDisk, xrefs: 000D4BF4
SSA, xrefs: 000D4CA6
Removable, xrefs: 000D4C10, 000D4C15
MMC, xrefs: 000D4CDE
1394, xrefs: 000D4C9F
Virtual, xrefs: 000D4CE5
FileBackedVirtual, xrefs: 000D4CEC
SCSI, xrefs: 000D4C8A
SAS, xrefs: 000D4CC9
Network, xrefs: 000D4C02
PhysicalDrive, xrefs: 000D4B76
ATA, xrefs: 000D4C98
iSCSI, xrefs: 000D4CC2
USB, xrefs: 000D4CB4
\\.\, xrefs: 000D4B3F
SATA, xrefs: 000D4CD0
Fibre, xrefs: 000D4CAD
Fixed, xrefs: 000D4C09
ATAPI, xrefs: 000D4C91

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: baa598966388443c64fff41edb959f730c35a92c32a2e3ba559d1818bfccabe4
Instruction ID: 2f0026448c6ac44b1640b44569a20bea6a04d4c3eab69ceae9db3d40612606ef
Opcode Fuzzy Hash: baa598966388443c64fff41edb959f730c35a92c32a2e3ba559d1818bfccabe4
Instruction Fuzzy Hash: 6A61EF30616309DBCB94DF64DA82DBC77B2AF04304B209017F806AB792DB36ED55DB61

Function 000F73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 000F7421
SetTextColor.GDI32(?,?), ref: 000F7425
GetSysColorBrush.USER32(0000000F), ref: 000F743B
GetSysColor.USER32(0000000F), ref: 000F7446
CreateSolidBrush.GDI32(?), ref: 000F744B
GetSysColor.USER32(00000011), ref: 000F7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 000F7471
SelectObject.GDI32(?,00000000), ref: 000F7482
SetBkColor.GDI32(?,00000000), ref: 000F748B
SelectObject.GDI32(?,?), ref: 000F7498
InflateRect.USER32(?,000000FF,000000FF), ref: 000F74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000F74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 000F74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000F752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000F7554
InflateRect.USER32(?,000000FD,000000FD), ref: 000F7572
DrawFocusRect.USER32(?,?), ref: 000F757D
GetSysColor.USER32(00000011), ref: 000F758E
SetTextColor.GDI32(?,00000000), ref: 000F7596
DrawTextW.USER32(?,000F70F5,000000FF,?,00000000), ref: 000F75A8
SelectObject.GDI32(?,?), ref: 000F75BF
DeleteObject.GDI32(?), ref: 000F75CA
SelectObject.GDI32(?,?), ref: 000F75D0
DeleteObject.GDI32(?), ref: 000F75D5
SetTextColor.GDI32(?,?), ref: 000F75DB
SetBkColor.GDI32(?,?), ref: 000F75E5

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ac51f6777488533f861a49c3d8fa7ae8e09b2d3dec364f8d5be6de8a4c6000cf
Instruction ID: cfc5bdc1b14fb54e51f7cea196144c962becd633dc748c4ae6e5d4f4a6487ec0
Opcode Fuzzy Hash: ac51f6777488533f861a49c3d8fa7ae8e09b2d3dec364f8d5be6de8a4c6000cf
Instruction Fuzzy Hash: D3618E7290421CAFEB009FA4DC49EEE7FB9FB09720F104111FA15AB6A1D774A940EB90

Function 000F0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000F1128
GetDesktopWindow.USER32 ref: 000F113D
GetWindowRect.USER32(00000000), ref: 000F1144
GetWindowLongW.USER32(?,000000F0), ref: 000F1199
DestroyWindow.USER32(?), ref: 000F11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000F11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000F120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000F121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 000F1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 000F1245
IsWindowVisible.USER32(00000000), ref: 000F12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 000F12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 000F12D0
GetWindowRect.USER32(00000000,?), ref: 000F12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 000F130E
GetMonitorInfoW.USER32(00000000,?), ref: 000F1328
CopyRect.USER32(?,?), ref: 000F133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 000F13AA

Strings

(, xrefs: 000F131B
tooltips_class32, xrefs: 000F11E6
0, xrefs: 000F10D3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 964ec4fe5bb170a9dbaed4eaa9f283f73e5da6277a425fc338c397b0f69fa52e
Instruction ID: 673479bdb99ad518948c8442292b5dd0b3e1e01b2137d91ce90b1dd119cc9dac
Opcode Fuzzy Hash: 964ec4fe5bb170a9dbaed4eaa9f283f73e5da6277a425fc338c397b0f69fa52e
Instruction Fuzzy Hash: 9CB1BE71608345EFE740DF64C985BAEBBE5FF84310F008918FA999B6A2C770E844DB91

Function 000F0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000F02E5
_wcslen.LIBCMT ref: 000F031F
_wcslen.LIBCMT ref: 000F0389
_wcslen.LIBCMT ref: 000F03F1
_wcslen.LIBCMT ref: 000F0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000F04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000F0504

Part of subcall function 0007F9F2: _wcslen.LIBCMT ref: 0007F9FD

Part of subcall function 000C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000C2258
Part of subcall function 000C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 000C228A

Strings

GETTEXT, xrefs: 000F03EC, 000F0407
FINDITEM, xrefs: 000F0627
SELECTALL, xrefs: 000F0515
GETSELECTED, xrefs: 000F05E1
SELECTINVERT, xrefs: 000F057E
GETSELECTEDCOUNT, xrefs: 000F0470, 000F048B
DESELECT, xrefs: 000F059C
VIEWCHANGE, xrefs: 000F0675
SELECTCLEAR, xrefs: 000F052D
GETITEMCOUNT, xrefs: 000F0316, 000F0337
SELECT, xrefs: 000F0548
GETSUBITEMCOUNT, xrefs: 000F0384, 000F039F
ISSELECTED, xrefs: 000F04DD

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 17711198222a6506370710324516bac1bc67d67ee2dbf6e59faec5dae4e6a59b
Instruction ID: 7e48068109e82e37c87bd5f816efe4f254147b0821cde1903a4d2f9412ac1551
Opcode Fuzzy Hash: 17711198222a6506370710324516bac1bc67d67ee2dbf6e59faec5dae4e6a59b
Instruction Fuzzy Hash: 76E1DF312086058FC724DF24C5509BFB3E6BF88714B14896CF99AABAA3DB30ED45DB41

Function 00078891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00078968
GetSystemMetrics.USER32(00000007), ref: 00078970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0007899B
GetSystemMetrics.USER32(00000008), ref: 000789A3
GetSystemMetrics.USER32(00000004), ref: 000789C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000789E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000789F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00078A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00078A3C
GetClientRect.USER32(00000000,000000FF), ref: 00078A5A
GetStockObject.GDI32(00000011), ref: 00078A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00078A81

Part of subcall function 0007912D: GetCursorPos.USER32(?), ref: 00079141
Part of subcall function 0007912D: ScreenToClient.USER32(00000000,?), ref: 0007915E
Part of subcall function 0007912D: GetAsyncKeyState.USER32(00000001), ref: 00079183
Part of subcall function 0007912D: GetAsyncKeyState.USER32(00000002), ref: 0007919D

SetTimer.USER32(00000000,00000000,00000028,000790FC), ref: 00078AA8

Strings

AutoIt v3 GUI, xrefs: 00078A20

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c3b7c40f47090e6293771597e461110ca8a0d7afd8c055225b8795e69222a40e
Instruction ID: d14e83c08e62703599884cf038dde5ef0c7b773403b37ec260adcdfb4a266524
Opcode Fuzzy Hash: c3b7c40f47090e6293771597e461110ca8a0d7afd8c055225b8795e69222a40e
Instruction Fuzzy Hash: E7B16E71A40209AFEB14DF68CD49BEE3BB5FB48314F108229FA15A7290DB38E841CF55

Function 000C0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000C1114
Part of subcall function 000C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1120
Part of subcall function 000C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C112F
Part of subcall function 000C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1136
Part of subcall function 000C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000C114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 000C0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 000C0E29
GetLengthSid.ADVAPI32(?), ref: 000C0E40
GetAce.ADVAPI32(?,00000000,?), ref: 000C0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000C0E96
GetLengthSid.ADVAPI32(?), ref: 000C0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 000C0EB5
HeapAlloc.KERNEL32(00000000), ref: 000C0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 000C0EDD
CopySid.ADVAPI32(00000000), ref: 000C0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 000C0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000C0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 000C0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0F6E
HeapFree.KERNEL32(00000000), ref: 000C0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0F7E
HeapFree.KERNEL32(00000000), ref: 000C0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C0F8E
HeapFree.KERNEL32(00000000), ref: 000C0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 000C0FA1
HeapFree.KERNEL32(00000000), ref: 000C0FA8

Part of subcall function 000C1193: GetProcessHeap.KERNEL32(00000008,000C0BB1,?,00000000,?,000C0BB1,?), ref: 000C11A1
Part of subcall function 000C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,000C0BB1,?), ref: 000C11A8
Part of subcall function 000C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,000C0BB1,?), ref: 000C11B7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8fe13c1fc9392e31292a5ab33a1e538cab0e8c2c31361faf739a33fcf3e06fec
Instruction ID: ec1df0fdc3102c65c7858c2ca3311fdc45f154e196fe6c1c7e39141020caea43
Opcode Fuzzy Hash: 8fe13c1fc9392e31292a5ab33a1e538cab0e8c2c31361faf739a33fcf3e06fec
Instruction Fuzzy Hash: D4716D7290020AEBEF20DFA4DD49FEEBBB8BF05300F044129F919E6591D7359A56DB60

Function 000EC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,000FCC08,00000000,?,00000000,?,?), ref: 000EC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 000EC5A4
_wcslen.LIBCMT ref: 000EC5F4
_wcslen.LIBCMT ref: 000EC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 000EC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 000EC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 000EC84D
RegCloseKey.ADVAPI32(?), ref: 000EC881
RegCloseKey.ADVAPI32(00000000), ref: 000EC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 000EC960

Strings

REG_SZ, xrefs: 000EC644
REG_EXPAND_SZ, xrefs: 000EC5CD
REG_MULTI_SZ, xrefs: 000EC6F5
REG_QWORD, xrefs: 000EC8C3
REG_BINARY, xrefs: 000EC913
REG_DWORD, xrefs: 000EC804

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 825c7eb33b00a7f0e93a0372da7d347ed88e1e5d6bd2f96cf2d787a7aac55c62
Instruction ID: 285c72c3aaedce2642d1fcb30028d61677138ba3f1c42547965f36b330e27088
Opcode Fuzzy Hash: 825c7eb33b00a7f0e93a0372da7d347ed88e1e5d6bd2f96cf2d787a7aac55c62
Instruction Fuzzy Hash: F91267352046419FE714DF15C981E6AB7E5EF88314F14889DF88AAB3A2DB31ED42CB81

Function 000F091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000F09C6
_wcslen.LIBCMT ref: 000F0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000F0A54
_wcslen.LIBCMT ref: 000F0A8A
_wcslen.LIBCMT ref: 000F0B06
_wcslen.LIBCMT ref: 000F0B81

Part of subcall function 0007F9F2: _wcslen.LIBCMT ref: 0007F9FD

Part of subcall function 000C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000C2BFA

Strings

ISCHECKED, xrefs: 000F0CE1
GETTEXT, xrefs: 000F0C97
COLLAPSE, xrefs: 000F0B01, 000F0B1C
GETSELECTED, xrefs: 000F0C4E
GETTOTALCOUNT, xrefs: 000F09F2, 000F0A17
CHECK, xrefs: 000F0A85, 000F0AA0
UNCHECK, xrefs: 000F0D3E
EXPAND, xrefs: 000F0BF8
GETITEMCOUNT, xrefs: 000F0C1E
SELECT, xrefs: 000F0D11
EXISTS, xrefs: 000F0B7C, 000F0B97

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: eb127003bb8d780797e6a11bc524d802bb4d5ba05b2d44351ce48fc4f2dcc8ba
Instruction ID: 1d854d7373cfd91c3df370097b322d549512f45db5f04adc4b280bd5240a5d0f
Opcode Fuzzy Hash: eb127003bb8d780797e6a11bc524d802bb4d5ba05b2d44351ce48fc4f2dcc8ba
Instruction Fuzzy Hash: F4E199312087058FC724DF24C45097AB7E2BF98318B54895DF99AABBA3D730ED45DB82

Function 000EC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
_wcslen.LIBCMT ref: 000EC9F1
_wcslen.LIBCMT ref: 000ECA68
_wcslen.LIBCMT ref: 000ECA9E
_wcslen.LIBCMT ref: 000ECAF9
_wcslen.LIBCMT ref: 000ECB2F
_wcslen.LIBCMT ref: 000ECB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 000ECA62, 000ECA67
HKEY_CLASSES_ROOT, xrefs: 000ECAF3, 000ECAF8
HKCR, xrefs: 000ECB29, 000ECB2E
HKCC, xrefs: 000ECBAC
HKEY_USERS, xrefs: 000ECBDF
HKEY_CURRENT_USER, xrefs: 000ECBBD
HKLM, xrefs: 000ECA98, 000ECA9D
HKEY_CURRENT_CONFIG, xrefs: 000ECB79, 000ECB7E
HKU, xrefs: 000ECBF0
HKCU, xrefs: 000ECBCE

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 1e10131bbbf0c2fb635fc9bb7be5dd9005ccac253cd6c47f0a84324815bf1700
Instruction ID: ab2594c214014c5a960aef2aab58e1d929e5b37887dfe94dccabb184c073e817
Opcode Fuzzy Hash: 1e10131bbbf0c2fb635fc9bb7be5dd9005ccac253cd6c47f0a84324815bf1700
Instruction Fuzzy Hash: 4571F7326001AA8FEB20DE7ED941DFF33D5AB60754F290125F866B7285E732CD468391

Function 000F833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000F835A
_wcslen.LIBCMT ref: 000F836E
_wcslen.LIBCMT ref: 000F8391
_wcslen.LIBCMT ref: 000F83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000F83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,000F5BF2), ref: 000F844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000F8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000F84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000F8501
FreeLibrary.KERNEL32(?), ref: 000F850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000F851D
DestroyIcon.USER32(?,?,?,?,?,000F5BF2), ref: 000F852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000F8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000F8555

Strings

.exe, xrefs: 000F8388
.dll, xrefs: 000F83AB
.icl, xrefs: 000F8368

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: a01b4469da88869610042da644b3ec5454a2833984d21ba581d353459ebcc025
Instruction ID: b00df35e8d22467cb814445270cfd1a51e2596d96e0071ea1c7e5df7285ed4ad
Opcode Fuzzy Hash: a01b4469da88869610042da644b3ec5454a2833984d21ba581d353459ebcc025
Instruction Fuzzy Hash: 9061F27150061ABBEB24DF64CC46FFE77A8BF04B10F108609FA15D65D1DB74AA90E7A0

Function 00067778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0006785F, 000678B1
', xrefs: 000A5169
#ce, xrefs: 000678ED
Bad directive syntax error, xrefs: 000A519A
Unterminated group of comments, xrefs: 000A528C
#requireadmin, xrefs: 000677FF
", xrefs: 000A5153
#include-once, xrefs: 0006782F
#include, xrefs: 00067847
#comments-end, xrefs: 000678D9
#cs, xrefs: 00067873, 000678C5
#pragma compile, xrefs: 000677D3
#OnAutoItStartRegister, xrefs: 00067817
Cannot parse #include, xrefs: 000A5279
#notrayicon, xrefs: 000677E7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 96b494dbb71f9924de66b023a721077fa54e0565585d24f9c95811006b25a5ec
Instruction ID: 8c86347b08d987c1864fbf628c28316896facb2badd8cdd9742344f0c26aecb6
Opcode Fuzzy Hash: 96b494dbb71f9924de66b023a721077fa54e0565585d24f9c95811006b25a5ec
Instruction Fuzzy Hash: 5881F571A44609BBDB20AF60DC42FFE37AABF15304F144025FA09AB197EB70DA11D7A5

Function 000C5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 000C5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 000C5A40
SetWindowTextW.USER32(?,?), ref: 000C5A57
GetDlgItem.USER32(?,000003EA), ref: 000C5A6C
SetWindowTextW.USER32(00000000,?), ref: 000C5A72
GetDlgItem.USER32(?,000003E9), ref: 000C5A82
SetWindowTextW.USER32(00000000,?), ref: 000C5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 000C5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 000C5AC3
GetWindowRect.USER32(?,?), ref: 000C5ACC
_wcslen.LIBCMT ref: 000C5B33
SetWindowTextW.USER32(?,?), ref: 000C5B6F
GetDesktopWindow.USER32 ref: 000C5B75
GetWindowRect.USER32(00000000), ref: 000C5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 000C5BD3
GetClientRect.USER32(?,?), ref: 000C5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 000C5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 000C5C2F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: c81d47ba99ff59526675f19a528d58a3d2d1c977124353c80dbbce883d321905
Instruction ID: 2d28bcb995bfb254691666952ad613e2e246c228332e15f6a94fa81f0016bf65
Opcode Fuzzy Hash: c81d47ba99ff59526675f19a528d58a3d2d1c977124353c80dbbce883d321905
Instruction Fuzzy Hash: F8714A35900B09AFEB20DFA9CE86FAEBBF5FB48705F10451CE142A25A0D775B984DB50

Function 000DFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 000DFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 000DFE32
LoadCursorW.USER32(00000000,00007F00), ref: 000DFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 000DFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 000DFE53
LoadCursorW.USER32(00000000,00007F01), ref: 000DFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 000DFE69
LoadCursorW.USER32(00000000,00007F88), ref: 000DFE74
LoadCursorW.USER32(00000000,00007F80), ref: 000DFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 000DFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 000DFE95
LoadCursorW.USER32(00000000,00007F85), ref: 000DFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 000DFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 000DFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 000DFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 000DFECC
GetCursorInfo.USER32(?), ref: 000DFEDC
GetLastError.KERNEL32 ref: 000DFF1E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ec2c86f87262b80eee3d53d61ac8c8d31e9ae85f86866b9e630b06e770a469b0
Instruction ID: 052911642649d9028b9141fa204e5ef63a46bba1ff67ea2ea72bbce23b0a9887
Opcode Fuzzy Hash: ec2c86f87262b80eee3d53d61ac8c8d31e9ae85f86866b9e630b06e770a469b0
Instruction Fuzzy Hash: 92412570D0431AAADB509FB68C85C6EBFE9FF04754B50853AE11DE7281DB789901CEA1

Function 000800C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000800C6

Part of subcall function 000800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0013070C,00000FA0,417DAC6A,?,?,?,?,000A23B3,000000FF), ref: 0008011C
Part of subcall function 000800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000A23B3,000000FF), ref: 00080127
Part of subcall function 000800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000A23B3,000000FF), ref: 00080138
Part of subcall function 000800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0008014E
Part of subcall function 000800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0008015C
Part of subcall function 000800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0008016A
Part of subcall function 000800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00080195
Part of subcall function 000800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000801A0

___scrt_fastfail.LIBCMT ref: 000800E7

Part of subcall function 000800A3: __onexit.LIBCMT ref: 000800A9

Strings

WakeAllConditionVariable, xrefs: 00080162
kernel32.dll, xrefs: 00080133
InitializeConditionVariable, xrefs: 00080148
SleepConditionVariableCS, xrefs: 00080154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00080122

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 666afee78a928513938ba1da29213c5200eb440b56eb5ba40ab8914e9685a135
Instruction ID: 5cf030e546f76d2305568f0837647127feca41eb3f941213fbd9878b18f4a536
Opcode Fuzzy Hash: 666afee78a928513938ba1da29213c5200eb440b56eb5ba40ab8914e9685a135
Instruction Fuzzy Hash: DE212932A4171A6BFB617B64AC0AF7D33D4FF46B60F000135FA8196A92DB789C04DB94

Function 000C30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000C318D
_wcslen.LIBCMT ref: 000C31F8

Strings

INSTANCE, xrefs: 000C3453
NAME, xrefs: 000C3335, 000C3346
CLASS, xrefs: 000C3188, 000C31A5
REGEXPCLASS, xrefs: 000C3255, 000C3266
TEXT, xrefs: 000C347C
CLASSNN, xrefs: 000C31F3, 000C3204

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 5737b464f98fc3fd0d4eb3d3adc8fe2843bff176fc94c09efff2b75c1a728099
Instruction ID: 13739b1d0fa8921cb07245cb7ba8c562b5a2dd69b78c1e2881a6fc7c56202b20
Opcode Fuzzy Hash: 5737b464f98fc3fd0d4eb3d3adc8fe2843bff176fc94c09efff2b75c1a728099
Instruction Fuzzy Hash: 4DE1C132A10526ABCB689FA8C481FEEBBB5BF54710F54C11DE456B7241DB30AF858790

Function 000D44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,000FCC08), ref: 000D4527
_wcslen.LIBCMT ref: 000D453B
_wcslen.LIBCMT ref: 000D4599
_wcslen.LIBCMT ref: 000D45F4
_wcslen.LIBCMT ref: 000D463F
_wcslen.LIBCMT ref: 000D46A7

Part of subcall function 0007F9F2: _wcslen.LIBCMT ref: 0007F9FD

GetDriveTypeW.KERNEL32(?,00126BF0,00000061), ref: 000D4743

Strings

cdrom, xrefs: 000D458F, 000D4594
network, xrefs: 000D469D, 000D46A2
ramdisk, xrefs: 000D46F1
all, xrefs: 000D4531, 000D4536
unknown, xrefs: 000D4708
removable, xrefs: 000D45EA, 000D45EF
fixed, xrefs: 000D4635, 000D463A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 61d89ddd80a0b656c778f3076108dd7d71e28d5b3d29a51376210efef7c5e920
Instruction ID: f2c3122a08852b6988992ecd27e8ca6642ce4ba4bdb75af3675368e695f91d0f
Opcode Fuzzy Hash: 61d89ddd80a0b656c778f3076108dd7d71e28d5b3d29a51376210efef7c5e920
Instruction Fuzzy Hash: D5B1C0316083029FC720DF28D890AAEB7E5AFA5764F50491EF49AD7396D730D944CBA2

Function 000EAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000EB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000EB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 000EB1D4
_wcslen.LIBCMT ref: 000EB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000EB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 000EB236
_wcslen.LIBCMT ref: 000EB332

Part of subcall function 000D05A7: GetStdHandle.KERNEL32(000000F6), ref: 000D05C6

_wcslen.LIBCMT ref: 000EB34B
_wcslen.LIBCMT ref: 000EB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000EB3B6
GetLastError.KERNEL32(00000000), ref: 000EB407
CloseHandle.KERNEL32(?), ref: 000EB439
CloseHandle.KERNEL32(00000000), ref: 000EB44A
CloseHandle.KERNEL32(00000000), ref: 000EB45C
CloseHandle.KERNEL32(00000000), ref: 000EB46E
CloseHandle.KERNEL32(?), ref: 000EB4E3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: d11ef884e0cdf42057f1448c6802dae1d35f6bd3cc0e1553a302df4a034e5e07
Instruction ID: fe510c94873d0e5b08e4f2f2d87c6e61935faebec5258eefd362340f90112c43
Opcode Fuzzy Hash: d11ef884e0cdf42057f1448c6802dae1d35f6bd3cc0e1553a302df4a034e5e07
Instruction Fuzzy Hash: F0F1BE716083409FD724EF25C891BAFBBE1AF85314F14855DF899AB2A2DB31EC44CB52

Function 0006326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00131990), ref: 000A2F8D
GetMenuItemCount.USER32(00131990), ref: 000A303D
GetCursorPos.USER32(?), ref: 000A3081
SetForegroundWindow.USER32(00000000), ref: 000A308A
TrackPopupMenuEx.USER32(00131990,00000000,?,00000000,00000000,00000000), ref: 000A309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000A30A9

Strings

0, xrefs: 0006327D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 7df604a78376cedb70bbfc999d93982101a978bd2da9d243aad6b5fd79a701e3
Instruction ID: 586a74c1467212343fa90cf33eb9b0f48c4f9407a0c6043360d6449606852bb7
Opcode Fuzzy Hash: 7df604a78376cedb70bbfc999d93982101a978bd2da9d243aad6b5fd79a701e3
Instruction Fuzzy Hash: F1712930644206BEFB319F68CC5AFAEBFA5FF01324F204226F5156A1E1C7B1A954DB90

Function 000F6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 000F6DEB

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000F6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000F6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000F6E94
DestroyWindow.USER32(?), ref: 000F6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00060000,00000000), ref: 000F6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000F6EFD
GetDesktopWindow.USER32 ref: 000F6F16
GetWindowRect.USER32(00000000), ref: 000F6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000F6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000F6F4D

Part of subcall function 00079944: GetWindowLongW.USER32(?,000000EB), ref: 00079952

