Edit tour

Windows Analysis Report
LisectAVT_2403002A_101.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_101.exe
Analysis ID:	1482524
MD5:	780bd376a8b748d6ac621b4881ea908a
SHA1:	bafeee797024d02afcad3eac316cae519ad58aa9
SHA256:	5fe1de0adf99f8dff660c75a7e9f2c1d0720f6694f63a7aa406fc16f8bf498d3
Tags:	exe
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to bypass UAC (CMSTPLUA)

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_101.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_101.exe" MD5: 780BD376A8B748D6AC621B4881EA908A)

unnervously.exe (PID: 7272 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_101.exe" MD5: 50614E143F8D18ACB986F7B1677E25F1)

unnervously.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe" MD5: 50614E143F8D18ACB986F7B1677E25F1)

unnervously.exe (PID: 1096 cmdline: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew" MD5: 50614E143F8D18ACB986F7B1677E25F1)

unnervously.exe (PID: 1212 cmdline: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\kcdsoejjvwpvgchse" MD5: 50614E143F8D18ACB986F7B1677E25F1)

unnervously.exe (PID: 3892 cmdline: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\meicpwucjehhjidwwwibd" MD5: 50614E143F8D18ACB986F7B1677E25F1)

wscript.exe (PID: 2036 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

unnervously.exe (PID: 4712 cmdline: "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe" MD5: 50614E143F8D18ACB986F7B1677E25F1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "107.175.229.139:8087:0", "Assigned name": "RemoteHost", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "jhudguiytgu-AAHEXC", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "yes.png", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\aka\yes.png	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
Process Memory Space: unnervously.exe PID: 7272	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: unnervously.exe PID: 7272	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: unnervously.exe PID: 7272	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xa467f:$a1: Remcos restarted by watchdog! 0xa4bd9:$a3: %02i:%02i:%02i:%03i 0xa5008:$a3: %02i:%02i:%02i:%03i
Process Memory Space: unnervously.exe PID: 7432	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: unnervously.exe PID: 7432	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: unnervously.exe PID: 7432	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: unnervously.exe PID: 7432	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x9419b:$a1: Remcos restarted by watchdog! 0xa6cd7:$a1: Remcos restarted by watchdog! 0x946f5:$a3: %02i:%02i:%02i:%03i 0x94b24:$a3: %02i:%02i:%02i:%03i 0xa7231:$a3: %02i:%02i:%02i:%03i 0xa7660:$a3: %02i:%02i:%02i:%03i
Process Memory Space: unnervously.exe PID: 1096	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: unnervously.exe PID: 4712	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: unnervously.exe PID: 4712	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: unnervously.exe PID: 4712	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x4712a:$a1: Remcos restarted by watchdog! 0x9d865:$a1: Remcos restarted by watchdog! 0x47684:$a3: %02i:%02i:%02i:%03i 0x47ab3:$a3: %02i:%02i:%02i:%03i 0x9ddbf:$a3: %02i:%02i:%02i:%03i 0x9e1ee:$a3: %02i:%02i:%02i:%03i
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.unnervously.exe.32c0000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.unnervously.exe.32c0000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.unnervously.exe.32c0000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
10.2.unnervously.exe.32c0000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
10.2.unnervously.exe.32c0000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
10.2.unnervously.exe.400000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.unnervously.exe.400000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.unnervously.exe.400000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
10.2.unnervously.exe.400000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
10.2.unnervously.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
10.2.unnervously.exe.400000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.unnervously.exe.400000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.unnervously.exe.400000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
10.2.unnervously.exe.400000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
10.2.unnervously.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
9.2.unnervously.exe.3560000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.unnervously.exe.3560000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.unnervously.exe.3560000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
9.2.unnervously.exe.3560000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
9.2.unnervously.exe.3560000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
15.2.unnervously.exe.400000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.unnervously.exe.400000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.unnervously.exe.400000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
15.2.unnervously.exe.400000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
15.2.unnervously.exe.400000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
10.2.unnervously.exe.32c0000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.unnervously.exe.32c0000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.unnervously.exe.32c0000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
10.2.unnervously.exe.32c0000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
10.2.unnervously.exe.32c0000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
15.2.unnervously.exe.3ae0000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.unnervously.exe.3ae0000.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.unnervously.exe.3ae0000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
15.2.unnervously.exe.3ae0000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.2.unnervously.exe.3ae0000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
9.2.unnervously.exe.3560000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
9.2.unnervously.exe.3560000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
9.2.unnervously.exe.3560000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
9.2.unnervously.exe.3560000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
9.2.unnervously.exe.3560000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
15.2.unnervously.exe.400000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.unnervously.exe.400000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.unnervously.exe.400000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
15.2.unnervously.exe.400000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
15.2.unnervously.exe.400000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
15.2.unnervously.exe.3ae0000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.unnervously.exe.3ae0000.2.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.unnervously.exe.3ae0000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
15.2.unnervously.exe.3ae0000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
15.2.unnervously.exe.3ae0000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
Click to see the 45 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , ProcessId: 2036, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs" , ProcessId: 2036, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe, ProcessId: 7272, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa - Source IP: 192.168.2.9 - Destination IP: 178.237.33.50