Strings

0, xrefs: 000F6D98
tooltips_class32, xrefs: 000F6E58, 000F6EDD

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 4ba337036b97152313cbeb7c173d84eedb6060b5241df5869b8a876ebfce1dd0
Instruction ID: f4d391576c918c40954889be62b9ff2b2d749c79e6556aad4081c3aa9983d0f5
Opcode Fuzzy Hash: 4ba337036b97152313cbeb7c173d84eedb6060b5241df5869b8a876ebfce1dd0
Instruction Fuzzy Hash: 94717C71104248AFEB21CF18DC44FBABBE9FB89304F08042DFA8987661C775AD49EB11

Function 000F911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

DragQueryPoint.SHELL32(?,?), ref: 000F9147

Part of subcall function 000F7674: ClientToScreen.USER32(?,?), ref: 000F769A
Part of subcall function 000F7674: GetWindowRect.USER32(?,?), ref: 000F7710
Part of subcall function 000F7674: PtInRect.USER32(?,?,000F8B89), ref: 000F7720

SendMessageW.USER32(?,000000B0,?,?), ref: 000F91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000F91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000F91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 000F9225
SendMessageW.USER32(?,000000B0,?,?), ref: 000F923E
SendMessageW.USER32(?,000000B1,?,?), ref: 000F9255
SendMessageW.USER32(?,000000B1,?,?), ref: 000F9277
DragFinish.SHELL32(?), ref: 000F927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000F9371

Strings

@GUI_DROPID, xrefs: 000F929E
@GUI_DRAGFILE, xrefs: 000F9320
@GUI_DRAGID, xrefs: 000F92E9

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 4cdf60fe743c86bd26700a88f5ed895536a82e71be68c4bba656bff419468942
Instruction ID: 627552209be8d4c8592517e0e8ccd90908cfbdf7fd7c88bedfd67dfcc263a2c1
Opcode Fuzzy Hash: 4cdf60fe743c86bd26700a88f5ed895536a82e71be68c4bba656bff419468942
Instruction Fuzzy Hash: 0C618971108304AFD701EF60DD85EAFBBE9EF88750F00092EF595925A1DB709A49DB52

Function 000DC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000DC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000DC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000DC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 000DC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 000DC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 000DC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000DC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000DC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 000DC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 000DC5F0
InternetCloseHandle.WININET(00000000), ref: 000DC5FB

Strings

, xrefs: 000DC575

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 618f39c9e2f0ba45b3dcd1dc4a17dddf7c2289020e35db0739875ccc857eab65
Instruction ID: 1adfc3c0c3fa835b4401dc18e593c113278179b9b18c3e0d1d2415a520f12a1c
Opcode Fuzzy Hash: 618f39c9e2f0ba45b3dcd1dc4a17dddf7c2289020e35db0739875ccc857eab65
Instruction Fuzzy Hash: F65138B150070AAFFB219F609989EBA7BFCEB08744F00441AB94696610DB34E944EB70

Function 000F856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 000F8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 000F85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,000FFC38,?), ref: 000F8611
GlobalFree.KERNEL32(00000000), ref: 000F8621
GetObjectW.GDI32(?,00000018,?), ref: 000F8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 000F8671
DeleteObject.GDI32(?), ref: 000F8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 000F86AF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: f698e9ae40ff09ec0afbaf0737729b9730d0eea3c99aa1698479af11b47c9e5a
Instruction ID: aa0f6b5011b8f1a8808dd4976714367a9d8c86ab45d42577eaad7820b0ec21ac
Opcode Fuzzy Hash: f698e9ae40ff09ec0afbaf0737729b9730d0eea3c99aa1698479af11b47c9e5a
Instruction Fuzzy Hash: C5410975600208AFEB11DFA5CD49EBA7BB8FF89B51F108058F905EB660DB349901EB60

Function 000D14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 000D1502
VariantCopy.OLEAUT32(?,?), ref: 000D150B
VariantClear.OLEAUT32(?), ref: 000D1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 000D15FB
VarR8FromDec.OLEAUT32(?,?), ref: 000D1657
VariantInit.OLEAUT32(?), ref: 000D1708
SysFreeString.OLEAUT32(?), ref: 000D178C
VariantClear.OLEAUT32(?), ref: 000D17D8
VariantClear.OLEAUT32(?), ref: 000D17E7
VariantInit.OLEAUT32(00000000), ref: 000D1823

Strings

Default, xrefs: 000D16AF
%4d%02d%02d%02d%02d%02d, xrefs: 000D1625

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: e8f9bda64c81e5804dc6d6f71f2fd434003c8f92c5096d34810b990827673b47
Instruction ID: 60329311489bdfc1d384d07ba6dec3227ae5940a4a7fd35d71add03bfd17ac1f
Opcode Fuzzy Hash: e8f9bda64c81e5804dc6d6f71f2fd434003c8f92c5096d34810b990827673b47
Instruction Fuzzy Hash: 3AD1CC71A00A05EBEB209F65E885BFDB7B6BF45700F108056E416AB695DF38EC40DBA1

Function 000EB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000EC9F1
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA68
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000EB772
RegDeleteValueW.ADVAPI32(?,?), ref: 000EB80A
RegCloseKey.ADVAPI32(?), ref: 000EB87E
RegCloseKey.ADVAPI32(?), ref: 000EB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 000EB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000EB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 000EB922
FreeLibrary.KERNEL32(00000000), ref: 000EB983
RegCloseKey.ADVAPI32(00000000), ref: 000EB994

Strings

advapi32.dll, xrefs: 000EB8ED
RegDeleteKeyExW, xrefs: 000EB8FE

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: fee6280d4bbda68d65ae2d1fa985d5fedd7fd843fc23bb64564fafabc23f746e
Instruction ID: 4c26cccb72d9a364ba08cd74033091a40efb836fb55eb82e1e54b4655ca90701
Opcode Fuzzy Hash: fee6280d4bbda68d65ae2d1fa985d5fedd7fd843fc23bb64564fafabc23f746e
Instruction Fuzzy Hash: 96C1AC30208241AFE720DF15C495F6ABBE5BF84308F14849CE49A9B7A3CB75EC46CB91

Function 000E255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000E25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 000E25E8
CreateCompatibleDC.GDI32(?), ref: 000E25F4
SelectObject.GDI32(00000000,?), ref: 000E2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 000E266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 000E26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 000E26D0
SelectObject.GDI32(?,?), ref: 000E26D8
DeleteObject.GDI32(?), ref: 000E26E1
DeleteDC.GDI32(?), ref: 000E26E8
ReleaseDC.USER32(00000000,?), ref: 000E26F3

Strings

(, xrefs: 000E268D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 22f61c1cced434682bd234e23d7756a586d96bad44e04b103065fa14a8202976
Instruction ID: c1db3acf8eeeb616bbb184c28fd64c2ed86dbea4ef802e0718f5315eab22bde2
Opcode Fuzzy Hash: 22f61c1cced434682bd234e23d7756a586d96bad44e04b103065fa14a8202976
Instruction Fuzzy Hash: 4E611175D00209EFDF04CFA8C985EAEBBB9FF48300F208529E955A7250D734A951DFA0

Function 0009DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0009DAA1

Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D659
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D66B
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D67D
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D68F
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6A1
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6B3
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6C5
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6D7
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6E9
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D6FB
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D70D
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D71F
Part of subcall function 0009D63C: _free.LIBCMT ref: 0009D731

_free.LIBCMT ref: 0009DA96

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 0009DAB8
_free.LIBCMT ref: 0009DACD
_free.LIBCMT ref: 0009DAD8
_free.LIBCMT ref: 0009DAFA
_free.LIBCMT ref: 0009DB0D
_free.LIBCMT ref: 0009DB1B
_free.LIBCMT ref: 0009DB26
_free.LIBCMT ref: 0009DB5E
_free.LIBCMT ref: 0009DB65
_free.LIBCMT ref: 0009DB82
_free.LIBCMT ref: 0009DB9A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2d9f63288a56c09878782a5a310584c8bb788f4aaccf8a9d76ed390055043066
Instruction ID: d7d0c5c6b1a32dff7a208a500923ea75f75dbff2d4b5eb0591e0c95c4c0986ab
Opcode Fuzzy Hash: 2d9f63288a56c09878782a5a310584c8bb788f4aaccf8a9d76ed390055043066
Instruction Fuzzy Hash: 1E318D31684305EFEF61AA39E845B9AB7E9FF10320F51441AE488D7192DF31EC50E760

Function 000C365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 000C369C
_wcslen.LIBCMT ref: 000C36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 000C3797
GetClassNameW.USER32(?,?,00000400), ref: 000C380C
GetDlgCtrlID.USER32(?), ref: 000C385D
GetWindowRect.USER32(?,?), ref: 000C3882
GetParent.USER32(?), ref: 000C38A0
ScreenToClient.USER32(00000000), ref: 000C38A7
GetClassNameW.USER32(?,?,00000100), ref: 000C3921
GetWindowTextW.USER32(?,?,00000400), ref: 000C395D

Strings

%s%u, xrefs: 000C3734

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 6273feb5cd925072d5aff5e60ed01520298e874d10cb1705f5e49e8c5e09ce72
Instruction ID: 32ddb1a9c937f25c311f5e1e7af4038873214222d3b83d4af3279b462d76d6b2
Opcode Fuzzy Hash: 6273feb5cd925072d5aff5e60ed01520298e874d10cb1705f5e49e8c5e09ce72
Instruction Fuzzy Hash: 6291AC71214606AFDB18DF24C885FEEB7E8FF44350F00862DF999D2191DB34AA49CB91

Function 000C4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 000C4994
GetWindowTextW.USER32(?,?,00000400), ref: 000C49DA
_wcslen.LIBCMT ref: 000C49EB
CharUpperBuffW.USER32(?,00000000), ref: 000C49F7
_wcsstr.LIBVCRUNTIME ref: 000C4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 000C4A64
GetWindowTextW.USER32(?,?,00000400), ref: 000C4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 000C4AE6
GetClassNameW.USER32(?,?,00000400), ref: 000C4B20
GetWindowRect.USER32(?,?), ref: 000C4B8B

Strings

ThumbnailClass, xrefs: 000C4A6F, 000C4AF1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 15f865f23e250ba49c35ebe1a7a62e5e79a9abdd77b03dc2b0da926635fb724d
Instruction ID: f8f97fbdf640933fe6fc64aaf5a468dc59df8afec25700833933fb3749579753
Opcode Fuzzy Hash: 15f865f23e250ba49c35ebe1a7a62e5e79a9abdd77b03dc2b0da926635fb724d
Instruction Fuzzy Hash: 8E9189710082099BEB04DF14C995FAE77E8FF84314F04846DFD859A1A6DB34ED45CBA2

Function 000F8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000F8D5A
GetFocus.USER32 ref: 000F8D6A
GetDlgCtrlID.USER32(00000000), ref: 000F8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 000F8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000F8ECF
GetMenuItemCount.USER32(?), ref: 000F8EEC
GetMenuItemID.USER32(?,00000000), ref: 000F8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000F8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000F8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000F8FA1

Strings

0, xrefs: 000F8E9F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 3b12c9d1b1b0e54b75f20a0f757f8b2a13448ef3d4eb2a76a12526810bbdd8c7
Instruction ID: 1b91bd8aa92e753608a4ca9d844d213c8a9cf8d1036e7d3bff338b7b6520eefb
Opcode Fuzzy Hash: 3b12c9d1b1b0e54b75f20a0f757f8b2a13448ef3d4eb2a76a12526810bbdd8c7
Instruction Fuzzy Hash: 8781BF71508309AFE710CF14C885AFB7BE9FF88714F048969FA8597A92DB30D944EB61

Function 000CDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 000CDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 000CDC46
_wcslen.LIBCMT ref: 000CDC50
_wcsstr.LIBVCRUNTIME ref: 000CDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 000CDCBC

Strings

DefaultLangCodepage, xrefs: 000CDD1F
%u.%u.%u.%u, xrefs: 000CDD9A
StringFileInfo\, xrefs: 000CDC8F
04090000, xrefs: 000CDCF2
\VarFileInfo\Translation, xrefs: 000CDCB4

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 0bb1055556d93335e3e58e1c85dbd58487dad77f2c0cf1fda13ae73ef2fc71cd
Instruction ID: d9c283249cf0dbb8d71689849a15fb7631800bc7894fd59ba18ae465e638d65c
Opcode Fuzzy Hash: 0bb1055556d93335e3e58e1c85dbd58487dad77f2c0cf1fda13ae73ef2fc71cd
Instruction Fuzzy Hash: 0B412F329402097AEB10B7649C47FFF37ACEF52710F10406AFA05A6193EB789900ABA5

Function 000ECC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000ECC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 000ECC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000ECD48

Part of subcall function 000ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 000ECCAA
Part of subcall function 000ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 000ECCBD
Part of subcall function 000ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000ECCCF
Part of subcall function 000ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 000ECD05
Part of subcall function 000ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 000ECD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 000ECCF3

Strings

advapi32.dll, xrefs: 000ECCB8
RegDeleteKeyExW, xrefs: 000ECCC9

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 3882e3098319d5f2d12e415f55823434b2468e7521a841772c0d4023344fa277
Instruction ID: d72f8a90ab629d0ee761858e796009bface85f40a4144e55e4a37614d0486e62
Opcode Fuzzy Hash: 3882e3098319d5f2d12e415f55823434b2468e7521a841772c0d4023344fa277
Instruction Fuzzy Hash: 56316E7190112DBFFB208B55DC89EFFBBBCEF56750F000165E905E2240DB359A46EAA0

Function 000D3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000D3D40
_wcslen.LIBCMT ref: 000D3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 000D3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 000D3DBE
RemoveDirectoryW.KERNEL32(?), ref: 000D3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 000D3E55
CloseHandle.KERNEL32(00000000), ref: 000D3E60
CloseHandle.KERNEL32(00000000), ref: 000D3E6B

Strings

\, xrefs: 000D3D77
:, xrefs: 000D3D82
\??\%s, xrefs: 000D3D5B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: fc83bd37a5d6367295aa968982adf02719dee8431114fde50ba197312c1f231c
Instruction ID: d961ceb6f1f2246b25a5c3ed87146e0c76672d1aa24b8c2eabeb5f5c660e907e
Opcode Fuzzy Hash: fc83bd37a5d6367295aa968982adf02719dee8431114fde50ba197312c1f231c
Instruction Fuzzy Hash: 3B319071900209AAEB209BA0EC49FEF37BDEF89740F1041B6F509D61A1E7749744DB35

Function 000CE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 000CE6B4

Part of subcall function 0007E551: timeGetTime.WINMM(?,?,000CE6D4), ref: 0007E555

Sleep.KERNEL32(0000000A), ref: 000CE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 000CE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 000CE727
SetActiveWindow.USER32 ref: 000CE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000CE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 000CE773
Sleep.KERNEL32(000000FA), ref: 000CE77E
IsWindow.USER32 ref: 000CE78A
EndDialog.USER32(00000000), ref: 000CE79B

Strings

BUTTON, xrefs: 000CE719

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 18315aafac8813e4df2ff8cbb35c3d1c9646c56b804a85d372e91d38b4471e33
Instruction ID: 733b16c5bc21965c62021ac0f2ee5715c86d6982bf6858469c523e61a9736367
Opcode Fuzzy Hash: 18315aafac8813e4df2ff8cbb35c3d1c9646c56b804a85d372e91d38b4471e33
Instruction Fuzzy Hash: C42193B1204688AFFB106F61ED8BF3D3BA9FB55748F205428F905C19B1DB75AC50EA24

Function 000CE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000CEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000CEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000CEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 000CEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 000CEAA7

Strings

open , xrefs: 000CEA0C
status PlayMe mode, xrefs: 000CEA58
play PlayMe wait, xrefs: 000CEA91
alias PlayMe, xrefs: 000CEA36
play PlayMe, xrefs: 000CEAA2
close PlayMe, xrefs: 000CEA6E, 000CEA9B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b9d68b2756fbaab2a56aadb3259eda695fa2758bf3d0f766257291599c1886d7
Instruction ID: 7c8b8aa7fb3f90a4834e22ddd7ea3f64c0295763229398b0667d0a5f62c803c3
Opcode Fuzzy Hash: b9d68b2756fbaab2a56aadb3259eda695fa2758bf3d0f766257291599c1886d7
Instruction Fuzzy Hash: B2115631A902697DDB20A7A1ED4AEFF6ABCEFD2B04F4004297411A20D1EF705E55C9B1

Function 000C5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 000C5CE2
GetWindowRect.USER32(00000000,?), ref: 000C5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 000C5D59
GetDlgItem.USER32(?,00000002), ref: 000C5D69
GetWindowRect.USER32(00000000,?), ref: 000C5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 000C5DCF
GetDlgItem.USER32(?,000003E9), ref: 000C5DDD
GetWindowRect.USER32(00000000,?), ref: 000C5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 000C5E31
GetDlgItem.USER32(?,000003EA), ref: 000C5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 000C5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 000C5E67

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7b0618807ee4b930a0e3a4954fde7c4aeeb9f0f0caca823a53c20b6de58f06b0
Instruction ID: 39c358436396f98840f90bcb39e76d0b15c089951f899cb717e99a26ed229dd4
Opcode Fuzzy Hash: 7b0618807ee4b930a0e3a4954fde7c4aeeb9f0f0caca823a53c20b6de58f06b0
Instruction Fuzzy Hash: 47511F74A00609AFEF18CF68DD8AEAE7BB5EB48301F108129F516E7690D774AE40CB50

Function 00078BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00078F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00078BE8,?,00000000,?,?,?,?,00078BBA,00000000,?), ref: 00078FC5

DestroyWindow.USER32(?), ref: 00078C81
KillTimer.USER32(00000000,?,?,?,?,00078BBA,00000000,?), ref: 00078D1B
DestroyAcceleratorTable.USER32(00000000), ref: 000B6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00078BBA,00000000,?), ref: 000B69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00078BBA,00000000,?), ref: 000B69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00078BBA,00000000), ref: 000B69D4
DeleteObject.GDI32(00000000), ref: 000B69E6

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 28429eec086bfa4135487b7968a80e5d5f4992b6a7fa9a0ff8442b79301c88ca
Instruction ID: 143f5e96b093a366e5a00d450dcc162938261167eadd394dcbd0eb1d77abe640
Opcode Fuzzy Hash: 28429eec086bfa4135487b7968a80e5d5f4992b6a7fa9a0ff8442b79301c88ca
Instruction Fuzzy Hash: 7D618C30901604EFEB369F14CA4DB69B7F1FB40316F14C52CE04696960CB3AAC90DF99

Function 00079838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00079944: GetWindowLongW.USER32(?,000000EB), ref: 00079952

GetSysColor.USER32(0000000F), ref: 00079862

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 66d2515bac2e371a6a372811da64def18010c74089f1134e49c0bda37970b474
Instruction ID: 671ec7624e915adc744c59630204c3d02d11f8e87e90366b027a600d80f22073
Opcode Fuzzy Hash: 66d2515bac2e371a6a372811da64def18010c74089f1134e49c0bda37970b474
Instruction Fuzzy Hash: E441F631504644AFEB709F389C85BB937A5FB47330F148655F9AA872E1CB399C41DB21

Function 000C96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,000AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 000C9717
LoadStringW.USER32(00000000,?,000AF7F8,00000001), ref: 000C9720

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,000AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 000C9742
LoadStringW.USER32(00000000,?,000AF7F8,00000001), ref: 000C9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 000C9866

Strings

^ ERROR, xrefs: 000C97FB
Error: , xrefs: 000C981D
Line %d (File "%s"):, xrefs: 000C978F
Line %d:, xrefs: 000C97A0
%s (%d) : ==> %s: %s %s, xrefs: 000C984A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6247d1d697fb8b8bc912d38871cb4386145d268d0fb28fc6cf5daa18b23049b1
Instruction ID: f0ac505f02d032746b3a6c1e739b2d9da27c6c6d6c93579a14e0847a431caf40
Opcode Fuzzy Hash: 6247d1d697fb8b8bc912d38871cb4386145d268d0fb28fc6cf5daa18b23049b1
Instruction Fuzzy Hash: 5C412C72900219AADB04FBE0DE86EEE7779AF55340F500065F60572193EF356F48DBA1

Function 000C06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 000C07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 000C07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 000C07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 000C0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 000C082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000C0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 000C083C

Strings

SOFTWARE\Classes\, xrefs: 000C070E
\CLSID, xrefs: 000C0724
\IPC$, xrefs: 000C0784

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 6a6fa81569f80bf2f5969dd91ca88d547cb0f5ac1c847775defa9603d8f545fe
Instruction ID: 73c71e3e9ca68248b9a53350dcb8598b9d7e2b9cdc380b4bd89c57db31f611a3
Opcode Fuzzy Hash: 6a6fa81569f80bf2f5969dd91ca88d547cb0f5ac1c847775defa9603d8f545fe
Instruction Fuzzy Hash: 84410572D10229EBDF15EBA4DC95DEDB7B9BF04750B144129E901B3161EB30AE44CBA0

Function 000E3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E3C5C
CoInitialize.OLE32(00000000), ref: 000E3C8A
CoUninitialize.OLE32 ref: 000E3C94
_wcslen.LIBCMT ref: 000E3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 000E3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 000E3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 000E3F0E
CoGetObject.OLE32(?,00000000,000FFB98,?), ref: 000E3F2D
SetErrorMode.KERNEL32(00000000), ref: 000E3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 000E3FC4
VariantClear.OLEAUT32(?), ref: 000E3FD8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 5672c61ff86f33d746930f266fefde7e5367904eb5c5345c5a3b01e14993cf6c
Instruction ID: 07c174fa1d719bb0fb9902718885c917794c3b6d3661ab77721ca1591226420b
Opcode Fuzzy Hash: 5672c61ff86f33d746930f266fefde7e5367904eb5c5345c5a3b01e14993cf6c
Instruction Fuzzy Hash: 69C176716083459FD700DF29C88896BBBE9FF89744F10492DF98AAB251DB31EE05CB52

Function 000D7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000D7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 000D7B8F
SHGetDesktopFolder.SHELL32(?), ref: 000D7BA3
CoCreateInstance.OLE32(000FFD08,00000000,00000001,00126E6C,?), ref: 000D7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 000D7C74
CoTaskMemFree.OLE32(?,?), ref: 000D7CCC
SHBrowseForFolderW.SHELL32(?), ref: 000D7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 000D7D7A
CoTaskMemFree.OLE32(00000000), ref: 000D7D81
CoTaskMemFree.OLE32(00000000), ref: 000D7DD6
CoUninitialize.OLE32 ref: 000D7DDC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 32c618507c16f18738fff6a522139f24f865f342c7f45a0bf01dec54dab1b73f
Instruction ID: 67da072f517c7347a5a22a7401b7da7cd181228d0a9a09468a86d7c6dca4fb2c
Opcode Fuzzy Hash: 32c618507c16f18738fff6a522139f24f865f342c7f45a0bf01dec54dab1b73f
Instruction Fuzzy Hash: 34C12D75A04209AFDB14DF64C884DAEBBF9FF48314B148499E41ADB762DB30ED45CBA0

Function 000F541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000F5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F5515
CharNextW.USER32(00000158), ref: 000F5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000F5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000F559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F55AC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 34bcb4a352540d674ed30dff3dd01b7be3c55ea408a4e3f61d3bae0bd8bb1c2d
Instruction ID: 9ab7ee73c36cdde67d16e8040b42caa58bed30b707f6c7ea6733b3375b7a76af
Opcode Fuzzy Hash: 34bcb4a352540d674ed30dff3dd01b7be3c55ea408a4e3f61d3bae0bd8bb1c2d
Instruction Fuzzy Hash: F7618F30904A0CABEF20DF54CC85DFE7BB9EB05726F108145FB25A6A91D7749A81EB60

Function 000BFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000BFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 000BFB08
VariantInit.OLEAUT32(?), ref: 000BFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000BFB3A
VariantCopy.OLEAUT32(?,?), ref: 000BFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000BFBA1
VariantClear.OLEAUT32(?), ref: 000BFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 000BFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000BFBCC
VariantClear.OLEAUT32(?), ref: 000BFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000BFBE9

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: b343301f4ab0491ae70aed872085c2e349ba40fb2c3d88c12346b7d9972dbd37
Instruction ID: d8e38264d2beb17aad53dd7f773d4f17b9627e1837448b383460944d09a930c8
Opcode Fuzzy Hash: b343301f4ab0491ae70aed872085c2e349ba40fb2c3d88c12346b7d9972dbd37
Instruction Fuzzy Hash: 4C416E35A0021A9FEB04DF64CC55DFEBBB9EF48344F008469E945A7261CB74A945CBA0

Function 000C9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 000C9CA1
GetAsyncKeyState.USER32(000000A0), ref: 000C9D22
GetKeyState.USER32(000000A0), ref: 000C9D3D
GetAsyncKeyState.USER32(000000A1), ref: 000C9D57
GetKeyState.USER32(000000A1), ref: 000C9D6C
GetAsyncKeyState.USER32(00000011), ref: 000C9D84
GetKeyState.USER32(00000011), ref: 000C9D96
GetAsyncKeyState.USER32(00000012), ref: 000C9DAE
GetKeyState.USER32(00000012), ref: 000C9DC0
GetAsyncKeyState.USER32(0000005B), ref: 000C9DD8
GetKeyState.USER32(0000005B), ref: 000C9DEA