Timestamp:	2024-07-26T00:28:26.008105+0200
SID:	2803304
Source Port:	51054
Destination Port:	80
Protocol:	TCP
Classtype:	Unknown Traffic

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.9

Timestamp:	2024-07-26T00:26:22.600432+0200
SID:	2022930
Source Port:	443
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.9

Timestamp:	2024-07-26T00:26:49.732218+0200
SID:	2022930
Source Port:	443
Destination Port:	51051
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Remcos 3.x Unencrypted Server Response - Source IP: 107.175.229.139 - Destination IP: 192.168.2.9

Timestamp:	2024-07-26T00:28:25.130434+0200
SID:	2032777
Source Port:	8087
Destination Port:	51052
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.9

Timestamp:	2024-07-26T00:26:48.439453+0200
SID:	2022930
Source Port:	443
Destination Port:	51050
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Remcos 3.x Unencrypted Checkin - Source IP: 192.168.2.9 - Destination IP: 107.175.229.139

Timestamp:	2024-07-26T00:28:24.191264+0200
SID:	2032776
Source Port:	51052
Destination Port:	8087
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_101.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Avira: detection malicious, Label: HEUR/AGEN.1319342

Found malware configuration

Source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "107.175.229.139:8087:0", "Assigned name": "RemoteHost", "Connect interval": "5", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "jhudguiytgu-AAHEXC", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "yes.png", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\aka\yes.png, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_101.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		10_2_00433837
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,		11_2_00404423

Source: unnervously.exe, 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_a2b9494a-e

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_004074FD _wcslen,CoGetObject,

10_2_004074FD

Source: LisectAVT_2403002A_101.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0010DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0010DBBE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000DC2A2 FindFirstFileExW,	0_2_000DC2A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_001168EE FindFirstFileW,FindClose,	0_2_001168EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0011698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0011698F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0010D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0010D076
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0010D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0010D3A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00119642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00119642
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0011979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0011979D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00119B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00119B2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00115C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00115C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	9_2_0030DBBE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002DC2A2 FindFirstFileExW,	9_2_002DC2A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_003168EE FindFirstFileW,FindClose,	9_2_003168EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	9_2_0031698F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	9_2_0030D076
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	9_2_0030D3A9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	9_2_00319642
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	9_2_0031979D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	9_2_00319B2B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00315C97 FindFirstFileW,FindNextFileW,FindClose,	9_2_00315C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_00409253
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	10_2_0041C291
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	10_2_0040C34D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_00409665
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0044E879 FindFirstFileExA,	10_2_0044E879
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	10_2_0040880C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040783C FindFirstFileW,FindNextFileW,	10_2_0040783C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_00419AF5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0040BB30
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0040BD37
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	10_2_100010F1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_10006580 FindFirstFileExA,	10_2_10006580
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002DC2A2 FindFirstFileExW,	11_2_002DC2A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_003168EE FindFirstFileW,FindClose,	11_2_003168EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	11_2_0031698F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0030D076
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0030D3A9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00319642
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_0031979D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	11_2_00319B2B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	11_2_0030DBBE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00315C97 FindFirstFileW,FindNextFileW,FindClose,	11_2_00315C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW,	11_2_0040AE51

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

10_2_00407C97

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 107.175.229.139

Source: global traffic

TCP traffic: 192.168.2.9:51052 -> 107.175.229.139:8087

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 107.175.229.139 107.175.229.139
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.229.139

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_0011CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0011CE44

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unnervously.exe, 0000000B.00000003.2775508960.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: unnervously.exe, 0000000B.00000003.2775508960.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: unnervously.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unnervously.exe, 0000000A.00000002.3771535783.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: unnervously.exe, 0000000A.00000002.3771535783.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 183.59.114.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: unnervously.exe, 0000000A.00000003.2748718391.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745450049.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2749423959.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3770114936.00000000010EE000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2746780049.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745236773.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2748522331.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: unnervously.exe, 0000000A.00000002.3770114936.000000000108F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp#0lV
Source: unnervously.exe, 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpL
Source: unnervously.exe, 0000000A.00000003.2745236773.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745450049.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2749423959.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3768379154.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2748522331.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2769382612.000000000153D000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: unnervously.exe, 0000000D.00000002.2769382612.000000000153D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.imvu.coma
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: unnervously.exe, 0000000B.00000002.2777627610.0000000000BEF000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: unnervously.exe, 0000000B.00000003.2763169956.0000000002884000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2762943053.0000000002881000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2775508960.00000000010BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: unnervously.exe, 0000000B.00000003.2763169956.0000000002884000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2762943053.0000000002881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: unnervously.exe, 0000000B.00000003.2763169956.0000000002884000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2762943053.0000000002881000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: unnervously.exe, 0000000B.00000003.2775442282.000000000287C000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2775383892.000000000287C000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000B.00000003.2775996310.000000000287C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_i__q
Source: unnervously.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: unnervously.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

10_2_0040A2B8

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_0011EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0011EAFF

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0011ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_0011ED6A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0031ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	9_2_0031ED6A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,	10_2_004168C1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0031ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	11_2_0031ED6A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	11_2_0040987A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	11_2_004098E2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

0_2_0011EAFF

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_0010AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0010AA57

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00139576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00139576
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00339576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	9_2_00339576
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00339576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	11_2_00339576

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\aka\yes.png, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_0041C9E2 SystemParametersInfoW,

10_2_0041C9E2

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: LisectAVT_2403002A_101.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LisectAVT_2403002A_101.exe, 00000000.00000003.2659342224.0000000003881000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9f91cf56-a
Source: LisectAVT_2403002A_101.exe, 00000000.00000003.2659342224.0000000003881000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_69d6448c-7
Source: LisectAVT_2403002A_101.exe, 00000000.00000000.1306003099.0000000000162000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f44c028a-e
Source: LisectAVT_2403002A_101.exe, 00000000.00000000.1306003099.0000000000162000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b0b96847-0
Source: unnervously.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: unnervously.exe, 00000009.00000000.2671586663.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_da948699-6
Source: unnervously.exe, 00000009.00000000.2671586663.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_963b5010-5
Source: unnervously.exe, 0000000A.00000002.3766241558.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_59a8609a-a
Source: unnervously.exe, 0000000A.00000002.3766241558.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f8b3c3a4-4
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: This is a third-party compiled AutoIt script.	11_2_002A2A32
Source: unnervously.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: unnervously.exe, 0000000B.00000002.2776632635.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_906caa72-9
Source: unnervously.exe, 0000000B.00000002.2776632635.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_baa75ad0-b
Source: unnervously.exe, 0000000C.00000000.2761199777.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_df6847e8-1
Source: unnervously.exe, 0000000C.00000000.2761199777.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a41e0f83-5
Source: unnervously.exe, 0000000D.00000000.2766871036.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4af46346-f
Source: unnervously.exe, 0000000D.00000000.2766871036.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bbea4a01-2
Source: unnervously.exe, 0000000F.00000002.2848724306.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9809d32c-7
Source: unnervously.exe, 0000000F.00000002.2848724306.0000000000362000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_aeeb6e9e-b
Source: LisectAVT_2403002A_101.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dab532ca-1
Source: LisectAVT_2403002A_101.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_44ff335c-5
Source: unnervously.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0c5a28cd-d
Source: unnervously.exe.0.dr	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cc3ba537-c