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4552de8713b46880cd65f46af759cc469b40f1439983da9d060db10a42350351
Instruction ID: 37b2f7724dcb869f7f8286ecbb70fe251f2a4bea7986f0e53b9a0055929ddd58
Opcode Fuzzy Hash: 4552de8713b46880cd65f46af759cc469b40f1439983da9d060db10a42350351
Instruction Fuzzy Hash: BF41D674504BC969FFB08760984CBBDBEE06F21344F04805EDAC7665C2DBE49AC8D7A2

Function 000E055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000E05BC
inet_addr.WSOCK32(?), ref: 000E061C
gethostbyname.WSOCK32(?), ref: 000E0628
IcmpCreateFile.IPHLPAPI ref: 000E0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 000E06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 000E06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 000E07B9
WSACleanup.WSOCK32 ref: 000E07BF

Strings

Ping, xrefs: 000E0676

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 34f7c96628d74149d9d9d89a8e364d8b6933d4685988396f55d779460d5bc998
Instruction ID: 3f98e7ea25e59592b6a4fbc160ec26ea65da01ce914571be4ff8f968a9317f5c
Opcode Fuzzy Hash: 34f7c96628d74149d9d9d89a8e364d8b6933d4685988396f55d779460d5bc998
Instruction Fuzzy Hash: D691B1359082419FD320CF16C989F1ABBE1AF44318F1485A9F4A99B6A2C7B4FD85CF91

Function 000E8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 000E8CF3

Part of subcall function 000C8E54: _wcslen.LIBCMT ref: 000C8E77

_wcslen.LIBCMT ref: 000E8D4E
_wcslen.LIBCMT ref: 000E8D9C
_wcslen.LIBCMT ref: 000E8DDC
_wcslen.LIBCMT ref: 000E8E6E

Strings

stdcall, xrefs: 000E8DD6, 000E8DDB
cdecl, xrefs: 000E8D48, 000E8D4D
none, xrefs: 000E8E65, 000E8E6A
winapi, xrefs: 000E8D96, 000E8D9B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: ad28ebaab82d9db2b37cd199f9348df43f260023ee17c78228c001355bcf214a
Instruction ID: db27ed321ceef7795368ea492a46a5382f04e184ebeb38d33aa1a0d78cb1ade3
Opcode Fuzzy Hash: ad28ebaab82d9db2b37cd199f9348df43f260023ee17c78228c001355bcf214a
Instruction Fuzzy Hash: DB51AF31A045569FCB24DF69C9409BEB3E6BF64320B218229E46AF73C5DB31DE40C790

Function 000E372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 000E3774
CoUninitialize.OLE32 ref: 000E377F
CoCreateInstance.OLE32(?,00000000,00000017,000FFB78,?), ref: 000E37D9
IIDFromString.OLE32(?,?), ref: 000E384C
VariantInit.OLEAUT32(?), ref: 000E38E4
VariantClear.OLEAUT32(?), ref: 000E3936

Strings

Failed to create object, xrefs: 000E37E4, 000E389A
Invalid parameter, xrefs: 000E3865
NULL Pointer assignment, xrefs: 000E381E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 10d04dd581e74f99b8956035cf35eeb74aa1f64272317d617aff664c2d31a345
Instruction ID: 4aafdd736c371f65dce06bbdd9df900a5c225322b15366021fa7a432a23c0741
Opcode Fuzzy Hash: 10d04dd581e74f99b8956035cf35eeb74aa1f64272317d617aff664c2d31a345
Instruction Fuzzy Hash: 5F61AF70608341AFD320DF55C949FAEBBE8AF45714F100859F585A7292CB70EE48CB92

Function 000D3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 000D33CF

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 000D33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 000D3522
Error: , xrefs: 000D34D1
^ ERROR , xrefs: 000D349E
Line %d (File "%s"):, xrefs: 000D3443, 000D345C
"%s" (%d) : ==> %s:%s%s, xrefs: 000D3504
Incorrect parameters to object property !, xrefs: 000D34AB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: eff92f4db08c180fc7eb31ad19dcf7573c16dd10a2fdc15c824a27f30193df1b
Instruction ID: 6f0a48279e499d551550a185b144d60b88a428c5fc5f228ba8b3290e81f19194
Opcode Fuzzy Hash: eff92f4db08c180fc7eb31ad19dcf7573c16dd10a2fdc15c824a27f30193df1b
Instruction Fuzzy Hash: DE518C32900219BADF15EBA0DE46EEEB7B9EF14340F104065F505721A2EB352F98DBA1

Function 000CB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 000CB5FC
_wcslen.LIBCMT ref: 000CB608
_wcslen.LIBCMT ref: 000CB64D
_wcslen.LIBCMT ref: 000CB68C
_wcslen.LIBCMT ref: 000CB6C7

Strings

REMOVE, xrefs: 000CB602, 000CB607
KEYS, xrefs: 000CB647, 000CB64C
APPEND, xrefs: 000CB6C1, 000CB6C6
EXISTS, xrefs: 000CB686, 000CB68B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7433c7778581a41331a8f614f478a5ce8163d0df55fee62c486cc83bc3d010a9
Instruction ID: 7c890118b19e01840755e2ae0c249e5c13a88215fda12cd8aa90aca90e418ac3
Opcode Fuzzy Hash: 7433c7778581a41331a8f614f478a5ce8163d0df55fee62c486cc83bc3d010a9
Instruction Fuzzy Hash: 7D41B432A000279BCB606F7DC992ABE77E5AB60754F25422DE865D7284E739CD81C790

Function 000D5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000D53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 000D5416
GetLastError.KERNEL32 ref: 000D5420
SetErrorMode.KERNEL32(00000000,READY), ref: 000D54A7

Strings

NOTREADY, xrefs: 000D544B
INVALID, xrefs: 000D5459
READY, xrefs: 000D5460, 000D5468
READONLY, xrefs: 000D5452
UNKNOWN, xrefs: 000D5444

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e08c8aed124256721fdb98d4d95e870b831fead112eff71627bd3576ca67ff68
Instruction ID: e12d01d3106e2f16fc1b20c64f141463091d214df9407c54bdc08b9ca1512bc5
Opcode Fuzzy Hash: e08c8aed124256721fdb98d4d95e870b831fead112eff71627bd3576ca67ff68
Instruction Fuzzy Hash: 1931A235A006089FD750DF68C985EEA7BF4EF4530AF14806AE805DB392D770DD82CBA2

Function 000F3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 000F3C79
SetMenu.USER32(?,00000000), ref: 000F3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000F3D10
IsMenu.USER32(?), ref: 000F3D24
CreatePopupMenu.USER32 ref: 000F3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000F3D5B
DrawMenuBar.USER32 ref: 000F3D63

Strings

0, xrefs: 000F3C54
F, xrefs: 000F3D4E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: d290fae132313d49a56bffedb5da8cf674f5a509bce9b6ed6108e1725cb52247
Instruction ID: 487e6150eba5a419b90389469b6826481ed0def72d50a4782cce193d1c14ea29
Opcode Fuzzy Hash: d290fae132313d49a56bffedb5da8cf674f5a509bce9b6ed6108e1725cb52247
Instruction Fuzzy Hash: 04418874A01209EFEB14DF64E844EEA7BF5FF49320F140028EA46A7760D730AA10EF90

Function 000F3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000F3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000F3AA0
GetWindowLongW.USER32(?,000000F0), ref: 000F3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000F3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000F3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 000F3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 000F3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 000F3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 000F3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 000F3C13

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e332aea036a71daaa1d1e7002d3e0ee106d2715db31236c14bd69dd41e55a140
Instruction ID: 81f22ef1d527b922de69a81e46765b3b73c17702c7c59cc5998405d74a4ab783
Opcode Fuzzy Hash: e332aea036a71daaa1d1e7002d3e0ee106d2715db31236c14bd69dd41e55a140
Instruction Fuzzy Hash: 1B615A75900248AFDB10DFA8CC81EFE77F8EB09714F104199FA15E72A2D774AA85EB50

Function 00092C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00092C94

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 00092CA0
_free.LIBCMT ref: 00092CAB
_free.LIBCMT ref: 00092CB6
_free.LIBCMT ref: 00092CC1
_free.LIBCMT ref: 00092CCC
_free.LIBCMT ref: 00092CD7
_free.LIBCMT ref: 00092CE2
_free.LIBCMT ref: 00092CED
_free.LIBCMT ref: 00092CFB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 76290656d0924c6988d6a14fa68065e2dafbdc28ea24ba198b538050e83ace79
Instruction ID: 2a92286bcfd8d667dbaeafd5aceaf0ac068a282f7ae9677fdb001fe547bdb63d
Opcode Fuzzy Hash: 76290656d0924c6988d6a14fa68065e2dafbdc28ea24ba198b538050e83ace79
Instruction Fuzzy Hash: D3114076510108BFCF02EF94D982CDD3BA9FF05350F9145A5FA889B222DA31EA50AB90

Function 00061410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00061459
OleUninitialize.OLE32(?,00000000), ref: 000614F8
UnregisterHotKey.USER32(?), ref: 000616DD
DestroyWindow.USER32(?), ref: 000A24B9
FreeLibrary.KERNEL32(?), ref: 000A251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000A254B

Strings

close all, xrefs: 00061454

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 388808edc2409da25446b07e6588a2d866bcec0558f47ffe32bc4846083fd451
Instruction ID: f66c2cc64fd26c922195a8aa7ef5f13403fe0541366eda1c6727592e66fe72f2
Opcode Fuzzy Hash: 388808edc2409da25446b07e6588a2d866bcec0558f47ffe32bc4846083fd451
Instruction Fuzzy Hash: 41D19031B01212CFDB29EF69C599EA9F7A5BF05700F1841ADE44A6B252DB30ED12CF51

Function 000D7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 000D7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 000D7FC1
GetFileAttributesW.KERNEL32(?), ref: 000D7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 000D8005
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8017
SetCurrentDirectoryW.KERNEL32(?), ref: 000D8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 000D80B0

Strings

*.*, xrefs: 000D8066

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 0e3278437197dfd1beab94652897e75a31d7cce046a7075ae066e7b492344d30
Instruction ID: 6e3d2a15cdda8e9434d3e90aa5680ca5d50ff4538f9763104020c4636e5bf49b
Opcode Fuzzy Hash: 0e3278437197dfd1beab94652897e75a31d7cce046a7075ae066e7b492344d30
Instruction Fuzzy Hash: A3819E725083419BDB64EF14C844AAEB7E9BF88314F54486FF889C7351EB34DD458B62

Function 00065BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00065C7A

Part of subcall function 00065D0A: GetClientRect.USER32(?,?), ref: 00065D30
Part of subcall function 00065D0A: GetWindowRect.USER32(?,?), ref: 00065D71
Part of subcall function 00065D0A: ScreenToClient.USER32(?,?), ref: 00065D99

GetDC.USER32 ref: 000A46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000A4708
SelectObject.GDI32(00000000,00000000), ref: 000A4716
SelectObject.GDI32(00000000,00000000), ref: 000A472B
ReleaseDC.USER32(?,00000000), ref: 000A4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000A47C4

Strings

U, xrefs: 000A4693

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: bdd404fcfb433f482cf76a6b76fecb8ff8354ee13bffb6038a5c87ede394b551
Instruction ID: ddaea051ceab56f886917b9825d9cbf904aaeb4975178434924bf7080608e8db
Opcode Fuzzy Hash: bdd404fcfb433f482cf76a6b76fecb8ff8354ee13bffb6038a5c87ede394b551
Instruction Fuzzy Hash: D771EE38404249DFCF618FA4CD85AFE7BF2FF8A321F144269E9555A2A6C7B08881DF50

Function 000D359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 000D35E4

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

LoadStringW.USER32(00132390,?,00000FFF,?), ref: 000D360A

Strings

"%s" (%d) : ==> %s:, xrefs: 000D3742
^ ERROR, xrefs: 000D36C9
Error: , xrefs: 000D36EF
Line %d (File "%s"):, xrefs: 000D366B
"%s" (%d) : ==> %s:%s%s, xrefs: 000D3724

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6338928ba708ffdc78cf0af376d44e27e93e38d08febdce66d165e17c22ef862
Instruction ID: b5e659b2adf2626a2d3e9400ba86f07ffdf651ff7ac7cafc32b7711004c43605
Opcode Fuzzy Hash: 6338928ba708ffdc78cf0af376d44e27e93e38d08febdce66d165e17c22ef862
Instruction Fuzzy Hash: 11517E72800219BBDF14EBA0DD42EEEBB79EF14310F144125F505726A2EB316B99DFA1

Function 000F8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

Part of subcall function 0007912D: GetCursorPos.USER32(?), ref: 00079141
Part of subcall function 0007912D: ScreenToClient.USER32(00000000,?), ref: 0007915E
Part of subcall function 0007912D: GetAsyncKeyState.USER32(00000001), ref: 00079183
Part of subcall function 0007912D: GetAsyncKeyState.USER32(00000002), ref: 0007919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 000F8B6B
ImageList_EndDrag.COMCTL32 ref: 000F8B71
ReleaseCapture.USER32 ref: 000F8B77
SetWindowTextW.USER32(?,00000000), ref: 000F8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000F8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 000F8CFF

Strings

@GUI_DROPID, xrefs: 000F8C51
@GUI_DRAGFILE, xrefs: 000F8C9A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 5a1c657167f8eff615d0a9f44f162c2578d48e72cbe0738af1a19bd1a11040ba
Instruction ID: 7856e2ab25867f9cf8292df7e747583223df62dc9d9c5bf5b69879f1b89d58e3
Opcode Fuzzy Hash: 5a1c657167f8eff615d0a9f44f162c2578d48e72cbe0738af1a19bd1a11040ba
Instruction Fuzzy Hash: 3E517C70204208AFE700DF14DD56FBA77E5FB88714F40052DFA56976E2CB749944DBA2

Function 000DC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000DC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000DC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 000DC2CA
GetLastError.KERNEL32 ref: 000DC322
SetEvent.KERNEL32(?), ref: 000DC336
InternetCloseHandle.WININET(00000000), ref: 000DC341

Strings

, xrefs: 000DC2BB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a9b52b0aa5c00eeb543829157ee48a9a2184e0b8eee91a922a83eef4df793583
Instruction ID: b454627e3b21f0773ba6c6f6d949786e33b63362148220d1e5b9fd17961493d3
Opcode Fuzzy Hash: a9b52b0aa5c00eeb543829157ee48a9a2184e0b8eee91a922a83eef4df793583
Instruction Fuzzy Hash: F3317AB1604309AFFB61AF648989EBB7AFCEB49740B14851EB44692701DB34DE04DB70

Function 000C989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000A3AAF,?,?,Bad directive syntax error,000FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 000C98BC
LoadStringW.USER32(00000000,?,000A3AAF,?), ref: 000C98C3

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 000C9987

Strings

., xrefs: 000C996D
Line %d (File "%s"):, xrefs: 000C992D
Error: , xrefs: 000C9955
Line %d:, xrefs: 000C9912
%s (%d) : ==> %s.: %s %s, xrefs: 000C98F1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 4eaf1d5d055f395780b834af82dfefc73f5e7730b8b2f92ba917003d7d86f8ca
Instruction ID: a7920d79a49a727380e7d4df7d46f3012ed4da97a4eb4d6983303e6bc1473153
Opcode Fuzzy Hash: 4eaf1d5d055f395780b834af82dfefc73f5e7730b8b2f92ba917003d7d86f8ca
Instruction Fuzzy Hash: 9C217E3180025EABDF11AF90CC0AEFE777AFF18700F044469F519660A2EB359A28DB50

Function 000C209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000C20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 000C20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000C214D

Strings

largeicons, xrefs: 000C20E1
details, xrefs: 000C20FB
smallicons, xrefs: 000C2115
list, xrefs: 000C212F
SHELLDLL_DefView, xrefs: 000C20CC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 611fe14b9cde8d70aee4a339e5ca3512fbaa502835a84b2e032aaf86ca8c0888
Instruction ID: 9a558171fded584989d3df3bf4f6e89642619c4c96bea5a2cd3e360b43f88851
Opcode Fuzzy Hash: 611fe14b9cde8d70aee4a339e5ca3512fbaa502835a84b2e032aaf86ca8c0888
Instruction Fuzzy Hash: 6B11E376688717B9FA153720AC07EEE379DDB25324B20002AFF04A94E2EAB568115A14

Function 0009CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0009CEB7
_free.LIBCMT ref: 0009CF22
_free.LIBCMT ref: 0009CF48
_free.LIBCMT ref: 0009CF71
_free.LIBCMT ref: 0009CFA9
_free.LIBCMT ref: 0009CFDA
_free.LIBCMT ref: 0009D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0009D09C
_free.LIBCMT ref: 0009D0B5

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 7f789ce0e169f7b0cff0c6c6d416129a1f9933589fd88aa951bd248266c174c5
Instruction ID: f6966bb917b27f0ef6cdf494cd71f0a3b75f5471c102680e00f8f0ec2b274bb7
Opcode Fuzzy Hash: 7f789ce0e169f7b0cff0c6c6d416129a1f9933589fd88aa951bd248266c174c5
Instruction Fuzzy Hash: 64612771D04305AFEF22AFB498A1EAE7BE5EF05350F04417EF94597282D7319E41A790

Function 000F50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 000F5186
ShowWindow.USER32(?,00000000), ref: 000F51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 000F51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 000F51D1

Part of subcall function 000F6FBA: DeleteObject.GDI32(00000000), ref: 000F6FE6

GetWindowLongW.USER32(?,000000F0), ref: 000F520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000F524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 000F5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 000F5296

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: bf95b114f3e301f4c7e10d4dda69e051b70c165c8fb1ad695ed97dd89d9f6314
Instruction ID: d63fcd1eead2bb6ec94486abae67cfa48236bf0500dc34223573bb7e75c46e53
Opcode Fuzzy Hash: bf95b114f3e301f4c7e10d4dda69e051b70c165c8fb1ad695ed97dd89d9f6314
Instruction Fuzzy Hash: 21516F30A44A0CBEEF749F24CC46BF93BA5BB46322F148211F71596AE1D775A980FB41

Function 00078B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000B6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000B68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000B68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000B68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000B68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00078874,00000000,00000000,00000000,000000FF,00000000), ref: 000B6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000B691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00078874,00000000,00000000,00000000,000000FF,00000000), ref: 000B692D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: edff9fb1b806dcbd48aae1c384061ab0365b18b08597674f6b7310b6c3d43ee2
Instruction ID: b165e86b027da736bcbdbd4e34f434e533cfa79f54e1bf5c77fa3d1824f69288
Opcode Fuzzy Hash: edff9fb1b806dcbd48aae1c384061ab0365b18b08597674f6b7310b6c3d43ee2
Instruction Fuzzy Hash: A7519E70A00209EFEB20CF25CC56FAA77F5FB58750F108528F90A976A0DB79E990DB54

Function 000DC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 000DC182
GetLastError.KERNEL32 ref: 000DC195
SetEvent.KERNEL32(?), ref: 000DC1A9

Part of subcall function 000DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 000DC272
Part of subcall function 000DC253: GetLastError.KERNEL32 ref: 000DC322
Part of subcall function 000DC253: SetEvent.KERNEL32(?), ref: 000DC336
Part of subcall function 000DC253: InternetCloseHandle.WININET(00000000), ref: 000DC341

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 81893a8725a321198f0a10e8052dc7b8e6023ddb2e854670b79a599d01e4ae6b
Instruction ID: d0afd9c99ed5c1ee167c6170de5f9ff9652030718fe65aec899ba5938f694f43
Opcode Fuzzy Hash: 81893a8725a321198f0a10e8052dc7b8e6023ddb2e854670b79a599d01e4ae6b
Instruction Fuzzy Hash: 7D318771200746AFFB219FA59D44EBABBE8FF58300B10442EF95682B10C734E814EBB0

Function 000C25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C3A57
Part of subcall function 000C3A3D: GetCurrentThreadId.KERNEL32 ref: 000C3A5E
Part of subcall function 000C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000C25B3), ref: 000C3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 000C25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 000C25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 000C25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 000C25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 000C2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 000C2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 000C260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 000C2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 000C2627

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 02bb191f170a84eb2b6f4e2daf3906520f79ec36da68dd70e9933b25e1461949
Instruction ID: 128f0a8a8c1117ee11d026120ea2d5a447f9bd89c6e3ff81abb3132a3ba911fa
Opcode Fuzzy Hash: 02bb191f170a84eb2b6f4e2daf3906520f79ec36da68dd70e9933b25e1461949
Instruction Fuzzy Hash: 9D01D430394614BBFB2067689C8BFAD3F59EF4EB12F100005F318AE0E1C9F26454DA6A

Function 000C1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,000C1449,?,?,00000000), ref: 000C180C
HeapAlloc.KERNEL32(00000000,?,000C1449,?,?,00000000), ref: 000C1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000C1449,?,?,00000000), ref: 000C1828
GetCurrentProcess.KERNEL32(?,00000000,?,000C1449,?,?,00000000), ref: 000C1830
DuplicateHandle.KERNEL32(00000000,?,000C1449,?,?,00000000), ref: 000C1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,000C1449,?,?,00000000), ref: 000C1843
GetCurrentProcess.KERNEL32(000C1449,00000000,?,000C1449,?,?,00000000), ref: 000C184B
DuplicateHandle.KERNEL32(00000000,?,000C1449,?,?,00000000), ref: 000C184E
CreateThread.KERNEL32(00000000,00000000,000C1874,00000000,00000000,00000000), ref: 000C1868

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 1e6a0e7e95339cf56a3c99f0e307e0928c99cd03da2a062ada0d83c4c0e28368
Instruction ID: 76c1bc2ba56e79069575a6b4e8aa348a934c7b0d6613fa237c0c9edb1368051b
Opcode Fuzzy Hash: 1e6a0e7e95339cf56a3c99f0e307e0928c99cd03da2a062ada0d83c4c0e28368
Instruction Fuzzy Hash: 9301BF75240308BFF710AB65DD4EF6B3B6CFB8AB11F004411FA05DB591CA749814DB60

Function 000EA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 000CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 000CD501
Part of subcall function 000CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 000CD50F
Part of subcall function 000CD4DC: CloseHandle.KERNEL32(00000000), ref: 000CD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 000EA16D
GetLastError.KERNEL32 ref: 000EA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 000EA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 000EA268
GetLastError.KERNEL32(00000000), ref: 000EA273
CloseHandle.KERNEL32(00000000), ref: 000EA2C4

Strings

SeDebugPrivilege, xrefs: 000EA18F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 687319be0b0ae0758fbefa4120c623caa8018ac8861f20776ffaa4319ad02a88
Instruction ID: 326c41b075802b17bbb71217ce41a463ce3c509777426151852bcc2d42697e65
Opcode Fuzzy Hash: 687319be0b0ae0758fbefa4120c623caa8018ac8861f20776ffaa4319ad02a88
Instruction Fuzzy Hash: 5961B3302042819FE720DF19C494F69BBE1AF49318F14849CE5669BBA3C776FD45CB92

Function 000F3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000F3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 000F393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000F3954
_wcslen.LIBCMT ref: 000F3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 000F39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 000F39F4

Strings

SysListView32, xrefs: 000F38F7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 60a15a3ad3425bf3a7dbd7fca1a1a3c8cedac37b843acd64cd01b2a851b06b87
Instruction ID: 6d5f540cc8c78d114ee5dde2bf4089d2cf5035820b470eae4ea0c38afbc78d38
Opcode Fuzzy Hash: 60a15a3ad3425bf3a7dbd7fca1a1a3c8cedac37b843acd64cd01b2a851b06b87
Instruction Fuzzy Hash: 22419171A0431DABEB219F64CC45FFA77A9EF08360F100526FA58E7681D7B59980DB90

Function 000CBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000CBCFD
IsMenu.USER32(00000000), ref: 000CBD1D
CreatePopupMenu.USER32 ref: 000CBD53
GetMenuItemCount.USER32(00BD46E8), ref: 000CBDA4
InsertMenuItemW.USER32(00BD46E8,?,00000001,00000030), ref: 000CBDCC

Strings

0, xrefs: 000CBCA8
2, xrefs: 000CBD37

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 3526c8a78bdb911d8af74a28913069108a463fe8ebd78911d19d2b37648540b4
Instruction ID: 09e73ad90dc644931f8b150bdd97323a3cc1c305e5034beeac02f1ff51382eef
Opcode Fuzzy Hash: 3526c8a78bdb911d8af74a28913069108a463fe8ebd78911d19d2b37648540b4
Instruction Fuzzy Hash: D551AD70A002099BEB20DFA8D986FAEBBF8BF45314F14415DE403AB291E7709945CB61

Function 000CC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 000CC913

Strings

question, xrefs: 000CC8CC
blank, xrefs: 000CC895
stop, xrefs: 000CC8E4
warning, xrefs: 000CC8FC
info, xrefs: 000CC8B4

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f453c1d8da6e451a5bb42858eb4ac87eea8637758698575042731881b462b398
Instruction ID: e9075b018c98722f342678c93caebb63c076c6217e7bf0088334cd6f8dd873dd
Opcode Fuzzy Hash: f453c1d8da6e451a5bb42858eb4ac87eea8637758698575042731881b462b398
Instruction Fuzzy Hash: DF11D831689317BAF715AB54EC83EAE77ECDF15354B10002EF508A61C2E7B49D005365

Function 000CDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 000CDE42
gethostname.WSOCK32(?,00000100), ref: 000CDE5C
gethostbyname.WSOCK32(?), ref: 000CDE69
inet_ntoa.WSOCK32(?), ref: 000CDEAB
_strcat.LIBCMT ref: 000CDEB9
WSACleanup.WSOCK32 ref: 000CDEDE

Strings

0.0.0.0, xrefs: 000CDE87

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 6cf746a5339a719c5b84146c190eda9128953febc2c5fdee8d2a8cf482d75a56
Instruction ID: ece1bb6fd445cc75eb34ca900adf210df9cc2d1a0cb3a5028020a584bd347ff3
Opcode Fuzzy Hash: 6cf746a5339a719c5b84146c190eda9128953febc2c5fdee8d2a8cf482d75a56
Instruction Fuzzy Hash: 40110A31904219ABEB307B60DC0AEEF77ACEF15710F01017EF54596092EF748A81DB50

Function 000BD3A2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 000BD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000BD3BF
FreeLibrary.KERNEL32(00000000), ref: 000BD3E5
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000BD3FC

Strings

GetSystemWow64DirectoryW, xrefs: 000BD3B9
kernel32.dll, xrefs: 000BD3A8
X64, xrefs: 000BD2A8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
API String ID: 582185067-2904798639
Opcode ID: 30caa3151f93f63e5f1eb40bff59d70236e7117ac6da25d1913328f2798b59e2
Instruction ID: bc0a877df13bdc34b7eba30e4ee42ba0ad8b35e55db3f3aad868adec327a3932
Opcode Fuzzy Hash: 30caa3151f93f63e5f1eb40bff59d70236e7117ac6da25d1913328f2798b59e2
Instruction Fuzzy Hash: 37F0E23090626A9BE7B197108C6AEFDB3B4BF11B01F448056F506F6485EB38CE04EA91

Function 000CED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000CED2A
_wcslen.LIBCMT ref: 000CED3B
_wcslen.LIBCMT ref: 000CED79
_wcslen.LIBCMT ref: 000CEDAF
_wcslen.LIBCMT ref: 000CEDDF
_wcslen.LIBCMT ref: 000CEDEF
_wcslen.LIBCMT ref: 000CEE2B
_wcslen.LIBCMT ref: 000CEE5A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e6371d1536a0d33f5cafa55a46e8796a52c5eca4068aae29a77ab67bea31efed
Instruction ID: 00b23b219f6b92b5c790a3965da5f739f7943b5287b0a525c2b135ca3dc2fbe6
Opcode Fuzzy Hash: e6371d1536a0d33f5cafa55a46e8796a52c5eca4068aae29a77ab67bea31efed
Instruction Fuzzy Hash: 0241AE65C1021876CB21FBB4C88AACFB7A8BF45310F518567E558E3163FB34E245C3A6

Function 0007F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000B682C,00000004,00000000,00000000), ref: 0007F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000B682C,00000004,00000000,00000000), ref: 000BF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000B682C,00000004,00000000,00000000), ref: 000BF454

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8beb0ec998f0f324a9e4c6f781aadc856fa896f9345cb3249221d17cb1befd35
Instruction ID: b67242572c9e913c7055813a985d78ca34acbce10d0ef9b618141bcab77c97cb
Opcode Fuzzy Hash: 8beb0ec998f0f324a9e4c6f781aadc856fa896f9345cb3249221d17cb1befd35
Instruction Fuzzy Hash: 4C413B31A08782BAD7749B2DCD88BBA7BD1AB46314F14C03CE24F97961D73DA880DB15

Function 000F2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 000F2D1B
GetDC.USER32(00000000), ref: 000F2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000F2D2E
ReleaseDC.USER32(00000000,00000000), ref: 000F2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000F2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000F2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 000F2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000F2DE1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b48e38698d4c889d3db7d90ce746633e8824a06cc99f31d2cf72deed20215822
Instruction ID: bb9c701ff679e24327cf50dffe508709624f66b0a8d9c894201849ec1a5caa97
Opcode Fuzzy Hash: b48e38698d4c889d3db7d90ce746633e8824a06cc99f31d2cf72deed20215822
Instruction Fuzzy Hash: 1F318972201618BBFB218F50CC8AFFB3BA9EF09711F044055FE08DA691C6799C51DBA0

Function 000C5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000C5637
_memcmp.LIBVCRUNTIME ref: 000C5659
_memcmp.LIBVCRUNTIME ref: 000C5671
_memcmp.LIBVCRUNTIME ref: 000C5684
_memcmp.LIBVCRUNTIME ref: 000C569E
_memcmp.LIBVCRUNTIME ref: 000C56B1
_memcmp.LIBVCRUNTIME ref: 000C56C9
_memcmp.LIBVCRUNTIME ref: 000C56E4

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6af4736030a158defcaa53f32d1fe17e9cf703f2979664c4a99ccab5bb434f6a
Instruction ID: f73cc7be015d95434fa8950ce827164efe902ab3ecec7ff6d2c4df9cc6b5b6b0
Opcode Fuzzy Hash: 6af4736030a158defcaa53f32d1fe17e9cf703f2979664c4a99ccab5bb434f6a
Instruction Fuzzy Hash: 6921C87564091977961467109E82FFE279CAF51386B440028FE045B982F760FE9192E9

Function 000E4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 000E5007
NULL Pointer assignment, xrefs: 000E502E, 000E5383

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e6b9fbf5edd035cf1155ab371a1ffecd85d2da9217afd2f402952e77397c2300
Instruction ID: 54933f895f0ec7daab6c3eae8e251f3f827a479321c9064d4b07c409e54baab2
Opcode Fuzzy Hash: e6b9fbf5edd035cf1155ab371a1ffecd85d2da9217afd2f402952e77397c2300
Instruction Fuzzy Hash: 6BD1B071A0064A9FDF14CFA9CC81BAEB7F5BF48348F148869E915AB281E770DD41CB90

Function 000A1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000A15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000A1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000A17FB,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000A16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000A16FB

Part of subcall function 00093820: RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000A1777
__freea.LIBCMT ref: 000A17A2
__freea.LIBCMT ref: 000A17AE

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f3decf5d0ddeac115bc80596d3ea9901ddb5d9ad15c87a00158f4a515ae5100f
Instruction ID: b32e8208960b75c82d9b759bbe7982b6fe8a4f487db6e54045fa4d17aae75ec2
Opcode Fuzzy Hash: f3decf5d0ddeac115bc80596d3ea9901ddb5d9ad15c87a00158f4a515ae5100f
Instruction Fuzzy Hash: B191D471E046169ADF249EF4CC81EEE7BF5AF4A350F184669E812E7181EB35DD40CBA0

Function 000E4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E4648
VariantInit.OLEAUT32(?), ref: 000E4749
VariantClear.OLEAUT32(?), ref: 000E4753
VariantClear.OLEAUT32(?), ref: 000E47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 000E45D8, 000E4706, 000E47BE
Incorrect Object type in FOR..IN loop, xrefs: 000E472C

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: b6e01956c476d67300509b75d466c9a24af285e21f5d36fb384bbb125f1da6c4
Instruction ID: cb8676c66d283ab4557208ac1fda00c06a81965c10dbc5ad5460e058ff4b186a
Opcode Fuzzy Hash: b6e01956c476d67300509b75d466c9a24af285e21f5d36fb384bbb125f1da6c4
Instruction Fuzzy Hash: 88919171A04259AFDF20CFA6D884FAEBBB8EF86710F108559F545BB281D7709941CFA0

Function 000D1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 000D125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 000D1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 000D12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000D12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000D135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000D13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 000D1430

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 3461052dcd49f250d2c3fcfc760cf760fc02b84ef7fc0ae09d9a9085c028773a
Instruction ID: 3b00364bc861af0cce5fd3ca0d87d86b17b16d35efa633dbfb7a7342dfad6a25
Opcode Fuzzy Hash: 3461052dcd49f250d2c3fcfc760cf760fc02b84ef7fc0ae09d9a9085c028773a
Instruction Fuzzy Hash: 0391BF75A00309AFEB109F98C885BFE77B5FF45315F14402AE940E7392DB79A941CBA0

Function 0007948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 053fd052c4c73b2ae9dbb2fade18b0c8910e4bff198070400431f232e83fddf2
Instruction ID: f26430baad7efe5f8c47ed458cce450babcca2afe669ea27467eac55d9a28e26
Opcode Fuzzy Hash: 053fd052c4c73b2ae9dbb2fade18b0c8910e4bff198070400431f232e83fddf2
Instruction Fuzzy Hash: FF913A71D00219EFCB50CFA9CC84AEEBBB8FF89320F148555E519B7251D778AA42CB64

Function 000E3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000E396B
CharUpperBuffW.USER32(?,?), ref: 000E3A7A
_wcslen.LIBCMT ref: 000E3A8A
VariantClear.OLEAUT32(?), ref: 000E3C1F

Part of subcall function 000D0CDF: VariantInit.OLEAUT32(00000000), ref: 000D0D1F
Part of subcall function 000D0CDF: VariantCopy.OLEAUT32(?,?), ref: 000D0D28
Part of subcall function 000D0CDF: VariantClear.OLEAUT32(?), ref: 000D0D34

Strings

AUTOIT.ERROR, xrefs: 000E3A80, 000E3A85
Incorrect Parameter format, xrefs: 000E39A6, 000E3BA1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 478ade5b82f11134afe43e0d0f405efd1efb539945b9b5f0dbe5edd313a945f9
Instruction ID: f7d1c5acd85a86b57cd5dc7687feee0b6002de5240a18f55b552440d454257ea
Opcode Fuzzy Hash: 478ade5b82f11134afe43e0d0f405efd1efb539945b9b5f0dbe5edd313a945f9
Instruction Fuzzy Hash: 959199746083419FC710DF25C48596ABBE5FF89314F14886EF88AAB352DB30EE45CB82

Function 000E4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 000C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?,?,000C035E), ref: 000C002B
Part of subcall function 000C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0046
Part of subcall function 000C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0054
Part of subcall function 000C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?), ref: 000C0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 000E4C51
_wcslen.LIBCMT ref: 000E4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 000E4DCF
CoTaskMemFree.OLE32(?), ref: 000E4DDA

Strings

NULL Pointer assignment, xrefs: 000E4E23, 000E4E52

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 63db3e3af52cf3e98a5c399f709661a645066cb5b23f7d3c36c7208b0222931a
Instruction ID: 2656ed5b1807cf1cedf63579eb9f8ff72bdb815acfa0323be7c5c034293e0ef8
Opcode Fuzzy Hash: 63db3e3af52cf3e98a5c399f709661a645066cb5b23f7d3c36c7208b0222931a
Instruction Fuzzy Hash: F0911471D0025DAFDF14DFA5C891AEEB7B9BF08310F10816AE915B7292EB709A44CF60

Function 000F20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 000F2183
GetMenuItemCount.USER32(00000000), ref: 000F21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000F21DD
_wcslen.LIBCMT ref: 000F2213
GetMenuItemID.USER32(?,?), ref: 000F224D
GetSubMenu.USER32(?,?), ref: 000F225B

Part of subcall function 000C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C3A57
Part of subcall function 000C3A3D: GetCurrentThreadId.KERNEL32 ref: 000C3A5E
Part of subcall function 000C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000C25B3), ref: 000C3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000F22E3

Part of subcall function 000CE97B: Sleep.KERNEL32 ref: 000CE9F3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 59dafe5784f95128efafac80ef44300c09cde189c21d4bf9537d003ef5d20a70
Instruction ID: 617d9e8ae037ca6870b69dd9cc96c3e13b9ec5d61cd1e4f088f3b207425c67be
Opcode Fuzzy Hash: 59dafe5784f95128efafac80ef44300c09cde189c21d4bf9537d003ef5d20a70
Instruction Fuzzy Hash: 65717D75A00209AFDB50DFA4C841ABEB7F1FF88310F148469E956EB752DB34AE41DB90

Function 000CAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 000CAEF9
GetKeyboardState.USER32(?), ref: 000CAF0E
SetKeyboardState.USER32(?), ref: 000CAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 000CAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 000CAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 000CAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 000CB020

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: adb2246e7acb0ba6ef7f3e8ec1f2b2dad9122eebf3c292130ca8bacbe7215fbd
Instruction ID: 9895525f88a06afe6bf614189fec8a9bb781e9b1a5bfb960e7a57a07a8c5d7a5
Opcode Fuzzy Hash: adb2246e7acb0ba6ef7f3e8ec1f2b2dad9122eebf3c292130ca8bacbe7215fbd
Instruction Fuzzy Hash: 2251C1A0A047D93DFB3643748C46FBE7EE95B06308F08848DE1D9858D3C3A8AC85D752

Function 000CACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 000CAD19
GetKeyboardState.USER32(?), ref: 000CAD2E
SetKeyboardState.USER32(?), ref: 000CAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 000CADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 000CADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000CAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000CAE38

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 79a715b89744106ca88965184ef3cf1cf3391222588b96004acf044648a2f9e9
Instruction ID: 56f398dd58d7ff33b6661d12c866fa701a37b839764596a28a72324de0c2dcda
Opcode Fuzzy Hash: 79a715b89744106ca88965184ef3cf1cf3391222588b96004acf044648a2f9e9
Instruction Fuzzy Hash: 3751A3A16447D93DFB3683248C55FBE7EE95B46308F08858DE1D6868C3D294AC84E7A2

Function 0009542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(000A3CD6,?,?,?,?,?,?,?,?,00095BA3,?,?,000A3CD6,?,?), ref: 00095470
__fassign.LIBCMT ref: 000954EB
__fassign.LIBCMT ref: 00095506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,000A3CD6,00000005,00000000,00000000), ref: 0009552C
WriteFile.KERNEL32(?,000A3CD6,00000000,00095BA3,00000000,?,?,?,?,?,?,?,?,?,00095BA3,?), ref: 0009554B
WriteFile.KERNEL32(?,?,00000001,00095BA3,00000000,?,?,?,?,?,?,?,?,?,00095BA3,?), ref: 00095584

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 37870b584d1e337984b1ba7cbe0f240d325e5bec892f33d38c17f11e3d3a4f3d
Instruction ID: 28d51ca54d3a8f9c0304d4d33d32fe8ec679cacdfc2adfa327cc2699fde2b424
Opcode Fuzzy Hash: 37870b584d1e337984b1ba7cbe0f240d325e5bec892f33d38c17f11e3d3a4f3d
Instruction Fuzzy Hash: 9B51C170A007099FDF11CFA8DC55AEEBBF9EF09301F15411AF995E7292D6309A41DB60

Function 00082D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00082D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00082D53
_ValidateLocalCookies.LIBCMT ref: 00082DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00082E0C
_ValidateLocalCookies.LIBCMT ref: 00082E61

Strings

csm, xrefs: 00082DF6

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 161ab8bd3e6f3ff910c5aa4e5963b324900e3eb18bbf3c6022a4954795439139
Instruction ID: 07344dc15064cc3b6a2385d368c0ed5bab03c38aa5a0d56b7d5ab96520a7adb4
Opcode Fuzzy Hash: 161ab8bd3e6f3ff910c5aa4e5963b324900e3eb18bbf3c6022a4954795439139
Instruction Fuzzy Hash: 61418034A00319ABCF10EF68C845AEEBFF5BF84324F148155E9956B392DB71AA15CBD0

Function 000E10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000E304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000E307A
Part of subcall function 000E304E: _wcslen.LIBCMT ref: 000E309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000E1112
WSAGetLastError.WSOCK32 ref: 000E1121
WSAGetLastError.WSOCK32 ref: 000E11C9
closesocket.WSOCK32(00000000), ref: 000E11F9

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 8bfa4c59a3b8f0c96e154190c69190e3b452978a00b8913a8a562c545d3c22a2
Instruction ID: ef5e8a9964eee13331b0a20f92c89cc25502731311104f06c04c674640ed1225
Opcode Fuzzy Hash: 8bfa4c59a3b8f0c96e154190c69190e3b452978a00b8913a8a562c545d3c22a2
Instruction Fuzzy Hash: 8741F631600248AFEB109F55C845FEDBBE9EF45364F148099FD15AB292C774AD41CBE0

Function 000CCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000CCF22,?), ref: 000CDDFD

Part of subcall function 000CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000CCF22,?), ref: 000CDE16

lstrcmpiW.KERNEL32(?,?), ref: 000CCF45
MoveFileW.KERNEL32(?,?), ref: 000CCF7F
_wcslen.LIBCMT ref: 000CD005
_wcslen.LIBCMT ref: 000CD01B
SHFileOperationW.SHELL32(?), ref: 000CD061

Strings

\*.*, xrefs: 000CCFF3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 030ef2e756bbf8fc04456df32c501be3a079d006349a1a581c1913eba05272c0
Instruction ID: 09abc57f0c499b5395d5affad0aab9c9465891b87654bbf4f730310ac4236f46
Opcode Fuzzy Hash: 030ef2e756bbf8fc04456df32c501be3a079d006349a1a581c1913eba05272c0
Instruction Fuzzy Hash: 394155719052185FEF52EBA4C981FDDB7F9AF18380F1000FEE549EB142EA34A645DB50

Function 000F2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000F2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 000F2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 000F2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000F2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000F2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 000F2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000F2F0B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8cc2eca06d7cc02a65baf8163ab7b97578198c46b4c934750e030d2524af7340
Instruction ID: ce13a7e6454489676bbb6fd1fbc0848cf7975661958a72664221dca6e8700015
Opcode Fuzzy Hash: 8cc2eca06d7cc02a65baf8163ab7b97578198c46b4c934750e030d2524af7340
Instruction Fuzzy Hash: 5731F230644258EFEB21CF58DD85FA537E5EB9A714F250164FA00CFAB2CB71A884EB41

Function 000C7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C778F
SysAllocString.OLEAUT32(00000000), ref: 000C7792
SysAllocString.OLEAUT32(?), ref: 000C77B0
SysFreeString.OLEAUT32(?), ref: 000C77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 000C77DE
SysAllocString.OLEAUT32(?), ref: 000C77EC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5c33aaea12e7b101b3c3b6e6a4d70f3075ed6fa3d3fbd80158ab23a29257bd75
Instruction ID: 029338824832ec507194fa1c5b0e52f9a8143e968b74568654060c202c57b755
Opcode Fuzzy Hash: 5c33aaea12e7b101b3c3b6e6a4d70f3075ed6fa3d3fbd80158ab23a29257bd75
Instruction Fuzzy Hash: E2219F7660821DAFEB10DFA8CC89EBE73ECEB093647008129F918DB151D674AC45DB64

Function 000C77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 000C7868
SysAllocString.OLEAUT32(00000000), ref: 000C786B
SysAllocString.OLEAUT32 ref: 000C788C
SysFreeString.OLEAUT32 ref: 000C7895
StringFromGUID2.OLE32(?,?,00000028), ref: 000C78AF
SysAllocString.OLEAUT32(?), ref: 000C78BD

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c70899d2efe4cf1d64bce00913f82a4972e0f25eb2a888d0db426d2a2e656cb6
Instruction ID: f9bc6802b59d89014c2ad53c53bf3383477c649c66134e3d5a1febf9b5702696
Opcode Fuzzy Hash: c70899d2efe4cf1d64bce00913f82a4972e0f25eb2a888d0db426d2a2e656cb6
Instruction Fuzzy Hash: BA214735604109AFEB109FA8DC89EBE77ECEB097607108129FA19CB1A1DA74DC45DB74

Function 000D04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 000D04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000D052E

Strings

nul, xrefs: 000D0567

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6f7fa8e8d60ea8fe373491dbd1496c416c79500d9b35a3e695fe0b71dc47d532
Instruction ID: d91b7bf40e79d725218d6b12f4fe9f2478040270d9300d49344ff9b953a0e60c
Opcode Fuzzy Hash: 6f7fa8e8d60ea8fe373491dbd1496c416c79500d9b35a3e695fe0b71dc47d532
Instruction Fuzzy Hash: 57217E75900705EBEB208F29EC05BAA77E4AF44764F204A1AECA5D72E4D7709950DF30

Function 000D05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 000D05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 000D0601

Strings

nul, xrefs: 000D0639

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cbaa5f2447b46ddadb1b65d9e8a3b52eaad706c813b0826d3390ce50a99091ee
Instruction ID: 540e1a968e709220827f082d0bec9a5a433b0c708394faf17a24039230e61f9d
Opcode Fuzzy Hash: cbaa5f2447b46ddadb1b65d9e8a3b52eaad706c813b0826d3390ce50a99091ee
Instruction Fuzzy Hash: F5219F755003059BEB208F799C05FAA77E8AF85724F200A1AF8A5E33E0D770D960DB30

Function 000F40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0006600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0006604C
Part of subcall function 0006600E: GetStockObject.GDI32(00000011), ref: 00066060
Part of subcall function 0006600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0006606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000F4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000F411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000F412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000F4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000F4145

Strings

Msctls_Progress32, xrefs: 000F40E3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 586d78df47b0f862d1b562b40a07de3b8b943fddc58d1153b8845ada9d193131
Instruction ID: 2f8a98fd32757064f8e721a42a3786a631870df048f57943459d26f82cd7f4e1
Opcode Fuzzy Hash: 586d78df47b0f862d1b562b40a07de3b8b943fddc58d1153b8845ada9d193131
Instruction Fuzzy Hash: 79115EB215021DBEEB219E64CC86EE77F9DEF08798F014111BB18A6190CB769C61DBA4

Function 0009D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0009D7A3: _free.LIBCMT ref: 0009D7CC

_free.LIBCMT ref: 0009D82D

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 0009D838
_free.LIBCMT ref: 0009D843
_free.LIBCMT ref: 0009D897
_free.LIBCMT ref: 0009D8A2
_free.LIBCMT ref: 0009D8AD
_free.LIBCMT ref: 0009D8B8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction ID: 6414fa889f79b1c35c057c22dc61fb2e7f1f718e586a86b7bb9d546d07d27c75
Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
Instruction Fuzzy Hash: FA11DA71585B04BADE21FFF0CC47FCBBBDCAF05700F404826B29DA6593EA65B505A6A0

Function 000CDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 000CDA74
LoadStringW.USER32(00000000), ref: 000CDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 000CDA91
LoadStringW.USER32(00000000), ref: 000CDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 000CDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 000CDAB9

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f7e45851d44b0cb55db124eee6c4c2b8c372b90f1fcde060df01d2d701e44c05
Instruction ID: 5110c3f0c7f217553cfd3d134c203e6d947d80a14219e6c97d33e740e3f7c3a9
Opcode Fuzzy Hash: f7e45851d44b0cb55db124eee6c4c2b8c372b90f1fcde060df01d2d701e44c05
Instruction Fuzzy Hash: D30162F250420C7FF710ABA09E8AEFB736CE708701F4004A6B746E2441E6789E849F75

Function 000D096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00BCDEB0,00BCDEB0), ref: 000D097B
EnterCriticalSection.KERNEL32(00BCDE90,00000000), ref: 000D098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 000D099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 000D09A9
CloseHandle.KERNEL32(00000000), ref: 000D09B8
InterlockedExchange.KERNEL32(00BCDEB0,000001F6), ref: 000D09C8
LeaveCriticalSection.KERNEL32(00BCDE90), ref: 000D09CF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 09d390f78b899b98fb64b022d90668c628d762fb92bc4d2a7a55dd5024b50ea8
Instruction ID: a5c7e6e353acd9ef5046fb52d61c35ce8bb47edb6a5a6d02cbec314b9857b4dc
Opcode Fuzzy Hash: 09d390f78b899b98fb64b022d90668c628d762fb92bc4d2a7a55dd5024b50ea8
Instruction Fuzzy Hash: A2F01D31442606BBF7815B94EF8AFE6BA25FF01702F401016F10190CA0C7789465EFA0

Function 000E1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 000E1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 000E1DE1
WSAGetLastError.WSOCK32 ref: 000E1DF2
htons.WSOCK32(?,?,?,?,?), ref: 000E1EDB
inet_ntoa.WSOCK32(?), ref: 000E1E8C

Part of subcall function 000C39E8: _strlen.LIBCMT ref: 000C39F2

Part of subcall function 000E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,000DEC0C), ref: 000E3240

_strlen.LIBCMT ref: 000E1F35

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 8128899778d2d23aaa5901980386ee1ad2d44dd8d2ef9584b1dc548be7b8c9ce
Instruction ID: 0e3db3d262b1b854fb9d4b90052081d806cf0e55ab1955cd96d7ffac0b1930d7
Opcode Fuzzy Hash: 8128899778d2d23aaa5901980386ee1ad2d44dd8d2ef9584b1dc548be7b8c9ce
Instruction Fuzzy Hash: 25B1D070604380AFD324DF25C885FAA7BE5AF84318F54855CF45AAB2A3DB31ED42CB91