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	10_2_004180EF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,	10_2_004132D2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0041D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA,	10_2_0041D58F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,	10_2_0041BB09
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle,	10_2_0041BB35
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	11_2_0040DD85
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00401806 NtdllDefWindowProc_W,	11_2_00401806
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_004018C0 NtdllDefWindowProc_W,	11_2_004018C0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_0010D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0010D5EB

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_00101201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00101201

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0010E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_0010E8F6
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0030E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	9_2_0030E8F6
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	10_2_004167B4
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0030E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	11_2_0030E8F6

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00112046	0_2_00112046
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000A8060	0_2_000A8060
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00108298	0_2_00108298
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000DE4FF	0_2_000DE4FF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000D676B	0_2_000D676B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00134873	0_2_00134873
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000CCAA0	0_2_000CCAA0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000ACAF0	0_2_000ACAF0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000BCC39	0_2_000BCC39
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000D6DD9	0_2_000D6DD9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000BB119	0_2_000BB119
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000A91C0	0_2_000A91C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C1394	0_2_000C1394
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C1706	0_2_000C1706
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C781B	0_2_000C781B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000A7920	0_2_000A7920
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000B997D	0_2_000B997D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C19B0	0_2_000C19B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C7A4A	0_2_000C7A4A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C1C77	0_2_000C1C77
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C7CA7	0_2_000C7CA7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0012BE44	0_2_0012BE44
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000D9EEE	0_2_000D9EEE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C1F32	0_2_000C1F32
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00E437A0	0_2_00E437A0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002A8060	9_2_002A8060
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00312046	9_2_00312046
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00308298	9_2_00308298
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002DE4FF	9_2_002DE4FF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002D676B	9_2_002D676B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00334873	9_2_00334873
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002CCAA0	9_2_002CCAA0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002ACAF0	9_2_002ACAF0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002BCC39	9_2_002BCC39
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002D6DD9	9_2_002D6DD9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002BD064	9_2_002BD064
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002BB119	9_2_002BB119
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002A91C0	9_2_002A91C0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C1394	9_2_002C1394
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C1706	9_2_002C1706
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C781B	9_2_002C781B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002A7920	9_2_002A7920
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002B997D	9_2_002B997D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C19B0	9_2_002C19B0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C7A4A	9_2_002C7A4A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C1C77	9_2_002C1C77
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C7CA7	9_2_002C7CA7
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0032BE44	9_2_0032BE44
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002D9EEE	9_2_002D9EEE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C1F32	9_2_002C1F32
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002ABF40	9_2_002ABF40
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_030337A0	9_2_030337A0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0043E0CC	10_2_0043E0CC
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0041F0FA	10_2_0041F0FA
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00454159	10_2_00454159
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00438168	10_2_00438168
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004461F0	10_2_004461F0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0043E2FB	10_2_0043E2FB
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0045332B	10_2_0045332B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0042739D	10_2_0042739D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004374E6	10_2_004374E6
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0043E558	10_2_0043E558
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00438770	10_2_00438770
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004378FE	10_2_004378FE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00433946	10_2_00433946
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0044D9C9	10_2_0044D9C9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00427A46	10_2_00427A46
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0041DB62	10_2_0041DB62
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00427BAF	10_2_00427BAF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00437D33	10_2_00437D33
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00435E5E	10_2_00435E5E
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00426E0E	10_2_00426E0E
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0043DE9D	10_2_0043DE9D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00413FCA	10_2_00413FCA
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00436FEA	10_2_00436FEA
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_10017194	10_2_10017194
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_1000B5C1	10_2_1000B5C1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00EF37A0	10_2_00EF37A0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002A8060	11_2_002A8060
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00312046	11_2_00312046
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00308298	11_2_00308298