Function 00065D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00065D30
GetWindowRect.USER32(?,?), ref: 00065D71
ScreenToClient.USER32(?,?), ref: 00065D99
GetClientRect.USER32(?,?), ref: 00065ED7
GetWindowRect.USER32(?,?), ref: 00065EF8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: fb6d9889591d960475f6dea4acb56b805b359489ba096895fda417d49d9d10a2
Instruction ID: aa03f9982a65679006b1db6da2c25d474d1c1081c5d4d38c9cc8e0faf5bd0eba
Opcode Fuzzy Hash: fb6d9889591d960475f6dea4acb56b805b359489ba096895fda417d49d9d10a2
Instruction Fuzzy Hash: 65B17C38A0074ADBDB24CFA8C8407EEB7F2FF58311F14851AE8A9D7250DB74AA51DB50

Function 000901B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000900BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000900D6
__allrem.LIBCMT ref: 000900ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0009010B
__allrem.LIBCMT ref: 00090122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00090140

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: f394accbabf24b9944da4e7cc5d012b1c80cb0e1f290c7950c005efa3c165fb0
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: AC81F672A00706AFEB24AF78CC41BAFB3E9AF41764F24453AF551D7282E771D9009B90

Function 000961FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000882D9,000882D9,?,?,?,0009644F,00000001,00000001,8BE85006), ref: 00096258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0009644F,00000001,00000001,8BE85006,?,?,?), ref: 000962DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000963D8
__freea.LIBCMT ref: 000963E5

Part of subcall function 00093820: RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

__freea.LIBCMT ref: 000963EE
__freea.LIBCMT ref: 00096413

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 4d98f21e3b4518016ddbc239201b7e5635df458e8aec46c9d1d36b95560001c8
Instruction ID: 3423d912e83134e9d0718f2ba0260681061b253f8ae9be46a5ec02af30c19b99
Opcode Fuzzy Hash: 4d98f21e3b4518016ddbc239201b7e5635df458e8aec46c9d1d36b95560001c8
Instruction Fuzzy Hash: AD51F372600216ABEF268F64CC81EBF77A9EF45750F158229FC05D7141EB36DD50E660

Function 000EBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000EC9F1
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA68
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000EBD25
RegCloseKey.ADVAPI32(00000000), ref: 000EBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000EBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 000EBDF3
RegCloseKey.ADVAPI32(?), ref: 000EBDFF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 98aaca01a385070f800b5162a1aa6ea1f1d3ec91c29a78470a3a61bcd770b0ac
Instruction ID: 05bf31913281dd347cb04233db88b626abb0ed9ab3b5f9706ab581da9132d429
Opcode Fuzzy Hash: 98aaca01a385070f800b5162a1aa6ea1f1d3ec91c29a78470a3a61bcd770b0ac
Instruction Fuzzy Hash: A4817C30208281AFD714DF24C895E6BBBE5FF84308F14896CF5599B2A2DB31ED45CB92

Function 000BF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 000BF7B9
SysAllocString.OLEAUT32(00000001), ref: 000BF860
VariantCopy.OLEAUT32(000BFA64,00000000), ref: 000BF889
VariantClear.OLEAUT32(000BFA64), ref: 000BF8AD
VariantCopy.OLEAUT32(000BFA64,00000000), ref: 000BF8B1
VariantClear.OLEAUT32(?), ref: 000BF8BB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b2b17a0d0199fa1aa25fcc7535068449a0316251d2de2357b4110ab1bc3157d7
Instruction ID: 26ef948697f712e8dfac22128f8817d9aa31d5f6217eb006fa532faea49a5dde
Opcode Fuzzy Hash: b2b17a0d0199fa1aa25fcc7535068449a0316251d2de2357b4110ab1bc3157d7
Instruction Fuzzy Hash: 6B51C031600312BADF20AB65DC95BF9B3A9AF45710B209477E906DF292DB749C40CB96

Function 000D910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 000D94E5
_wcslen.LIBCMT ref: 000D9506
_wcslen.LIBCMT ref: 000D952D
GetSaveFileNameW.COMDLG32(00000058), ref: 000D9585

Strings

X, xrefs: 000D9412

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 00bc164b261d146f10c33df60c1d6b91ef30627ad7a3241f41cd9ec83be9c2d2
Instruction ID: e8e007e1ffc2fa2359674e427848f06be0e28eef523d6eb440e7a5c8aa3ffba8
Opcode Fuzzy Hash: 00bc164b261d146f10c33df60c1d6b91ef30627ad7a3241f41cd9ec83be9c2d2
Instruction Fuzzy Hash: 71E19371508301DFD724EF24C881AAAB7E5BF85314F14856DF8899B3A2DB31DD45CBA1

Function 0007920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

BeginPaint.USER32(?,?,?), ref: 00079241
GetWindowRect.USER32(?,?), ref: 000792A5
ScreenToClient.USER32(?,?), ref: 000792C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000792D3
EndPaint.USER32(?,?,?,?,?), ref: 00079321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000B71EA

Part of subcall function 00079339: BeginPath.GDI32(00000000), ref: 00079357

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 432f101dfd7bd03623d40c6a23cf2d0fb0a3ee78fdb91f97c9790bdcdef2683f
Instruction ID: 83df25c9b8c3e6785e119f67babe5dc28c9c247ed5c0a581beb2409dc9d1eb85
Opcode Fuzzy Hash: 432f101dfd7bd03623d40c6a23cf2d0fb0a3ee78fdb91f97c9790bdcdef2683f
Instruction Fuzzy Hash: 2E41C130508300AFE721DF28CC85FBA7BF8EF85324F144669F9A9872A2C7359945DB61

Function 000D07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 000D080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 000D0847
EnterCriticalSection.KERNEL32(?), ref: 000D0863
LeaveCriticalSection.KERNEL32(?), ref: 000D08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 000D08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 000D0921

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a5105e794318ace43211691d4fdb6a1c3ea8847e4893c4a6d97bf9ba445dc5dc
Instruction ID: 644daa96e2ae1156e3b7e7cd386ce81d966f4c1324d29e427c0930e5cde3f6e3
Opcode Fuzzy Hash: a5105e794318ace43211691d4fdb6a1c3ea8847e4893c4a6d97bf9ba445dc5dc
Instruction Fuzzy Hash: 7C416D71900209EFEF14EF54DC85AAAB7B8FF04310F1480A5ED049A297DB74DE65DBA4

Function 000F81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000BF3AB,00000000,?,?,00000000,?,000B682C,00000004,00000000,00000000), ref: 000F824C
EnableWindow.USER32(00000000,00000000), ref: 000F8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 000F82D1
ShowWindow.USER32(00000000,00000004), ref: 000F82E5
EnableWindow.USER32(00000000,00000001), ref: 000F830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 000F832F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1ac1a441b360c103f47b7996852e082c243388796d08841d1e439c808137f68a
Instruction ID: aaa1fb4eb869bd0a95b87f5a00059860422ef29d712051fa7312e812e7f40409
Opcode Fuzzy Hash: 1ac1a441b360c103f47b7996852e082c243388796d08841d1e439c808137f68a
Instruction Fuzzy Hash: 3C419434601648EFEB91CF15C999FF87BE0BB0A714F189169E6084FA72CB31A845EF50

Function 000C4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 000C4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 000C4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 000C4CEA
_wcslen.LIBCMT ref: 000C4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 000C4D10
_wcsstr.LIBVCRUNTIME ref: 000C4D1A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: b5736283c8d747a75d2930d8d72ee95d0a9740f4f40175a6230e6feab7b56ac3
Instruction ID: 8798249cb85e544151b24bbb600d4d5a0de5ecebde840efd5f20ddddb15d8600
Opcode Fuzzy Hash: b5736283c8d747a75d2930d8d72ee95d0a9740f4f40175a6230e6feab7b56ac3
Instruction Fuzzy Hash: 6A21D7326042057BFB656B299D5AF7F7BE8EF45750F10802DF80ACA1A2EA75DC40D7A0

Function 000D581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00063AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00063A97,?,?,00062E7F,?,?,?,00000000), ref: 00063AC2

_wcslen.LIBCMT ref: 000D587B
CoInitialize.OLE32(00000000), ref: 000D5995
CoCreateInstance.OLE32(000FFCF8,00000000,00000001,000FFB68,?), ref: 000D59AE
CoUninitialize.OLE32 ref: 000D59CC

Strings

.lnk, xrefs: 000D5876, 000D58C1, 000D5985

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: c2f4204565f4eeb5745055de115b2d0001caaf0436245f177e566eb91039f4df
Instruction ID: 2e3b06ec7b11d7863b47ba068ed42a2ff9ee8c885b2adf1450ed0f06f73c7867
Opcode Fuzzy Hash: c2f4204565f4eeb5745055de115b2d0001caaf0436245f177e566eb91039f4df
Instruction Fuzzy Hash: 43D156716047019FC714DF14C890A6ABBE6FF89725F14485EF88A9B362DB31EC45CBA2

Function 000C175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000C0FCA
Part of subcall function 000C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000C0FD6
Part of subcall function 000C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000C0FE5
Part of subcall function 000C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000C0FEC
Part of subcall function 000C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000C1002

GetLengthSid.ADVAPI32(?,00000000,000C1335), ref: 000C17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 000C17BA
HeapAlloc.KERNEL32(00000000), ref: 000C17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 000C17DA
GetProcessHeap.KERNEL32(00000000,00000000,000C1335), ref: 000C17EE
HeapFree.KERNEL32(00000000), ref: 000C17F5

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: baafbc376b06e924db1452a68d9a96336cfb5999dd4cceda98478b4b94d1a269
Instruction ID: b5ae38d6e6f4f8c3afd8ad64146be7cc724692621cac3808f5d08db043a1fae1
Opcode Fuzzy Hash: baafbc376b06e924db1452a68d9a96336cfb5999dd4cceda98478b4b94d1a269
Instruction Fuzzy Hash: 0C118931504209EFEB109BA4CD4AFEE7BB9EF42355F10425CE48197212C739A955DB60

Function 000C14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 000C14FF
OpenProcessToken.ADVAPI32(00000000), ref: 000C1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 000C1515
CloseHandle.KERNEL32(00000004), ref: 000C1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 000C154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 000C1563

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 36fb1d73685fb36fe729cf2690b4e6929d94f91a4814168d1cfc621b1b4c919d
Instruction ID: 35feb0e49dd60c2fe14103654a248e94efa9fff27e8419ad8f93134c8f7d4145
Opcode Fuzzy Hash: 36fb1d73685fb36fe729cf2690b4e6929d94f91a4814168d1cfc621b1b4c919d
Instruction Fuzzy Hash: 3D11297250020DEBEF118F98DE4AFEE7BA9FF49744F044059FA05A2161C3758E65EB60

Function 00083382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00083379,00082FE5), ref: 00083390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0008339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000833B7
SetLastError.KERNEL32(00000000,?,00083379,00082FE5), ref: 00083409

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 005cd533f8fabe4c581fa50850e7e3bb0e158d90fe533683ef55a67c25ee61ca
Instruction ID: 14659d9c549c4f0a3d69735d67a0372a977f08ad3ccd181f7e32d23489a98f5e
Opcode Fuzzy Hash: 005cd533f8fabe4c581fa50850e7e3bb0e158d90fe533683ef55a67c25ee61ca
Instruction Fuzzy Hash: 1F012832608711BEA67437787C859AA2AD4FB85B793204229F650801F2EF114F2253C8

Function 00092D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00095686,000A3CD6,?,00000000,?,00095B6A,?,?,?,?,?,0008E6D1,?,00128A48), ref: 00092D78
_free.LIBCMT ref: 00092DAB
_free.LIBCMT ref: 00092DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0008E6D1,?,00128A48,00000010,00064F4A,?,?,00000000,000A3CD6), ref: 00092DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0008E6D1,?,00128A48,00000010,00064F4A,?,?,00000000,000A3CD6), ref: 00092DEC
_abort.LIBCMT ref: 00092DF2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 37ec343f62c50c9c50d2dc931ec2a00a42676cdd41599fceba0a4f98a2edbdbd
Instruction ID: 4ba3b5aa5a3a47eb37738214dd3418c0fee39a00dbbb6c0685ffedb8d4463a00
Opcode Fuzzy Hash: 37ec343f62c50c9c50d2dc931ec2a00a42676cdd41599fceba0a4f98a2edbdbd
Instruction Fuzzy Hash: EDF0FC3550660077DF627734BC07EAF25D9AFC17E1F250419F824D65D3EF248942B1A0

Function 000F8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00079639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00079693
Part of subcall function 00079639: SelectObject.GDI32(?,00000000), ref: 000796A2
Part of subcall function 00079639: BeginPath.GDI32(?), ref: 000796B9
Part of subcall function 00079639: SelectObject.GDI32(?,00000000), ref: 000796E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 000F8A4E
LineTo.GDI32(?,00000003,00000000), ref: 000F8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 000F8A70
LineTo.GDI32(?,00000000,00000003), ref: 000F8A80
EndPath.GDI32(?), ref: 000F8A90
StrokePath.GDI32(?), ref: 000F8AA0

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 32f85ff252690067cfb5555db3210fca3134f83ce64594a7ed9c7d274cab58f6
Instruction ID: 40f9a276e1362609edaa70d14620239f90ed94a3619c76d338882f6e80830710
Opcode Fuzzy Hash: 32f85ff252690067cfb5555db3210fca3134f83ce64594a7ed9c7d274cab58f6
Instruction Fuzzy Hash: BB110C7600010DFFEB119F90DC49EEA7F6CEB04364F008412BA1995561C7759D55EB60

Function 000C51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 000C5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 000C5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 000C5230
ReleaseDC.USER32(00000000,00000000), ref: 000C5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 000C524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 000C5261

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1b1b9bbd48bdbe8416a8459d36945f7d97ae80b021173b963d677d7959d480e2
Instruction ID: 39ffaf18a10ac5ed0a5b6b71fe475cf4d9a809332e07abbc6f5530a2302bf90b
Opcode Fuzzy Hash: 1b1b9bbd48bdbe8416a8459d36945f7d97ae80b021173b963d677d7959d480e2
Instruction Fuzzy Hash: F5018F75A00709BBFB109BA59D4AF6EBFB8EF48351F044065FA04E7381DA709800DBA0

Function 00061BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00061BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00061BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00061C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00061C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00061C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00061C22

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5e20c7401225125bb387f498752579b388b26052aa2e7b2eee37bfe065eb6c8f
Instruction ID: 8f104f5e084e9e6c9446c725c022e5cb24f940c6248c35799ca3f2dd013a1728
Opcode Fuzzy Hash: 5e20c7401225125bb387f498752579b388b26052aa2e7b2eee37bfe065eb6c8f
Instruction Fuzzy Hash: CD016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Function 000CEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 000CEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000CEB46
GetWindowThreadProcessId.USER32(?,?), ref: 000CEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000CEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000CEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000CEB75

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 8f0ad48883e36883e2296161aa0c873d2d98df528e9fb7366094c78bcdebe534
Instruction ID: 805d33b71a28201fc01039b416b29b053231b2b5c2edd0e923140faeb666f58f
Opcode Fuzzy Hash: 8f0ad48883e36883e2296161aa0c873d2d98df528e9fb7366094c78bcdebe534
Instruction Fuzzy Hash: 44F01772240158BBF7215B629D0EEFF3A7CEFCAB15F000158FA01D14919BA85A01E6B5

Function 000B7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000B7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 000B7469
GetWindowDC.USER32(?), ref: 000B7475
GetPixel.GDI32(00000000,?,?), ref: 000B7484
ReleaseDC.USER32(?,00000000), ref: 000B7496
GetSysColor.USER32(00000005), ref: 000B74B0

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 42043ce6a3ed032c7f7b3d0c5afc9bba878e6c8cd93ab035bcd0cfe1b5224cc2
Instruction ID: cd88bcd06e1452c6f6082a7b92aebef163a8752e0d61f870bd74d5d90b903370
Opcode Fuzzy Hash: 42043ce6a3ed032c7f7b3d0c5afc9bba878e6c8cd93ab035bcd0cfe1b5224cc2
Instruction Fuzzy Hash: 1E017831404609EFFB509F64DD0AFFA7BB5FB04322F240060F919A25A0CB351E91EB10

Function 000C1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 000C187F
UnloadUserProfile.USERENV(?,?), ref: 000C188B
CloseHandle.KERNEL32(?), ref: 000C1894
CloseHandle.KERNEL32(?), ref: 000C189C
GetProcessHeap.KERNEL32(00000000,?), ref: 000C18A5
HeapFree.KERNEL32(00000000), ref: 000C18AC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 91e238c5aae3221c766aa6828a0d82374ded7e08607c2d4b86a77ada523bf68e
Instruction ID: 48236e423f3644afa0f75e1ba183dcf8019c305e5cdeefec923cccf75082fffa
Opcode Fuzzy Hash: 91e238c5aae3221c766aa6828a0d82374ded7e08607c2d4b86a77ada523bf68e
Instruction Fuzzy Hash: FBE0C936004509BBF6015BA1EE0DD15BF29FF4A7217108220F22581870CB365430FB50

Function 000CC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000CC6EE
_wcslen.LIBCMT ref: 000CC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000CC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 000CC7CA

Strings

0, xrefs: 000CC6AF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: f8326debe735f2b45962f7f27eb8ff141ec7f13037133362ae47cfbba1ab4011
Instruction ID: 0cea572b29f1053a214ee64884fff4c0daecd50c8d99a7ec71e2631dad59dfb8
Opcode Fuzzy Hash: f8326debe735f2b45962f7f27eb8ff141ec7f13037133362ae47cfbba1ab4011
Instruction Fuzzy Hash: 3751BF716083019BE7A49F28C985FAFB7E4EF49314F040A2DF99AE31A1DB74D944CB52

Function 000EAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 000EAEA3

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

GetProcessId.KERNEL32(00000000), ref: 000EAF38
CloseHandle.KERNEL32(00000000), ref: 000EAF67

Strings

@, xrefs: 000EAE72
<, xrefs: 000EAE6B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: cb31de276242a4238e033623f5a0279f6122cbed475843fb063ff0ee877d0e32
Instruction ID: f043aee953360ee33d40700c19e29a3889b804bcb71eadc38530047e108ca80d
Opcode Fuzzy Hash: cb31de276242a4238e033623f5a0279f6122cbed475843fb063ff0ee877d0e32
Instruction Fuzzy Hash: 1B718C70A00659DFCB14EF95C484A9EBBF1FF09314F0484A9E85AAB392CB74ED45CB91

Function 000C719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 000C7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 000C723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 000C724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 000C72CF

Strings

DllGetClassObject, xrefs: 000C7242

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0ffd9c62ddbd28933ebd18834b3123854daf5fdaea47f4639f453b4a5970701c
Instruction ID: d0c75e254ce1f0174211b0b712bcb176ff97bf0de2a9c4114c620ca519e64436
Opcode Fuzzy Hash: 0ffd9c62ddbd28933ebd18834b3123854daf5fdaea47f4639f453b4a5970701c
Instruction Fuzzy Hash: EE414A71A04204AFEB25CF54C885FAE7BA9EF45310F2480ADBD099F20AD7B5D945DFA0

Function 000F3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000F3E35
IsMenu.USER32(?), ref: 000F3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000F3E92
DrawMenuBar.USER32 ref: 000F3EA5

Strings

0, xrefs: 000F3D89

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: fca4fe8a3157041adf70c8d7dbfd186c6e0535f1e447f4325893ad4455f2c953
Instruction ID: 4f6b9a46b3b20184c2b1145f10de3a5aa3413cf93a78a60fc6ec1aa2114289ae
Opcode Fuzzy Hash: fca4fe8a3157041adf70c8d7dbfd186c6e0535f1e447f4325893ad4455f2c953
Instruction Fuzzy Hash: F1412575A0020DAFDF10DF50D884EEABBF9FF49364F044129EA05A7690D734AE45EB50

Function 000C1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000C1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 000C1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 000C1EA9

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

Strings

ListBox, xrefs: 000C1E25
ComboBox, xrefs: 000C1DF0

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3ea866cc0d5b6110ef92306c1e14e0b15e865239315c0d2e1a19ebc7e4a74000
Instruction ID: 27b5109c52cb920c480d67a82a855eb794eb8961bf68a9f99ef445d68308c2a9
Opcode Fuzzy Hash: 3ea866cc0d5b6110ef92306c1e14e0b15e865239315c0d2e1a19ebc7e4a74000
Instruction Fuzzy Hash: C2210571A00108BEEB14AB64DD86DFFB7BADF46360B10811DF825E75E2DB78490AD620

Function 000F2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000F2F8D
LoadLibraryW.KERNEL32(?), ref: 000F2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000F2FA9
DestroyWindow.USER32(?), ref: 000F2FB1

Strings

SysAnimate32, xrefs: 000F2F68

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 58ef10116bf223dbeb0a52d2101e6dd765013b6be29a22f1b4ba40ada38e4c85
Instruction ID: 3e0fe5d82b4b4c36b5578cdc538e082a43fcd3d14d10a15dfc9335803ae69a0e
Opcode Fuzzy Hash: 58ef10116bf223dbeb0a52d2101e6dd765013b6be29a22f1b4ba40ada38e4c85
Instruction Fuzzy Hash: C521AC7122420DABEB108FA4DC81EBB37B9EB99364F104638FA50D29A0D771DC95A760

Function 00084D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00084D1E,000928E9,?,00084CBE,000928E9,001288B8,0000000C,00084E15,000928E9,00000002), ref: 00084D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00084DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00084D1E,000928E9,?,00084CBE,000928E9,001288B8,0000000C,00084E15,000928E9,00000002,00000000), ref: 00084DC3

Strings

mscoree.dll, xrefs: 00084D86
CorExitProcess, xrefs: 00084D98

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 934ad8e1686e3ca43349f9d75082fb7b3f1c594d17d57ae0b73ecdb26eb4a35f
Instruction ID: 9e47b5e58e6cd39f68945d8a5508d235994fdd060e563dd543c277f5649a8ce1
Opcode Fuzzy Hash: 934ad8e1686e3ca43349f9d75082fb7b3f1c594d17d57ae0b73ecdb26eb4a35f
Instruction Fuzzy Hash: 65F0AF34A0030DBBEB11AF90DC4AFADBBF5FF44751F0000A8F845A2AA0CB785A50DB91

Function 00064E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00064EDD,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00064EAE
FreeLibrary.KERNEL32(00000000,?,?,00064EDD,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00064EA8
kernel32.dll, xrefs: 00064E94

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 238782ac1c34c8a8c8a218a7992ec8aa0ee53789371d74e8edb5877e73267c94
Instruction ID: 2ee2fa6c6f67ff398b4067738c51d733cf9a35589232c7c998a98be0620a82c8
Opcode Fuzzy Hash: 238782ac1c34c8a8c8a218a7992ec8aa0ee53789371d74e8edb5877e73267c94
Instruction Fuzzy Hash: C2E0C236E026365BF2721B25BD2AF7F66A9BF82F62B050115FD04E2A00DB78CD11D4A0

Function 00064E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000A3CDE,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00064E74
FreeLibrary.KERNEL32(00000000,?,?,000A3CDE,?,00131418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00064E87

Strings

kernel32.dll, xrefs: 00064E5B
Wow64RevertWow64FsRedirection, xrefs: 00064E6E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 874b70635e39cc5fc9167de3935ee8f6cbbcb1df730fc18b35f5b77747460000
Instruction ID: 44ea5f4be64e7718d8f499c35dc0ee60c6a94f2dc735f2138f2d73c4527aa816
Opcode Fuzzy Hash: 874b70635e39cc5fc9167de3935ee8f6cbbcb1df730fc18b35f5b77747460000
Instruction Fuzzy Hash: 07D02B395026365BB6321B247C1EDEF2A59BF83F113050111F904E2510CF39CD11D1D0

Function 000EA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 000EA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 000EA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 000EA468
CloseHandle.KERNEL32(?), ref: 000EA63D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 87b729526dbf8fdf31e64eb4e6f8aaf37102d067b42ec8c6321f655277867525
Instruction ID: f85c0511d0f88010d052accd0dc5fef333d5c8c89f0bf7d48a306446ffb231b6
Opcode Fuzzy Hash: 87b729526dbf8fdf31e64eb4e6f8aaf37102d067b42ec8c6321f655277867525
Instruction Fuzzy Hash: 6FA1B0B16047019FE720DF24C886F6AB7E1AF88714F14885DF59A9B292D7B0EC41CB92

Function 0009BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00103700), ref: 0009BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0013121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0009BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00131270,000000FF,?,0000003F,00000000,?), ref: 0009BC36
_free.LIBCMT ref: 0009BB7F

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 0009BD4B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 800684c0b5f63d753b67a9620ebd4b52824d756cfa6f0563633c8465a6318bd4
Instruction ID: 4f2157acf2eb49aae985bcad338219363e5292bed7f2da3bb50c0779d628cb19
Opcode Fuzzy Hash: 800684c0b5f63d753b67a9620ebd4b52824d756cfa6f0563633c8465a6318bd4
Instruction Fuzzy Hash: 7C51DB71904209AFDF20DF65AE819AEB7F8EF41330B10426AE554D71A1EB709E41AB90

Function 000CE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000CCF22,?), ref: 000CDDFD

Part of subcall function 000CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000CCF22,?), ref: 000CDE16

Part of subcall function 000CE199: GetFileAttributesW.KERNEL32(?,000CCF95), ref: 000CE19A

lstrcmpiW.KERNEL32(?,?), ref: 000CE473
MoveFileW.KERNEL32(?,?), ref: 000CE4AC
_wcslen.LIBCMT ref: 000CE5EB
_wcslen.LIBCMT ref: 000CE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 000CE650

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 6463df5d67e9ccd842d43e5fc917ebc7f1aba486f19a2072f7b1895066335c5a
Instruction ID: db746b398a43767bdee610b638cc53808960b001487cb5c09ee92fcc959d80ae
Opcode Fuzzy Hash: 6463df5d67e9ccd842d43e5fc917ebc7f1aba486f19a2072f7b1895066335c5a
Instruction Fuzzy Hash: 695163B24087855BD764EB90DC81EDF73DCAF95340F00492EF689D3192EF74A6888766

Function 000EB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000EB6AE,?,?), ref: 000EC9B5
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000EC9F1
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA68
Part of subcall function 000EC998: _wcslen.LIBCMT ref: 000ECA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000EBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000EBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000EBB63
RegCloseKey.ADVAPI32(?,?), ref: 000EBBA6
RegCloseKey.ADVAPI32(00000000), ref: 000EBBB3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: b9967864fb51eb1397fb2208179c860ea2aa9fdd267633a6d1c213ccb35c98a6
Instruction ID: e8848eba2921f59580530ed136229e3dd713e68f4c1f45fc78bfc5901ab8db97
Opcode Fuzzy Hash: b9967864fb51eb1397fb2208179c860ea2aa9fdd267633a6d1c213ccb35c98a6
Instruction Fuzzy Hash: 91619031208241AFD714DF15C891E6BBBE9FF84308F54856CF4999B2A2DB31ED45CB92

Function 000C8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 000C8BCD
VariantClear.OLEAUT32 ref: 000C8C3E
VariantClear.OLEAUT32 ref: 000C8C9D
VariantClear.OLEAUT32(?), ref: 000C8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 000C8D3B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: f864be5c7007a7805a6aef73f76d005530b644b2c953ee28f9c4d8a7e52e84d2
Instruction ID: 87bd7533c31acb695a7807c706c340d08d54d8888a20fc4a052461a1e9c4c5fa
Opcode Fuzzy Hash: f864be5c7007a7805a6aef73f76d005530b644b2c953ee28f9c4d8a7e52e84d2
Instruction Fuzzy Hash: B25168B5A00219EFDB14CF68D884EAAB7F8FF89310F158569E906DB350E734E911CB94

Function 000D8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 000D8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 000D8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 000D8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 000D8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 000D8C5F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 6b1bdf2b00801b51b22e999603f7159e05925da42eb93389cb26b09036e84d68
Instruction ID: ef25b75195d78f151beeaef4ea1d619cff8baf1f4ce82767f605b1167c9ccf27
Opcode Fuzzy Hash: 6b1bdf2b00801b51b22e999603f7159e05925da42eb93389cb26b09036e84d68
Instruction Fuzzy Hash: 78513C35A00615DFDB04DF64C881EA9BBF5FF48314F088099E849AB362DB35ED51DBA0

Function 000E8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 000E8F40
GetProcAddress.KERNEL32(00000000,?), ref: 000E8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 000E8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 000E9032
FreeLibrary.KERNEL32(00000000), ref: 000E9052

Part of subcall function 0007F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,000D1043,?,7644E610), ref: 0007F6E6
Part of subcall function 0007F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000BFA64,00000000,00000000,?,?,000D1043,?,7644E610,?,000BFA64), ref: 0007F70D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: ffb66b59a5a6ab1b38cd00056b6cfad6b373372d73de56d7b89b548cc7744517
Instruction ID: dc55b9d3446c88bad30379e2329423ae4b59dd2b2eb31cb56459b159848f3034
Opcode Fuzzy Hash: ffb66b59a5a6ab1b38cd00056b6cfad6b373372d73de56d7b89b548cc7744517
Instruction Fuzzy Hash: EC513834600245DFDB15DF59C4949EDBBF1FF49324B4880A9E80AAB762DB31ED85CB90

Function 000F6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 000F6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 000F6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 000F6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,000DAB79,00000000,00000000), ref: 000F6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 000F6CC7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 24eaf6189be4713530a850e0f6d6ba07fc8338766a2a9a197d20135f91853c54
Instruction ID: 75204467ecc839480d087c3586a04291399d514b0adbd21cdae6fd114a47ac82
Opcode Fuzzy Hash: 24eaf6189be4713530a850e0f6d6ba07fc8338766a2a9a197d20135f91853c54
Instruction Fuzzy Hash: DA41B33560410CAFE724DF68CD59FB97BE5EB09350F150228FA95E7AE1C372AD41EA80

Function 00092051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000920C3
_free.LIBCMT ref: 000920E3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9efe39f6c51aa9f303d975e5dee8402e123d793a843a577d4d89cfb54631bc91
Instruction ID: fe39e017c848f9084ae968e49d5a949f3a3fbe6f616e407fc63ab28947f15530
Opcode Fuzzy Hash: 9efe39f6c51aa9f303d975e5dee8402e123d793a843a577d4d89cfb54631bc91
Instruction Fuzzy Hash: EE41D232A00204AFCF24DF78C881AAEB7E5EF89314F154568E615EB392DB31AD11DB81

Function 0007912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00079141
ScreenToClient.USER32(00000000,?), ref: 0007915E
GetAsyncKeyState.USER32(00000001), ref: 00079183
GetAsyncKeyState.USER32(00000002), ref: 0007919D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1f0a9bc03cb0da4b99d506fe956a41652f11d2879700781d4f144f23030c482e
Instruction ID: feef574852cfa1e5a3aff1033961d84e129486c488f7cc060061972d799b8831
Opcode Fuzzy Hash: 1f0a9bc03cb0da4b99d506fe956a41652f11d2879700781d4f144f23030c482e
Instruction Fuzzy Hash: F3418171A0860AFBDF159F68C844BFEB7B4FF45320F208615E429A72D0C7345994DBA1

Function 000D3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 000D38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 000D3922
TranslateMessage.USER32(?), ref: 000D394B
DispatchMessageW.USER32(?), ref: 000D3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000D3966

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 6fa64d02449e4ebee1a913ad749088869fe985a84765785e0ad5b47ba355bac6
Instruction ID: b98fb7afc8b0e4bc01c27537cddf22c543e0eba3503a082d0168474823a08140
Opcode Fuzzy Hash: 6fa64d02449e4ebee1a913ad749088869fe985a84765785e0ad5b47ba355bac6
Instruction Fuzzy Hash: BB31B770904345AEEB75CB34D859FB6B7E8AB05314F04056FE462826E0E7F49AC4DB32

Function 000DCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 000DCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 000DCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,000DC21E,00000000), ref: 000DCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,000DC21E,00000000), ref: 000DCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,000DC21E,00000000), ref: 000DCFF2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: ef670431e7545650a5c1aa73a72e9e150e10f001d70e47cbfc1c38d852cd2d25
Instruction ID: 4c3bf533d62265e863c96906a0948fd10725c5fdd365538d58bebb288c4b1da0
Opcode Fuzzy Hash: ef670431e7545650a5c1aa73a72e9e150e10f001d70e47cbfc1c38d852cd2d25
Instruction Fuzzy Hash: 28313C7150430AAFEB60DFA5C985EAEBBF9EB14350B10443EF506D2251DB34AE40DB60

Function 000C1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000C1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 000C19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 000C19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 000C19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 000C19E2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 23a1d8afc0360bca605baa0567af44996c7a9c0008c331c34e393cc4c66de4f9
Instruction ID: 7fd47965854ec302c9db38826eff9e1f4013db808f25093077636d0bf92249ff
Opcode Fuzzy Hash: 23a1d8afc0360bca605baa0567af44996c7a9c0008c331c34e393cc4c66de4f9
Instruction Fuzzy Hash: E631AD71A00219EFEB10CFA8C999FEE7BB5EB06315F104229F921E72D2C7709954DB90

Function 000F5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 000F5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 000F579D
_wcslen.LIBCMT ref: 000F57AF
_wcslen.LIBCMT ref: 000F57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 000F5816

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: e9ad4783eb99ab16be43dd4a71af50f84fc0d325d3ccd3b530553bf3d6b2b2fd
Instruction ID: d0dc4e5d9b91d793a3b9c280d8cb650538b958bea38fbcb8ea044761ad9bcc1a
Opcode Fuzzy Hash: e9ad4783eb99ab16be43dd4a71af50f84fc0d325d3ccd3b530553bf3d6b2b2fd
Instruction Fuzzy Hash: 8F21A53190861C9AEB209F60DC85AFE77B8FF04325F108216EB19EA581D7709985DF50

Function 000E0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 000E0951
GetForegroundWindow.USER32 ref: 000E0968
GetDC.USER32(00000000), ref: 000E09A4
GetPixel.GDI32(00000000,?,00000003), ref: 000E09B0
ReleaseDC.USER32(00000000,00000003), ref: 000E09E8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 519ce83b1e6dfbb0704571940df71aa2c7193c488fc3ae6b2601db91bca8b21b
Instruction ID: f0e7aeb75401aa6fc5e12e356a396719527e60df4a1a5edabfb69ef325342170
Opcode Fuzzy Hash: 519ce83b1e6dfbb0704571940df71aa2c7193c488fc3ae6b2601db91bca8b21b
Instruction Fuzzy Hash: CB21AE35600204AFE704EF65D989EAEBBE9EF48700F048029F84AE7762DB74AC44DB50

Function 0009CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0009CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0009CDE9

Part of subcall function 00093820: RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0009CE0F
_free.LIBCMT ref: 0009CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0009CE31

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 091b87829de52375c680d2270d1221c5f93731427df85e57933aff75c65837a9
Instruction ID: 511839a533ec7bc4437d97cdb447e2187c670ea75c4ac554ddd38345708bee4f
Opcode Fuzzy Hash: 091b87829de52375c680d2270d1221c5f93731427df85e57933aff75c65837a9
Instruction Fuzzy Hash: 17018472E022157F3B2156B66C89D7F69ADEFC6BA13150129F906C7201EA658E01F2B0

Function 00079639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00079693
SelectObject.GDI32(?,00000000), ref: 000796A2
BeginPath.GDI32(?), ref: 000796B9
SelectObject.GDI32(?,00000000), ref: 000796E2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 61cf6278b26abed11e9d7e757e64f8da70f50de988fc6ae921cf16046ab39db7
Instruction ID: 8d5b8adcc286f682fe8a60a825ebc4fb253904285cf28db18e31a68a00dc13eb
Opcode Fuzzy Hash: 61cf6278b26abed11e9d7e757e64f8da70f50de988fc6ae921cf16046ab39db7
Instruction Fuzzy Hash: 6F218E30802305FBEB119F64ED09BA93BA8BB41729F108316F418A65B0D37898D1DB98

Function 000C5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 000C5726
_memcmp.LIBVCRUNTIME ref: 000C5744
_memcmp.LIBVCRUNTIME ref: 000C5757
_memcmp.LIBVCRUNTIME ref: 000C576F
_memcmp.LIBVCRUNTIME ref: 000C5787

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6b4fca711fdf681272961847fd57684c0c968539dd2443877694875708c16fbc
Instruction ID: 45dbf19870d6ce76ba156eb3d6d1636b72ea5e8f3fc83dda14fdc4c1616bd153
Opcode Fuzzy Hash: 6b4fca711fdf681272961847fd57684c0c968539dd2443877694875708c16fbc
Instruction Fuzzy Hash: 1F01D679245609BA92186310AE42FFE639CAF21396B000128FE049E642F7A0FE9192E4

Function 00092DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0008F2DE,00093863,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6), ref: 00092DFD
_free.LIBCMT ref: 00092E32
_free.LIBCMT ref: 00092E59
SetLastError.KERNEL32(00000000,00061129), ref: 00092E66
SetLastError.KERNEL32(00000000,00061129), ref: 00092E6F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 91b2f451dc342fa8cfef8d761ca7e7e84dd05521efa86a2ce79b51e6f3b59974
Instruction ID: d86151477328ff50d0fe07a9f08205c9b0b207cc3708a418a2e30f601edb60d7
Opcode Fuzzy Hash: 91b2f451dc342fa8cfef8d761ca7e7e84dd05521efa86a2ce79b51e6f3b59974
Instruction Fuzzy Hash: B001F4726056007BDE22A7746CC6DAF26DDAFD13A5B210028F425A2193EB748C1171A0

Function 000C000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?,?,000C035E), ref: 000C002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?), ref: 000C0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000BFF41,80070057,?,?), ref: 000C0070

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 31091adfc7eef354fc29aac864c09c603941f99fa8ec5e4e5a09e32f26876533
Instruction ID: 84e73e8ca390c0f34e8db6717245d39e7d19d973aa540bbcb49cf12e078cc27a
Opcode Fuzzy Hash: 31091adfc7eef354fc29aac864c09c603941f99fa8ec5e4e5a09e32f26876533
Instruction Fuzzy Hash: 39018F72600209FFEB108F68DD05FAE7AEDEB44791F254128F905D2210DB75DD40DBA0

Function 000CE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 000CE997
QueryPerformanceFrequency.KERNEL32(?), ref: 000CE9A5
Sleep.KERNEL32(00000000), ref: 000CE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 000CE9B7
Sleep.KERNEL32 ref: 000CE9F3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 85fe0a9ce241a292450c60d4b2de37ec769d9bb1281d5710309085e1d03e7d43
Instruction ID: 2463747da8bb6e574e50f705b2cdc9a8fe8dcb6d396885c45f4ffdd93ae20b4a
Opcode Fuzzy Hash: 85fe0a9ce241a292450c60d4b2de37ec769d9bb1281d5710309085e1d03e7d43
Instruction Fuzzy Hash: 27015731C0162DDBEF40ABE4D94AEEDBB78FF0A300F00055AE502B2241CB349651DBA2

Function 000C10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 000C1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,000C0B9B,?,?,?), ref: 000C1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 000C114D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 6121a1fffbdf77d0590efe048c4f71509962838cbf2da7831e718d0e25b5710b
Instruction ID: aa35800ad083e6207bc79c8af8c45fa8cd8fd3193b208572b62a10e6a3f0e3b5
Opcode Fuzzy Hash: 6121a1fffbdf77d0590efe048c4f71509962838cbf2da7831e718d0e25b5710b
Instruction Fuzzy Hash: 84016D75100309BFEB115FA4DD4AEAA3BAEEF863A0B140418FA41C3350DB35DC10DA60

Function 000C0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 000C0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 000C0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 000C0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 000C0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 000C1002

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5661f7c83188bc91dc95267b97cd9349c5cac91fc216c08efbfb21c5ac3d598e
Instruction ID: 4e72c7d0beb23dca39bd9035364b78754be3a9f91ff074e6c169c59a2863909a
Opcode Fuzzy Hash: 5661f7c83188bc91dc95267b97cd9349c5cac91fc216c08efbfb21c5ac3d598e
Instruction Fuzzy Hash: 15F04935200309ABEB214FA49D4AFAA3BADFF8A762F214419FA45C6251CA74DC50DA60

Function 000C1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000C102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000C1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000C104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C1062

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 857153678a8ac0a30b7618ec25f64d858fe69aef7e761854fe9b51c8729d242e
Instruction ID: 093f61264de7c0eb0637194bade5f9d27d1ded156b2f5d3259d1b49a5407dd1b
Opcode Fuzzy Hash: 857153678a8ac0a30b7618ec25f64d858fe69aef7e761854fe9b51c8729d242e
Instruction Fuzzy Hash: 52F06235140305EBF7215FA4ED4AFAA3BADFF8A761F210414FD45C7251CA74D960DA60

Function 000D030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D0324
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D0331
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D033E
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D034B
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D0358
CloseHandle.KERNEL32(?,?,?,?,000D017D,?,000D32FC,?,00000001,000A2592,?), ref: 000D0365

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ade67622b3234578ea7d8613d90b01f069a5fdad806786dcae591d013fd6ad5d
Instruction ID: 900250d5d2f85e2e01edb008c1918e4703d3d0af2d15f15f2a92108b663aef85
Opcode Fuzzy Hash: ade67622b3234578ea7d8613d90b01f069a5fdad806786dcae591d013fd6ad5d
Instruction Fuzzy Hash: 4C01AE72800B559FCB30AF66D880916FBF9BF603153158A3FD19A52A31C3B1AA58DF90

Function 0009D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0009D752

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 0009D764
_free.LIBCMT ref: 0009D776
_free.LIBCMT ref: 0009D788
_free.LIBCMT ref: 0009D79A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 46042543aa516d494921943f067adabd971fd4850f3f138f798e4f2d4e310f13
Instruction ID: 94ad35b39aafd01115aad587a9e18ae3b29e3649792bcf16f825b4263aebdbe9
Opcode Fuzzy Hash: 46042543aa516d494921943f067adabd971fd4850f3f138f798e4f2d4e310f13
Instruction Fuzzy Hash: 91F0FF32588205BB8E61EBA4F9C5C5AB7DDBB447107A40806F18CE7902D720FCC0A6E4

Function 000C5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 000C5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 000C5C6F
MessageBeep.USER32(00000000), ref: 000C5C87
KillTimer.USER32(?,0000040A), ref: 000C5CA3
EndDialog.USER32(?,00000001), ref: 000C5CBD

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 20ed89726da3595b0169d2e7d22df616f90b79f35167c14e15eaa06030a46c9b
Instruction ID: 1420a1f9e280d290425dac81ff9fddf5ef1471364e0c37035e7c3fd317ead49f
Opcode Fuzzy Hash: 20ed89726da3595b0169d2e7d22df616f90b79f35167c14e15eaa06030a46c9b
Instruction Fuzzy Hash: 3F011234504B08AFFB215B10DE8FFAA77B8BB04B06F04155DA593A14E1DBF4B988DA90

Function 000922A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000922BE

Part of subcall function 000929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000), ref: 000929DE
Part of subcall function 000929C8: GetLastError.KERNEL32(00000000,?,0009D7D1,00000000,00000000,00000000,00000000,?,0009D7F8,00000000,00000007,00000000,?,0009DBF5,00000000,00000000), ref: 000929F0

_free.LIBCMT ref: 000922D0
_free.LIBCMT ref: 000922E3
_free.LIBCMT ref: 000922F4
_free.LIBCMT ref: 00092305

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9d2b8fa697516ebfae1c6f7b655cd148bfd33789af0ce8face5c5a04988d2d10
Instruction ID: 3ca4e57cca68b9d99c5fec3bda053e494ffb8c03a322dbf0e29967fdecedfdb5
Opcode Fuzzy Hash: 9d2b8fa697516ebfae1c6f7b655cd148bfd33789af0ce8face5c5a04988d2d10
Instruction Fuzzy Hash: 7DF0FE75801520BBCE23EF54BC1188D3BA9F718B61715454AF458D6AB2C73109E2FFE4

Function 000795C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000795D4
StrokeAndFillPath.GDI32(?,?,000B71F7,00000000,?,?,?), ref: 000795F0
SelectObject.GDI32(?,00000000), ref: 00079603
DeleteObject.GDI32 ref: 00079616
StrokePath.GDI32(?), ref: 00079631

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9557d7dd01bc28d63baae26919ed5f5602b12170498efa32b271195f4610170f
Instruction ID: 2a6432bb6e167ca0b28b7b5e9676662d75d2dd7b7f5710c5d8ac9e2f791fb058
Opcode Fuzzy Hash: 9557d7dd01bc28d63baae26919ed5f5602b12170498efa32b271195f4610170f
Instruction Fuzzy Hash: A1F0EC35405608EBEB269F65EE1DB743BA5BB0133AF048314F469558F0CB3889A5EF24

Function 00090F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000910F9
__freea.LIBCMT ref: 00091117

Part of subcall function 00091537: _free.LIBCMT ref: 0009154F

Strings

am/pm, xrefs: 0009117A
a/p, xrefs: 000911DE

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: b9cb620e7dc1cf44e3d88255e8a36105b957d165fdac74ea4e55d7a4487f72a4
Instruction ID: e56f6d5cd35125d4dc8eba7da68c116a20d710fdf356a737e5701f9695d9aa08
Opcode Fuzzy Hash: b9cb620e7dc1cf44e3d88255e8a36105b957d165fdac74ea4e55d7a4487f72a4
Instruction Fuzzy Hash: B3D10071B00207DADF689F68C845BFEB7F1EF05300F288159E9119BA91D3B59E81EB91

Function 000E7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00080242: EnterCriticalSection.KERNEL32(0013070C,00131884,?,?,0007198B,00132518,?,?,?,000612F9,00000000), ref: 0008024D
Part of subcall function 00080242: LeaveCriticalSection.KERNEL32(0013070C,?,0007198B,00132518,?,?,?,000612F9,00000000), ref: 0008028A

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000800A3: __onexit.LIBCMT ref: 000800A9

__Init_thread_footer.LIBCMT ref: 000E7BFB

Part of subcall function 000801F8: EnterCriticalSection.KERNEL32(0013070C,?,?,00078747,00132514), ref: 00080202
Part of subcall function 000801F8: LeaveCriticalSection.KERNEL32(0013070C,?,00078747,00132514), ref: 00080235

Strings

G, xrefs: 000E7C7F
5, xrefs: 000E7C78
Variable must be of type 'Object'., xrefs: 000E7C3A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: eb9f53f5646a8d7751827ede39b1b0c03a493ee0c9d629b9ce87342c5dc61a0a
Instruction ID: 64ebdbe24c04d0c49773aed992a4e51bdbcaecd45aaeded431fa74337f38fd4a
Opcode Fuzzy Hash: eb9f53f5646a8d7751827ede39b1b0c03a493ee0c9d629b9ce87342c5dc61a0a
Instruction Fuzzy Hash: 92919A70A08249EFCB14EF95D981DFDB7B6BF49300F108059F80AAB292DB71AE41CB51

Function 000C2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000C21D0,?,?,00000034,00000800,?,00000034), ref: 000CB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 000C2760

Part of subcall function 000CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,000C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 000CB3F8

Part of subcall function 000CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 000CB355
Part of subcall function 000CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,000C2194,00000034,?,?,00001004,00000000,00000000), ref: 000CB365
Part of subcall function 000CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,000C2194,00000034,?,?,00001004,00000000,00000000), ref: 000CB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000C27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 000C281A

Strings

@, xrefs: 000C2832

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8aecb8cdf92b2d89cef71744fd9c298a0006f865f1d3f976d2d1c49feb35d43f
Instruction ID: 0900e7d668503ef3940ea13a826a30eddc527b1923666de02d8eaf333438ece2
Opcode Fuzzy Hash: 8aecb8cdf92b2d89cef71744fd9c298a0006f865f1d3f976d2d1c49feb35d43f
Instruction Fuzzy Hash: D6411B72900218AFDB10DBA4CD86FEEBBB8EF09700F104199FA55B7181DB706E45DBA1

Function 0009172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LisectAVT_2403002A_257.exe,00000104), ref: 00091769
_free.LIBCMT ref: 00091834
_free.LIBCMT ref: 0009183E

Strings

C:\Users\user\Desktop\LisectAVT_2403002A_257.exe, xrefs: 00091760, 00091767, 00091796, 000917CE

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\LisectAVT_2403002A_257.exe
API String ID: 2506810119-952740674
Opcode ID: 272af5487bd2c127d06fdddc2494431296fd46b12b32c43aedcbed6910356e45
Instruction ID: f7e62c1e35265642207a60615509257c6cff95ebf577924dff6e585a5d217f71
Opcode Fuzzy Hash: 272af5487bd2c127d06fdddc2494431296fd46b12b32c43aedcbed6910356e45
Instruction Fuzzy Hash: 14318075B0421ABBDF21DB999885DDFBBFCEB85310B2441A6F80497211DA708E40EBA0

Function 000CC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 000CC306
DeleteMenu.USER32(?,00000007,00000000), ref: 000CC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00131990,00BD46E8), ref: 000CC395

Strings

0, xrefs: 000CC2DF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: f5cb2bce34b44ff75ddb72499334b90ebb4a365a38368244115f5a062c6357eb
Instruction ID: de3b8c87f36e396a18500d539d9d8f651dc47ec6bb0c33a1855ec55bdf370a23
Opcode Fuzzy Hash: f5cb2bce34b44ff75ddb72499334b90ebb4a365a38368244115f5a062c6357eb
Instruction Fuzzy Hash: 244180712043419FE724DF25E845F6EBBE8AF85310F14861DF9A9972D2D730AA04CB52