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002DE4FF	11_2_002DE4FF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002D676B	11_2_002D676B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00334873	11_2_00334873
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002CCAA0	11_2_002CCAA0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002ACAF0	11_2_002ACAF0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002BCC39	11_2_002BCC39
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002D6DD9	11_2_002D6DD9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002BAFAC	11_2_002BAFAC
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002BD064	11_2_002BD064
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002A91C0	11_2_002A91C0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C1394	11_2_002C1394
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C1706	11_2_002C1706
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C781B	11_2_002C781B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002A7920	11_2_002A7920
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002B997D	11_2_002B997D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C19B0	11_2_002C19B0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C7A4A	11_2_002C7A4A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C1C77	11_2_002C1C77
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C7CA7	11_2_002C7CA7
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0032BE44	11_2_0032BE44
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002D9EEE	11_2_002D9EEE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C1F32	11_2_002C1F32
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002ABF40	11_2_002ABF40
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0043610D	11_2_0043610D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044A490	11_2_0044A490
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0043C560	11_2_0043C560
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044081D	11_2_0044081D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00414957	11_2_00414957
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044AA80	11_2_0044AA80
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00412AA9	11_2_00412AA9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00404B74	11_2_00404B74
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00404B03	11_2_00404B03
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00404BE5	11_2_00404BE5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00404C76	11_2_00404C76
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00416D72	11_2_00416D72
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00446D30	11_2_00446D30
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00446D8B	11_2_00446D8B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00406E8F	11_2_00406E8F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044B040	11_2_0044B040
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00447310	11_2_00447310
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0040755A	11_2_0040755A
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044B610	11_2_0044B610
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044D6C0	11_2_0044D6C0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_004476F0	11_2_004476F0
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044B870	11_2_0044B870
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_004079EE	11_2_004079EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00407AEB	11_2_00407AEB
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044BBD8	11_2_0044BBD8
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00415CFE	11_2_00415CFE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: String function: 000A9CB3 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: String function: 000BF9F2 appears 40 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: String function: 000C4963 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: String function: 000C0A30 appears 46 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002E1F50 appears 53 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002A988F appears 33 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002A600E appears 34 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002C0A30 appears 92 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002C4963 appears 64 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002D2FA6 appears 48 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002BF9F2 appears 81 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 00401E65 appears 34 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002C4A28 appears 42 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002C8E0B appears 36 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 002A9CB3 appears 62 times
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: String function: 00416760 appears 69 times

Source: LisectAVT_2403002A_101.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@14/16@3/2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_001137B5 GetLastError,FormatMessageW,

0_2_001137B5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_001010BF AdjustTokenPrivileges,CloseHandle,	0_2_001010BF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_001016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_001016C3
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_003010BF AdjustTokenPrivileges,CloseHandle,	9_2_003010BF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_003016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	9_2_003016C3
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	10_2_00417952
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_003010BF AdjustTokenPrivileges,CloseHandle,	11_2_003010BF
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_003016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	11_2_003016C3

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_001151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001151CD

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_0012A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0012A67C

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_0011648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0011648E

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_000A42A2

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

10_2_0041AA4A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

File created: C:\Users\user\AppData\Local\Wausaukee

Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Mutant created: \Sessions\1\BaseNamedObjects\jhudguiytgu-AAHEXC

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

File created: C:\Users\user\AppData\Local\Temp\autB22F.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs"

Source: LisectAVT_2403002A_101.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp, unnervously.exe, 0000000C.00000002.2762474357.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: unnervously.exe, 0000000A.00000002.3771535783.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: unnervously.exe, 0000000B.00000002.2778318069.0000000002E60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unnervously.exe, unnervously.exe, 0000000B.00000002.2776874861.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe "C:\Users\