Function 000F4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,000FCC08,00000000,?,?,?,?), ref: 000F44AA
GetWindowLongW.USER32 ref: 000F44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F44D7

Strings

SysTreeView32, xrefs: 000F447C

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 83b4f2c6742692d038a699f7b0f9cedf058e2f4172bfd102b19799f0740f48fd
Instruction ID: 62acef8b679cebb807b5c40f876f3b1eef389dd9c9d17e8b867b8f6f8fbc622b
Opcode Fuzzy Hash: 83b4f2c6742692d038a699f7b0f9cedf058e2f4172bfd102b19799f0740f48fd
Instruction Fuzzy Hash: 90319C31214609AFEB609E38DC46BEB77A9EB08324F204715FA79A25E1D774EC50AB50

Function 000E304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 000E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,000E3077,?,?), ref: 000E3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 000E307A
_wcslen.LIBCMT ref: 000E309B
htons.WSOCK32(00000000,?,?,00000000), ref: 000E3106

Strings

255.255.255.255, xrefs: 000E3095, 000E309A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d402e778596229aaec150f09a8e623a114714c2295f591fcf805491cc0898b6a
Instruction ID: c93e68f3f23bbfdc8011699c298946b28d0801999c51b3f962ad9db5b329cabe
Opcode Fuzzy Hash: d402e778596229aaec150f09a8e623a114714c2295f591fcf805491cc0898b6a
Instruction Fuzzy Hash: FF3107352002859FDB20CF6AC599EAABBE0EF54314F258099E915AB792CB32DF45C760

Function 000F4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 000F4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 000F4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 000F471A

Strings

msctls_updown32, xrefs: 000F4684

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 80302691af44b1d20dd962113f969c5564952733befcb5c5f2f870cc0f93139e
Instruction ID: 83f3bacb6f7439ca7f787991afbbce90c558be9a372015e68b22b0f8c3494f2b
Opcode Fuzzy Hash: 80302691af44b1d20dd962113f969c5564952733befcb5c5f2f870cc0f93139e
Instruction Fuzzy Hash: 55213EB5604209AFEB11EF64DC81DB737EDEF9A398B050059FA009B652CB71EC51DB60

Function 000C95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000C961D

Strings

#requireadmin, xrefs: 000C95D9
#OnAutoItStartRegister, xrefs: 000C95F3
#notrayicon, xrefs: 000C95B7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 4a657b1b74a0fa9d3a7a23f717a48460183236f73a9f228dcc7a04a083419e65
Instruction ID: 7cde19bf8ce998a6017ec4e5c165fde73b0d787002e0078998b9dd6e84cac5e4
Opcode Fuzzy Hash: 4a657b1b74a0fa9d3a7a23f717a48460183236f73a9f228dcc7a04a083419e65
Instruction Fuzzy Hash: 30212B72204A1166D331BB24DC0AFFF73D8AF95314F54402EFA899B182EBA19D41D395

Function 000F37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000F3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000F3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000F3876

Strings

Listbox, xrefs: 000F380F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0f0278568c04e51ef195f28ef6dae6d0e70bdc918e56f8cdf1976b1a22b7ff50
Instruction ID: 679f137bdc1ac70eacf4e251f4545ef2bda5cacb838bac778030b1536af15d7f
Opcode Fuzzy Hash: 0f0278568c04e51ef195f28ef6dae6d0e70bdc918e56f8cdf1976b1a22b7ff50
Instruction Fuzzy Hash: 8B21B072604218BBEB219F54CC41FBB37AEEF897A0F108124FA009B590CA75DC52D7A0

Function 000D49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 000D4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 000D4A5C
SetErrorMode.KERNEL32(00000000,?,?,000FCC08), ref: 000D4AD0

Strings

%lu, xrefs: 000D4A6F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: dbbda1c45999342f89ba8323cfe52de691bd7e3ee3ed78872bf980246a9c5658
Instruction ID: 8732ee7fd3d9548067f7669b563d8d7c9502e2ca638c23c119eaafbd76cbadd8
Opcode Fuzzy Hash: dbbda1c45999342f89ba8323cfe52de691bd7e3ee3ed78872bf980246a9c5658
Instruction Fuzzy Hash: DE318E74A00208AFDB10DF58C981EAA7BF8EF08318F1480A9E909DB352D775ED45CB61

Function 000F41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000F424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000F4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000F4271

Strings

msctls_trackbar32, xrefs: 000F4226

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 758bc2d5fb0588a59c1aa67de7ae17ceea5f2a0f6c11a3f9698d467ead309048
Instruction ID: e0d465105959eb17129c094f703ce5ba2362d9df5a92fb55d61c78e13ca11247
Opcode Fuzzy Hash: 758bc2d5fb0588a59c1aa67de7ae17ceea5f2a0f6c11a3f9698d467ead309048
Instruction Fuzzy Hash: 1111E031240248BEEF609E28CC06FBB3BACEF85B64F010524FA55E20A0D271D861EB20

Function 000C2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00066B57: _wcslen.LIBCMT ref: 00066B6A

Part of subcall function 000C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000C2DC5
Part of subcall function 000C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C2DD6
Part of subcall function 000C2DA7: GetCurrentThreadId.KERNEL32 ref: 000C2DDD
Part of subcall function 000C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000C2DE4

GetFocus.USER32 ref: 000C2F78

Part of subcall function 000C2DEE: GetParent.USER32(00000000), ref: 000C2DF9

GetClassNameW.USER32(?,?,00000100), ref: 000C2FC3
EnumChildWindows.USER32(?,000C303B), ref: 000C2FEB

Strings

%s%d, xrefs: 000C2FFF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 2b9cc84d0246f46da6ac23a305f0ff5c4f0623dfbf772268d2ba3a52fac136cd
Instruction ID: b2f8b52e5f98dce6574c5310bcab0abb6be63a99be6e99dc947af71e4729ed3d
Opcode Fuzzy Hash: 2b9cc84d0246f46da6ac23a305f0ff5c4f0623dfbf772268d2ba3a52fac136cd
Instruction Fuzzy Hash: 5B11CD71600209ABDF506F608C96FFE37AAAF94304F048079B90A9B293DF7199499B60

Function 000F5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000F58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 000F58EE
DrawMenuBar.USER32(?), ref: 000F58FD

Strings

0, xrefs: 000F588F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 81b4ccafd09c045a67d53433c4e4a68360a48b827ae19810957f580370a116fe
Instruction ID: 9d6b0af7f5daf83b544458d51c35f8e74dbf49ec4a06040fb03ad2619842479b
Opcode Fuzzy Hash: 81b4ccafd09c045a67d53433c4e4a68360a48b827ae19810957f580370a116fe
Instruction Fuzzy Hash: 04018B3150420CEEEB209F21DC45BBEBBB4FF45761F108099EA49D6151DB748A84EF20

Function 000C007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183aa159bfd74454067de64fab475f10bf3b4d06a3145d7d4a01c5c64a31c619
Instruction ID: d4020519ceb9ae81e96405499d23a37b0f3188700ac47d1b6426346a8a377f61
Opcode Fuzzy Hash: 183aa159bfd74454067de64fab475f10bf3b4d06a3145d7d4a01c5c64a31c619
Instruction Fuzzy Hash: A6C11875A0021AEFDB14CFA4C898FAEB7B9FF48704F148598E905AB251D731EE41DB90

Function 000E342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 000E3459
CoUninitialize.OLE32 ref: 000E3463
VariantInit.OLEAUT32(?), ref: 000E346E
VariantClear.OLEAUT32(?), ref: 000E371B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 451bbed09278d90886feec946b324b46a2595f647647a99c4b49ec272fa09df9
Instruction ID: a8d704dae2fdb23a059d6d49bbd485e557b3f2e5942790bfdc02a7df3fbcce1b
Opcode Fuzzy Hash: 451bbed09278d90886feec946b324b46a2595f647647a99c4b49ec272fa09df9
Instruction Fuzzy Hash: 08A14A756047009FD710DF29C585A6ABBE5FF88714F04885DF98AAB362DB70EE01CB91

Function 000C0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000FFC08,?), ref: 000C05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000FFC08,?), ref: 000C0608
CLSIDFromProgID.OLE32(?,?,00000000,000FCC40,000000FF,?,00000000,00000800,00000000,?,000FFC08,?), ref: 000C062D
_memcmp.LIBVCRUNTIME ref: 000C064E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 06091913bb53bfac1d3b60c682561eff0375fc2eb8218d3966a480a832f49eda
Instruction ID: 5d079f508465ed6ade8ccb2eb4c16dbbde831f29887556de2e223bfdc0d6334b
Opcode Fuzzy Hash: 06091913bb53bfac1d3b60c682561eff0375fc2eb8218d3966a480a832f49eda
Instruction Fuzzy Hash: 0781E975A00109EFDB04DF94C988EEEB7B9FF89315F204558E516AB250DB71AE06CF60

Function 000A1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000A14C0

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 3b4896d4348299c287fa1b568695556f615b9e600b76f00ccebdc3e0bc00bcbe
Instruction ID: 0b7c4459f418ee28aa57345a0d3de22513fbbc55936e3530d49f7dc365ee3fcf
Opcode Fuzzy Hash: 3b4896d4348299c287fa1b568695556f615b9e600b76f00ccebdc3e0bc00bcbe
Instruction Fuzzy Hash: 1A412931A00615ABDF217BFD9C46AFE3AE4FF4B370F144225F429D6193E6348941A3A2

Function 000F6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00BDD7F0,?), ref: 000F62E2
ScreenToClient.USER32(?,?), ref: 000F6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 000F6382

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bdd1c7377dcac5262804f328ab06e95debd9375c2036d88c6e5b47982050ec0f
Instruction ID: 353b14168beec3ecb2a116c8c4019c29b766a99226312f33247300f94ae0c0c6
Opcode Fuzzy Hash: bdd1c7377dcac5262804f328ab06e95debd9375c2036d88c6e5b47982050ec0f
Instruction Fuzzy Hash: 2C515A70A00209EFDB50DF68D881ABE7BF6EF45360F108169FA159B691D731EE81EB50

Function 000E1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 000E1AFD
WSAGetLastError.WSOCK32 ref: 000E1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 000E1B8A
WSAGetLastError.WSOCK32 ref: 000E1B94

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d41db9f7e2240a06b1b319f80a0c7e7c022ee77930d8c967ab597349db3ffe30
Instruction ID: 6435c1f43ef6d4c52ce02446a44a143dc68630c8f3cd17e49fb6adfe1702095b
Opcode Fuzzy Hash: d41db9f7e2240a06b1b319f80a0c7e7c022ee77930d8c967ab597349db3ffe30
Instruction Fuzzy Hash: 6941D274600200AFE720AF24C886FAA77E6AB44718F54C498F91A9F7D3D776ED41CB90

Function 0009B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8201f8d9a8b90b842949f516aa020364942e32d64ca92f328afd054840302ce4
Instruction ID: a2d127556653bf1a8474098895bc79cd885ddfb7c30193ee7d201afeca3b5fbc
Opcode Fuzzy Hash: 8201f8d9a8b90b842949f516aa020364942e32d64ca92f328afd054840302ce4
Instruction Fuzzy Hash: 28411675A00704BFDB24AF78DD41BEABBE9EF88720F10452AF151DB292D7719901A780

Function 000D56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 000D5783
GetLastError.KERNEL32(?,00000000), ref: 000D57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 000D57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 000D57FA

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ce17f72a27e9e9c7aa0293491a2702d5cb2cfa49ac247a8c615fc51400ebcf54
Instruction ID: 485e123cc0b2ed146c76d1c978f3e83cf473c52181934cc92feef4b1adfcde1b
Opcode Fuzzy Hash: ce17f72a27e9e9c7aa0293491a2702d5cb2cfa49ac247a8c615fc51400ebcf54
Instruction Fuzzy Hash: AC415D35200A10DFCB10DF15C545A9EBBF2EF89325B188489EC4AAB362CB74FD41DB91

Function 0009D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00086D71,00000000,00000000,000882D9,?,000882D9,?,00000001,00086D71,8BE85006,00000001,000882D9,000882D9), ref: 0009D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0009D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0009D9AB
__freea.LIBCMT ref: 0009D9B4

Part of subcall function 00093820: RtlAllocateHeap.NTDLL(00000000,?,00131444,?,0007FDF5,?,?,0006A976,00000010,00131440,000613FC,?,000613C6,?,00061129), ref: 00093852

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 64c35d06ac2971e9191bdd5549b28e74757b328792ea59387c5db77a0ca96799
Instruction ID: 0590f00c1e12ea2192ac1d467adc1205d85714ed5de678010c029359f292f46c
Opcode Fuzzy Hash: 64c35d06ac2971e9191bdd5549b28e74757b328792ea59387c5db77a0ca96799
Instruction Fuzzy Hash: 2C31BE72A1020AABDF25EFA4DC41EEF7BA5EB41310B05416AFC04D7291EB39CD54EB90

Function 000F52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 000F5352
GetWindowLongW.USER32(?,000000F0), ref: 000F5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 000F5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000F53A8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 78d55f6b28982bd2cb00f89f11533808fbd36e5e40681513dc1b6273b769ddab
Instruction ID: cd421295fbc9c44ddf130db45e402093195e1df272174427127e662ef3da161b
Opcode Fuzzy Hash: 78d55f6b28982bd2cb00f89f11533808fbd36e5e40681513dc1b6273b769ddab
Instruction Fuzzy Hash: 38319034A55A0CEFEB709A1CCC46FF877A6AB05392F584101FB51969E1C7B49B80FB42

Function 000CAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 000CABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 000CAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 000CAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 000CACC6

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b13022a729c997bb1e96cd75694b81c75400c0b96f74c8b093e6cf18a8db1cb4
Instruction ID: 066645209a535889f62084748598e6b8cac56262b303e7acfb6f2c14d60f6389
Opcode Fuzzy Hash: b13022a729c997bb1e96cd75694b81c75400c0b96f74c8b093e6cf18a8db1cb4
Instruction Fuzzy Hash: 2F312630B4461C6FFF34CB688C89FFE7BE5AB8A328F04421EE485921D1C37889859752

Function 000F7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 000F769A
GetWindowRect.USER32(?,?), ref: 000F7710
PtInRect.USER32(?,?,000F8B89), ref: 000F7720
MessageBeep.USER32(00000000), ref: 000F778C

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 683a4535fd8d43a72f70f1cc8447123120188dae4d854ec8963142bc3914d7a4
Instruction ID: 246d6f3ee7008a1ce24cc11b0d53915dd5d0f212ba8fb7cd83fcf200e3bcd439
Opcode Fuzzy Hash: 683a4535fd8d43a72f70f1cc8447123120188dae4d854ec8963142bc3914d7a4
Instruction Fuzzy Hash: E5419E34609318EFDB11EF58C894EB977F5BB48304F1940A8E618DBA61C331E981EB92

Function 000F16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000F16EB

Part of subcall function 000C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 000C3A57
Part of subcall function 000C3A3D: GetCurrentThreadId.KERNEL32 ref: 000C3A5E
Part of subcall function 000C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,000C25B3), ref: 000C3A65

GetCaretPos.USER32(?), ref: 000F16FF
ClientToScreen.USER32(00000000,?), ref: 000F174C
GetForegroundWindow.USER32 ref: 000F1752

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 938e12b8b57b62b066a75720c9023a44b3b94fe28696aab4f5cf33667e7c1094
Instruction ID: 7f14565ac3b46f7a262d5a64f986a6877e3fde34c3e0d0ab5fc1cfa6afb5a472
Opcode Fuzzy Hash: 938e12b8b57b62b066a75720c9023a44b3b94fe28696aab4f5cf33667e7c1094
Instruction Fuzzy Hash: DE315E75D04249EFD704EFA9C981CFEBBF9EF48304B5080AAE419E7612D6319E45CBA0

Function 000CD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000CD501
Process32FirstW.KERNEL32(00000000,?), ref: 000CD50F
Process32NextW.KERNEL32(00000000,?), ref: 000CD52F
CloseHandle.KERNEL32(00000000), ref: 000CD5DC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 12204735b9315f1ba8cab5fdcb02aed531711bc4db6ce5a71c28bcf0ee2d7153
Instruction ID: 2b479dbbb824fcb10c06bb6c4fb000eff18093273e7167a05b647011b8814de2
Opcode Fuzzy Hash: 12204735b9315f1ba8cab5fdcb02aed531711bc4db6ce5a71c28bcf0ee2d7153
Instruction Fuzzy Hash: 963193711083009FE300EF54C881FAFBBE9EF99354F54052DF585971A2EB719944DBA2

Function 000F8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

GetCursorPos.USER32(?), ref: 000F9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000B7711,?,?,?,?,?), ref: 000F9016
GetCursorPos.USER32(?), ref: 000F905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000B7711,?,?,?), ref: 000F9094

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cbf3a224a6599ddc066e82cbc3b3d3e1fbe70b8b8f9329b4006896fa524106ed
Instruction ID: 025636d2d4757b1985e8d82b5ca9b128c9896ea60414f6dde2eb79cb8df20037
Opcode Fuzzy Hash: cbf3a224a6599ddc066e82cbc3b3d3e1fbe70b8b8f9329b4006896fa524106ed
Instruction Fuzzy Hash: 72219C3560001CEFDB258FA4C859FFA3BB9EB89750F004065FA058B6A1CB359990EF60

Function 000CD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,000FCB68), ref: 000CD2FB
GetLastError.KERNEL32 ref: 000CD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 000CD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,000FCB68), ref: 000CD376

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 57ea83552eb0097d15d8c1adad66886a2d834d16f0b1e7e5d6acbae9b0fabea8
Instruction ID: 4d5fa2771a683b708141af27f8b7012050e76eba219dffd4de525676618ab53d
Opcode Fuzzy Hash: 57ea83552eb0097d15d8c1adad66886a2d834d16f0b1e7e5d6acbae9b0fabea8
Instruction Fuzzy Hash: 9F21A3705082059F9310DF24C981DAEB7E8EF55364F504A2EF499C72E2DB30DA45DB93

Function 000C1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 000C102A
Part of subcall function 000C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 000C1036
Part of subcall function 000C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C1045
Part of subcall function 000C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 000C104C
Part of subcall function 000C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 000C1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 000C15BE
_memcmp.LIBVCRUNTIME ref: 000C15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000C1617
HeapFree.KERNEL32(00000000), ref: 000C161E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 438c006a79f550dde6fb18614a25eddf1d79dfe228987a2ef18f8b47bc114d13
Instruction ID: cd7210b67435f9dabe7d77ec36884ae7aaad31ea71b693ecc9512a6b496c1687
Opcode Fuzzy Hash: 438c006a79f550dde6fb18614a25eddf1d79dfe228987a2ef18f8b47bc114d13
Instruction Fuzzy Hash: 41214871E00109EFEB10DFA4CA49FEEB7F8EF46354F184459E441AB242E775AA05DBA0

Function 000F2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 000F280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000F2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 000F2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 000F2840

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: aaeff8fc8144383a1b19f15a514ac8cb74add80fef8839be137d92b7e1656e0b
Instruction ID: b8384e38084ae1b907663cf89819c319ddef5b31a442f8bb247dd2fd894fca7b
Opcode Fuzzy Hash: aaeff8fc8144383a1b19f15a514ac8cb74add80fef8839be137d92b7e1656e0b
Instruction Fuzzy Hash: D8212131209619AFE710EB24C845FBA7B95AF45324F148158F526CBAE2CB75FC82D790

Function 000C78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,000C790A,?,000000FF,?,000C8754,00000000,?,0000001C,?,?), ref: 000C8D8C
Part of subcall function 000C8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 000C8DB2
Part of subcall function 000C8D7D: lstrcmpiW.KERNEL32(00000000,?,000C790A,?,000000FF,?,000C8754,00000000,?,0000001C,?,?), ref: 000C8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,000C8754,00000000,?,0000001C,?,?,00000000), ref: 000C7923
lstrcpyW.KERNEL32(00000000,?), ref: 000C7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,000C8754,00000000,?,0000001C,?,?,00000000), ref: 000C7984

Strings

cdecl, xrefs: 000C797B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 80f7330e7582f577c2c7a67a3005536d521e469edd804ef4ce2af07e41fcf643
Instruction ID: fec5a52a7c5a57df42e43ce74e84fecbbffabf59b4f4d90f069fc2a2141dbcb8
Opcode Fuzzy Hash: 80f7330e7582f577c2c7a67a3005536d521e469edd804ef4ce2af07e41fcf643
Instruction Fuzzy Hash: C311293A200306ABDB155F34D845EBE77E5FF85350B10802EF94AC72A5EF319811DB65

Function 000F7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 000F7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 000F7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000F7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,000DB7AD,00000000), ref: 000F7D6B

Part of subcall function 00079BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00079BB2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 57d2f9660d900bdad7b48b83ef3da8aa911a651a42d4daa0f938d5979db47a0d
Instruction ID: 06a61b352cf693c0ce4f1fb47ec943b2e27d162cacd1355bd6a3291b3d8a3fa1
Opcode Fuzzy Hash: 57d2f9660d900bdad7b48b83ef3da8aa911a651a42d4daa0f938d5979db47a0d
Instruction Fuzzy Hash: D411DF31608619AFDB108F28CC04EBA3BA5AF45360B518328F939CBAF0D7308D51EB80

Function 000F5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 000F56BB
_wcslen.LIBCMT ref: 000F56CD
_wcslen.LIBCMT ref: 000F56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 000F5816

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e2d33541b65c3f2759450a2234b8c8365b8a23db7a9b7e91e1163e9ff5e5c138
Instruction ID: 76efe79dc68e5954a02d73bb10babcc6b27e23311700bebadca88b07ba1df0f5
Opcode Fuzzy Hash: e2d33541b65c3f2759450a2234b8c8365b8a23db7a9b7e91e1163e9ff5e5c138
Instruction Fuzzy Hash: B411B47160460DA6EF20DF618C85AFE77ACAF11766B104026FB55D6481EB709A80DB64

Function 00091D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c477750da540e70473b400932b5817262ebd2984d23d96bc9fc924667cf0b67a
Instruction ID: 2dcabe77b962c1c6e4e53f203913a8ed9ad9a41eb98f1e6cb1e2d80edbeff038
Opcode Fuzzy Hash: c477750da540e70473b400932b5817262ebd2984d23d96bc9fc924667cf0b67a
Instruction Fuzzy Hash: 92014FF230A61B7EFE6116786CC1FA7669DEF423B8B340325F535511D2DB648C40A160

Function 000C1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 000C1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 000C1A8A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fded0def5b43a2ee2dd33a436bde5fdc8d32da947d56e6f9ff457c2388462231
Instruction ID: 728bf0dfe9f87dfaf96dcb747a1f2d2299d4201a9b887d795b13543d8e519e6a
Opcode Fuzzy Hash: fded0def5b43a2ee2dd33a436bde5fdc8d32da947d56e6f9ff457c2388462231
Instruction Fuzzy Hash: F211393AD01219FFEB10DBA4CD85FEDBBB8EB08750F200095EA00B7291D6716E50DB94

Function 000CE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000CE1FD
MessageBoxW.USER32(?,?,?,?), ref: 000CE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 000CE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 000CE24D

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: da73e3d18990fe8d7a1ec4d205c567a57c5c415b5e8888392ae7ec1931af6057
Instruction ID: bd87296eb659e56a1c447a0405cc40da3bd0f4244a145f529f3934819e011b82
Opcode Fuzzy Hash: da73e3d18990fe8d7a1ec4d205c567a57c5c415b5e8888392ae7ec1931af6057
Instruction Fuzzy Hash: 0011D676904258BBE7019FA8EC0AFAE7FADFB45320F044259F924E3691D6B4CD0497A0

Function 0008D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0008CFF9,00000000,00000004,00000000), ref: 0008D218
GetLastError.KERNEL32 ref: 0008D224
__dosmaperr.LIBCMT ref: 0008D22B
ResumeThread.KERNEL32(00000000), ref: 0008D249

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: bac218cf0b60bf5bd99123974dc2bf44842446920c7e8f585d2066d9276c319f
Instruction ID: 79d6b61163c4306a9c6b0e9122f5a1d4cd3d9c3d095f570cc5a057a810839caf
Opcode Fuzzy Hash: bac218cf0b60bf5bd99123974dc2bf44842446920c7e8f585d2066d9276c319f
Instruction Fuzzy Hash: DA01D6364051087BEB217BA5DC09BAE7B69FF91330F10031AF965961E1CF708901D7A0

Function 0006600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0006604C
GetStockObject.GDI32(00000011), ref: 00066060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0006606A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b6c3e828eedff3abd7a326db1c54792256618d61fa38664815726fa127a15e36
Instruction ID: 52108ab8f098a88096858948a3d734fd4afb5a2e61d49e0ed7954db75d8e9538
Opcode Fuzzy Hash: b6c3e828eedff3abd7a326db1c54792256618d61fa38664815726fa127a15e36
Instruction Fuzzy Hash: 05115E72501548BFFF125F949C55EEBBFAAEF09354F040115FA1552110D736AC60EB90

Function 00083B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00083B56

Part of subcall function 00083AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00083AD2
Part of subcall function 00083AA3: ___AdjustPointer.LIBCMT ref: 00083AED

_UnwindNestedFrames.LIBCMT ref: 00083B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00083B7C
CallCatchBlock.LIBVCRUNTIME ref: 00083BA4

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e31055cd89efe256cdb0a6b271610b75454170881dd18c048f0cd846bc2bfd0c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: BA01E972100149BBDF126E95CC46EEB7FA9FF98B54F044014FE8856122D736E961DBA0

Function 00093073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000613C6,00000000,00000000,?,0009301A,000613C6,00000000,00000000,00000000,?,0009328B,00000006,FlsSetValue), ref: 000930A5
GetLastError.KERNEL32(?,0009301A,000613C6,00000000,00000000,00000000,?,0009328B,00000006,FlsSetValue,00102290,FlsSetValue,00000000,00000364,?,00092E46), ref: 000930B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0009301A,000613C6,00000000,00000000,00000000,?,0009328B,00000006,FlsSetValue,00102290,FlsSetValue,00000000), ref: 000930BF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 3745ce1013317c132cc5610d444a90e25c77a651b911427d8b7c7be7fa64d3db
Instruction ID: 9008090a8927137f9d351455df659b0ae34128b53a54c4a870071ab2e2da9ac0
Opcode Fuzzy Hash: 3745ce1013317c132cc5610d444a90e25c77a651b911427d8b7c7be7fa64d3db
Instruction Fuzzy Hash: BC01F732301226ABEF714BB89C55E6B7BD8AF85BA1B110720F915E3580C725DD05DAE0

Function 000C7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 000C747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 000C7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 000C74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 000C74CA

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4010f524b550241eba698d9e775b7a3b53b22dcbb18f7faccb250e346c3fcea2
Instruction ID: 0a3e001ab54ab825b97c3d0664da73be374124208c398059ce09760776f3d4b5
Opcode Fuzzy Hash: 4010f524b550241eba698d9e775b7a3b53b22dcbb18f7faccb250e346c3fcea2
Instruction Fuzzy Hash: 1C118BB1205314ABF7308F54DD09FAABBFCEB00B00F10856DA62AD6591D7B4E904EF60

Function 000CB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000CACD3,?,00008000), ref: 000CB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000CACD3,?,00008000), ref: 000CB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,000CACD3,?,00008000), ref: 000CB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,000CACD3,?,00008000), ref: 000CB126

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 5459fd1f5e0fc1e5567abdf2069c1f7db6daaa7c477cb0e8e3a9342bf74bcbe5
Instruction ID: 80e779e469754a2f17a7c3aaf3a3bbfd9c893eb04449074dbd2e2369b2698791
Opcode Fuzzy Hash: 5459fd1f5e0fc1e5567abdf2069c1f7db6daaa7c477cb0e8e3a9342bf74bcbe5
Instruction Fuzzy Hash: F5112731C0152CEBDF10AFE4E95ABEEBB78BF4A711F504089D941B2181CB349A60DB52

Function 000F7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 000F7E33
ScreenToClient.USER32(?,?), ref: 000F7E4B
ScreenToClient.USER32(?,?), ref: 000F7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000F7E8A

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 5ff0c3d259a1dadb3cd3fabfbe513dce4d49e088f65e3ebc4d8f26e84877ccb3
Instruction ID: 06d8548130eaab2c2adfa220328337298f961cf1bc6ce52f49659471708d69e3
Opcode Fuzzy Hash: 5ff0c3d259a1dadb3cd3fabfbe513dce4d49e088f65e3ebc4d8f26e84877ccb3
Instruction Fuzzy Hash: E81163B9D0420EAFEB41DF98C9859EEBBF5FB08310F104056E915E2610D734AA54DF50

Function 000C2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 000C2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 000C2DD6
GetCurrentThreadId.KERNEL32 ref: 000C2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 000C2DE4

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: e0f9f6811d951c26235ad82775e9de87d6f3ca5e671b5f241462441ee3fd27d6
Instruction ID: 199666a3dfa32ced5b3f319220816c9bbf05514e21bf3617cf72fe6d353f530a
Opcode Fuzzy Hash: e0f9f6811d951c26235ad82775e9de87d6f3ca5e671b5f241462441ee3fd27d6
Instruction Fuzzy Hash: 96E06D711052287AF7201B629D0EFFB3E6CEF53BA1F000019B106D58809AA88840E6B0

Function 000F8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00079639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00079693
Part of subcall function 00079639: SelectObject.GDI32(?,00000000), ref: 000796A2
Part of subcall function 00079639: BeginPath.GDI32(?), ref: 000796B9
Part of subcall function 00079639: SelectObject.GDI32(?,00000000), ref: 000796E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 000F8887
LineTo.GDI32(?,?,?), ref: 000F8894
EndPath.GDI32(?), ref: 000F88A4
StrokePath.GDI32(?), ref: 000F88B2

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f9136e64d1ba1e53d2050ea4e776b1688c9f2d76004d2b2779b2be62ce988591
Instruction ID: 07108abfd8f07f957a29d45999836845b43e50c40dd1754b49a38bc33cdd194d
Opcode Fuzzy Hash: f9136e64d1ba1e53d2050ea4e776b1688c9f2d76004d2b2779b2be62ce988591
Instruction Fuzzy Hash: 83F03A36041259BAFB125F94AD0AFEA3E59AF06324F048100FA11654E2CB795562EBA9

Function 000798B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000798CC
SetTextColor.GDI32(?,?), ref: 000798D6
SetBkMode.GDI32(?,00000001), ref: 000798E9
GetStockObject.GDI32(00000005), ref: 000798F1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: c656cffdb44a4c9adc03ed510ad223b5976dec426b2d2aee1e7eb337e672ddb7
Instruction ID: 0748747fde288b3427b13bd425bebbdd57b12905d3737db65f67d52b8168d03f
Opcode Fuzzy Hash: c656cffdb44a4c9adc03ed510ad223b5976dec426b2d2aee1e7eb337e672ddb7
Instruction Fuzzy Hash: 83E06531244684AAFB215B78AD0AFF83F50FB52336F148219F7F9584E1C3754650EB10

Function 000C162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000C1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,000C11D9), ref: 000C163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,000C11D9), ref: 000C1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,000C11D9), ref: 000C164F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 8a66b6be528d8794dda0c51fddf6244b44ea7e552e6ce8db4f99879c18c6ec42
Instruction ID: cfe8f23fde04deb5a4af6251edcffac331981ede51b649e08835eb9f2a95d9db
Opcode Fuzzy Hash: 8a66b6be528d8794dda0c51fddf6244b44ea7e552e6ce8db4f99879c18c6ec42
Instruction Fuzzy Hash: ACE08632601215EBF7601FB09F0EFAA3BBDEF45791F144808F245C9080DA384445D750

Function 000BD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000BD858
GetDC.USER32(00000000), ref: 000BD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000BD882
ReleaseDC.USER32(?), ref: 000BD8A3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f87c4b4370b6b6fcc4ca9bcff652fc027ccfb3e872ee6c1028c74daa67f85c81
Instruction ID: 54e1e506efc2ffaa7c84a279e26b9fd22f9c90fbdb39b937b82883785ba533ca
Opcode Fuzzy Hash: f87c4b4370b6b6fcc4ca9bcff652fc027ccfb3e872ee6c1028c74daa67f85c81
Instruction Fuzzy Hash: 4EE01AB0804208DFEB519FA0DA09E7DBBB2FB08311F248419E84AE7750CB3C4901EF40

Function 000BD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000BD86C
GetDC.USER32(00000000), ref: 000BD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000BD882
ReleaseDC.USER32(?), ref: 000BD8A3

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9bbcedcd329e225d74b63b145a0f949ba2b88fec4bf9bd69fa95fd7f5cc761b2
Instruction ID: 3ee9698d2d938e046d96e27f0861a3c414458d456e0808765b38b0f9cdf150b5
Opcode Fuzzy Hash: 9bbcedcd329e225d74b63b145a0f949ba2b88fec4bf9bd69fa95fd7f5cc761b2
Instruction Fuzzy Hash: B0E012B0C04208EFEB50AFA0DA09A7DBBB2BB08310B148409E84AE7750CB3C5902EF40

Function 0006BBE0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0006BEB3

Strings

H, xrefs: 0006BC11, 0006BCBC
@, xrefs: 0006BC1B, 0006BCC7

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Init_thread_footer
String ID: @$H
API String ID: 1385522511-3093124099
Opcode ID: d1251799565457ff7b96e2ccfc971768abecdb287a7db5422d76a32b5ba64161
Instruction ID: a04503cf6f9548aa93d42d8c2fe811361f917960ea3bf920eb31eb8aafd77881
Opcode Fuzzy Hash: d1251799565457ff7b96e2ccfc971768abecdb287a7db5422d76a32b5ba64161
Instruction Fuzzy Hash: 6A9119B5A0020ADFCB68DF59C0916AAB7F2FF58314F248169D945EB351E731EAC1CB90

Function 000D4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00067620: _wcslen.LIBCMT ref: 00067625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 000D4ED4

Strings

*, xrefs: 000D4E10
LPT, xrefs: 000D4DFB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 085ea63aafcd2eaf9ccc0bd5cdd1dd4f963a69d6148ae51d1f623df53a38754c
Instruction ID: 4ed4f2414d6f926340514b971545c9471e34864ec354703aa4eae2569286234a
Opcode Fuzzy Hash: 085ea63aafcd2eaf9ccc0bd5cdd1dd4f963a69d6148ae51d1f623df53a38754c
Instruction Fuzzy Hash: 3B916175A003449FDB54DF54C484EAABBF1BF44304F1980AAE80A9F362D775ED85CBA1

Function 0007E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0007E1B1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 1a4bfbc11aa8d59e1682098c56c67faa77e83313311dde4eaea469c42b493f5b
Instruction ID: 9fc77ac493b03877191c90d9b8bde2ae9a11b5aced7ed4f8b61f83636301ab06
Opcode Fuzzy Hash: 1a4bfbc11aa8d59e1682098c56c67faa77e83313311dde4eaea469c42b493f5b
Instruction Fuzzy Hash: 66515535949286EFDB64DF68C0816FE7BE5EF19310F248095EC919B2D2DA349D43CB90

Function 0007F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0007F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0007F2BB

Strings

@, xrefs: 0007F2AF

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 04a2955e948f1e58bfb4218536956870a36dc28f72687359b69138687a1279e3
Instruction ID: 201a8f2ee72d3b233d63f730730478c766d63a727f5238e3234fabacea489db6
Opcode Fuzzy Hash: 04a2955e948f1e58bfb4218536956870a36dc28f72687359b69138687a1279e3
Instruction Fuzzy Hash: 8F517771418745ABE320AF50DC86BABBBF8FF84304F81885CF1D941096EB718569CB67

Function 000E5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 000E57E0
_wcslen.LIBCMT ref: 000E57EC

Strings

CALLARGARRAY, xrefs: 000E57E6, 000E57EB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: f49efb353ebaa98d332ea0403793ca2dc1616828bfd14c08f36eec86fcb18b7f
Instruction ID: 87324b7c01a7eb61b9b67b4003be60de71b96c1304d15c88c6d5bc868fa28255
Opcode Fuzzy Hash: f49efb353ebaa98d332ea0403793ca2dc1616828bfd14c08f36eec86fcb18b7f
Instruction Fuzzy Hash: 9741C031E001099FCB14DFA9C9819FEBBF5EF59315F20412AE505B7252EB349D81CB90

Function 000DD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000DD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000DD13A

Strings

|, xrefs: 000DD10B

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2358d5b8ca593b45d6c9f12db12896ac7d541ac16ac92761b37b1dced29d2cbb
Instruction ID: 33e67c62895ca13aa0b573f7fd369b7dec2cadaa91aec706bd2de43690900894
Opcode Fuzzy Hash: 2358d5b8ca593b45d6c9f12db12896ac7d541ac16ac92761b37b1dced29d2cbb
Instruction Fuzzy Hash: B3313075D00209ABCF15EFA4CC45AEE7FBAFF04300F00011AF815A6262D732AA05DB60

Function 000F356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 000F3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000F365C

Strings

static, xrefs: 000F35BC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 970b04c8e0f5e3002504ebfb991986091eabb8f0f37968e1aff8ad286d8afa92
Instruction ID: 2f2b6937a715905c3ff85d954f117503dc27e73a7b33cbe4f8578eefc381a3cc
Opcode Fuzzy Hash: 970b04c8e0f5e3002504ebfb991986091eabb8f0f37968e1aff8ad286d8afa92
Instruction Fuzzy Hash: 76318F71100608AAEB109F68DC41EFB73A9FF88724F008619FAA5D7291DA35ED81E760

Function 000F4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 000F461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000F4634

Strings

', xrefs: 000F458E

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f001bd73cbf22a0cf70eb6c4691de4f6570f049d9a17cf169148c7e417d57e94
Instruction ID: 928c367476d4968485653368bfd8538fb22c43f7c9c7d5049953991452a34b51
Opcode Fuzzy Hash: f001bd73cbf22a0cf70eb6c4691de4f6570f049d9a17cf169148c7e417d57e94
Instruction Fuzzy Hash: 06311674A00609AFDB14DFA9C980BEA7BB5FF09700F10406AEE04EB752D771A941DF90

Function 000F31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000F327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000F3287

Strings

Combobox, xrefs: 000F3249

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6a7ce64e5950235d6bc3257cf2fa726387781c339a59c0148172775054d6e019
Instruction ID: d428d4889b4b13a395ffd8dae390cb1cead186eea74f00e5ee8c6874a72678b3
Opcode Fuzzy Hash: 6a7ce64e5950235d6bc3257cf2fa726387781c339a59c0148172775054d6e019
Instruction Fuzzy Hash: 5911B27130020C7FFFA59E54DC81EFB37AAEB94364F104125FA1897691D6319D51A760

Function 000F3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0006600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0006604C
Part of subcall function 0006600E: GetStockObject.GDI32(00000011), ref: 00066060
Part of subcall function 0006600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0006606A

GetWindowRect.USER32(00000000,?), ref: 000F377A
GetSysColor.USER32(00000012), ref: 000F3794

Strings

static, xrefs: 000F3757

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 83cb478c9994585473b12ee3b7559dc527dc5a300d077153601bd96da90cb1c1
Instruction ID: c1dfa06a7f1ba0c1b52f10b459be98e2f10057a4547d70bddb670b5787f403dc
Opcode Fuzzy Hash: 83cb478c9994585473b12ee3b7559dc527dc5a300d077153601bd96da90cb1c1
Instruction Fuzzy Hash: AF1117B2610209AFEB10EFA8CC46EFA7BF8FB08314F004914FA55E2250D735E851EB50

Function 000DCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 000DCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 000DCDA6

Strings

<local>, xrefs: 000DCD66

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 12731f44a2321fd7971b5a29a98c89c5a32c666240588c9dc32de052399c70d0
Instruction ID: 429ae612851e2165cb56cc926b456d6059cf88dc599d3ba57896d91b92400862
Opcode Fuzzy Hash: 12731f44a2321fd7971b5a29a98c89c5a32c666240588c9dc32de052399c70d0
Instruction Fuzzy Hash: 7611C6712057367AF7784B668C45EF7BEAEEF127A4F004227B10983280D7749840D6F0

Function 000F3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 000F34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000F34BA

Strings

edit, xrefs: 000F348F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 201ff010e1d4442fa63e05ec665acbf196939186abc040a2f10ee90148d4aba7
Instruction ID: 2ffffff9496e0ad684f559b5b7c6d492b907a99b9f49c148ea2767e777c3ef34
Opcode Fuzzy Hash: 201ff010e1d4442fa63e05ec665acbf196939186abc040a2f10ee90148d4aba7
Instruction Fuzzy Hash: CC116A7110020CAAEB628E64DC45AFB37AAEB05774F504724FA61979E0C775FC91AB60

Function 000C6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

CharUpperBuffW.USER32(?,?,?), ref: 000C6CB6
_wcslen.LIBCMT ref: 000C6CC2

Strings

STOP, xrefs: 000C6CBC, 000C6CC1

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1a42f93ae4a18cea56b0b7aaebb13a022d3524e771618fa5f5c262737d7424c1
Instruction ID: 857d7b209789e51953a950707de9b8397feafd5840364b9a260b36cbf0af6e3d
Opcode Fuzzy Hash: 1a42f93ae4a18cea56b0b7aaebb13a022d3524e771618fa5f5c262737d7424c1
Instruction Fuzzy Hash: DA01C032A005268BCB30AFFDDD81EBF77EAEB61720B50052CE86297195EB33D900C650

Function 000C1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 000C1D4C

Strings

ListBox, xrefs: 000C1D16
ComboBox, xrefs: 000C1CEB

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7956a0ff3489a3174ee9d5c9e4b6a510f75ceaf60f4a4e2c66714c601848cc03
Instruction ID: 5798400ad5a7969e1328015505db5b1a9fbf588539b5543e4de77c980e00cfbe
Opcode Fuzzy Hash: 7956a0ff3489a3174ee9d5c9e4b6a510f75ceaf60f4a4e2c66714c601848cc03
Instruction Fuzzy Hash: AC01D871601218ABCB14EBA4CD51EFE73A9EB57360B14091DF823572C3EA309918D760

Function 000C1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 000C1C46

Strings

ListBox, xrefs: 000C1C10
ComboBox, xrefs: 000C1BE5

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7d207553ccd11ce1ed9226920c91153e6ee91f8a7e97e8514d4c71abc6c2bb61
Instruction ID: 681bae89dfeca2ce6dbe465ab1b9d297e73d872b563c02206ad86f8dbb992f79
Opcode Fuzzy Hash: 7d207553ccd11ce1ed9226920c91153e6ee91f8a7e97e8514d4c71abc6c2bb61
Instruction Fuzzy Hash: 2901A7756811086BDB14EB90CA92FFF77EE9B12340F14001DB41667683EA349E18E7B1

Function 000C1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 000C1CC8

Strings

ListBox, xrefs: 000C1C94
ComboBox, xrefs: 000C1C69

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8f452c1a09694aa727b1fc9e1b9a48e38e0447394ca3528252842c54a145c4c3
Instruction ID: 0d4eca5e398029f7a34ccbbe27d5b1727a447d2901111547bc1afd32e8256f0d
Opcode Fuzzy Hash: 8f452c1a09694aa727b1fc9e1b9a48e38e0447394ca3528252842c54a145c4c3
Instruction Fuzzy Hash: 9701D6716801186BDB14FBA0DB92FFE73ED9B12340F540029B802B3683EA309F18D671

Function 000C1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00069CB3: _wcslen.LIBCMT ref: 00069CBD

Part of subcall function 000C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 000C3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 000C1DD3

Strings

ListBox, xrefs: 000C1DA0
ComboBox, xrefs: 000C1D75

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 61fb6b1e0d78348e00a84c09acd51f74896eeb1a06bbe807ffb24f05d451890a
Instruction ID: 5bf6d0e6e03f2e829f4bcf131f15a1fdfa72a88ef27b7bee6bc2098d20a172ec
Opcode Fuzzy Hash: 61fb6b1e0d78348e00a84c09acd51f74896eeb1a06bbe807ffb24f05d451890a
Instruction Fuzzy Hash: 76F0A471A512186BDB14F7A4DD92FFE77ADAB12350F440919B822A36C3DA7059189260

Function 000E747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 000E7493
_wcslen.LIBCMT ref: 000E74B9

Strings

3, 3, 16, 1, xrefs: 000E7483

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: b565fe26ae41198ac76b42bd713a8837cd6e40fe3c26bea74980d5b07350427b
Instruction ID: 8d0bf6dd5bccb80d0e82d2415c3d47eb8c6c9f6c15127ad1e8bf99a27f99520e
Opcode Fuzzy Hash: b565fe26ae41198ac76b42bd713a8837cd6e40fe3c26bea74980d5b07350427b
Instruction Fuzzy Hash: 4DE02B42205261149271227BACC19BF56C9EFD9750710182BF9CDD22E7EB94CD9193A0

Function 000C0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000C0B23

Strings

AutoIt, xrefs: 000C0B17
Error allocating memory., xrefs: 000C0B1C

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: aef6507383cb5d241f3d20cece0ef9d6d03f3b1f595493243b07aa8ec92c8248
Instruction ID: 3387ab10f000ab94d032b9997dafcb1df8523559312a2fb0ba61ecaa7824145f
Opcode Fuzzy Hash: aef6507383cb5d241f3d20cece0ef9d6d03f3b1f595493243b07aa8ec92c8248
Instruction Fuzzy Hash: EFE0D83128831D3AE21037547D03FD97A858F05B14F10442AF788958C38BE6289096ED

Function 00080D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0007F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00080D71,?,?,?,0006100A), ref: 0007F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0006100A), ref: 00080D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0006100A), ref: 00080D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00080D7F

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ee37cae3e9330cc9562324a33fe05d66f6276ebf3148b1de264cfbfd04d3a039
Instruction ID: 4fb12da085004ee482f0a877fbacfac3341818266ea1e27add52d165f7743027
Opcode Fuzzy Hash: ee37cae3e9330cc9562324a33fe05d66f6276ebf3148b1de264cfbfd04d3a039
Instruction Fuzzy Hash: 1BE06D742003028BE3A0AFB8D5047A27BE4BF00744F04892DE486C6A52DBB9E448DBA1

Function 000BD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000BD220

Strings

%.3d, xrefs: 000BD22B
X64, xrefs: 000BD2A8

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 06cb30541b42a1dbf4ce4230cd5aa37012dfde06a3884fbbe4d377ae44113f7a
Instruction ID: 7dfab4fbe80939475252e42edff810ce0aef6835ba2e9db03a094866812fa09c
Opcode Fuzzy Hash: 06cb30541b42a1dbf4ce4230cd5aa37012dfde06a3884fbbe4d377ae44113f7a
Instruction Fuzzy Hash: BCD01261C09159E9CBA097D0DC459FEF37CFB28301F508463F90A91040F728C908AB61

Function 000F2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 000F233F

Part of subcall function 000CE97B: Sleep.KERNEL32 ref: 000CE9F3

Strings

Shell_TrayWnd, xrefs: 000F2325

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 051c0228c68ddf86af2e2a4e4224fee90c0b0f00690a3b6d58ba4be496c97f2c
Instruction ID: 686102af924ec0d0d91d6723a24e3e4d16135dcd87d190c552f04cf29c61b715
Opcode Fuzzy Hash: 051c0228c68ddf86af2e2a4e4224fee90c0b0f00690a3b6d58ba4be496c97f2c
Instruction Fuzzy Hash: BBD01276394354B7F664B770ED0FFDA7A149B00B10F0049167745EA5D1C9F4A851CA54

Function 000F2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000F236C
PostMessageW.USER32(00000000), ref: 000F2373

Part of subcall function 000CE97B: Sleep.KERNEL32 ref: 000CE9F3

Strings

Shell_TrayWnd, xrefs: 000F2365

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: afd904828f682fed2b99ed1f2f321a0661f3ffcffc7e6b9b491a01fd1311b419
Instruction ID: 20046037576fbb4a2ee798bd458a04cc0b660d101a9f63274855d78deabbfa44
Opcode Fuzzy Hash: afd904828f682fed2b99ed1f2f321a0661f3ffcffc7e6b9b491a01fd1311b419
Instruction Fuzzy Hash: EED022323C03107BF264B330EC0FFCA76149B00B00F0009167301EA0D0C9F4B800CA04

Function 0009BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0009BE93
GetLastError.KERNEL32 ref: 0009BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0009BEFC

Memory Dump Source

Source File: 00000000.00000002.2142184810.0000000000061000.00000020.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.2142170500.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.00000000000FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142234839.0000000000122000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142269440.000000000012C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2142283610.0000000000134000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_LisectAVT_2403002A_257.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6a705b7372f4154614d470628bf4fa2d4363a32d8fb6767160ed453e5d20ed37
Instruction ID: dcb463c177ec8af6f094379d07d4e47f8635bcf012cb16424d89f92b6bee6439
Opcode Fuzzy Hash: 6a705b7372f4154614d470628bf4fa2d4363a32d8fb6767160ed453e5d20ed37
Instruction Fuzzy Hash: 5341D43460420AEFDF319F64EE64ABABBE9EF42330F144169F959971A1DB308D00EB50

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_257.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autC2E3.tmp

C:\Users\user\AppData\Local\Temp\autC332.tmp

C:\Users\user\AppData\Local\Temp\cunili

C:\Users\user\AppData\Local\Temp\thixophobia

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
LisectAVT_2403002A_257.exe

Function 000642DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 000642A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 000A2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00062CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 000A065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0006344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00062B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00063170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00098D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 014F2770 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00062C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 014F24E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170
filememoryCOMMON

Function 000D2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 00063B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre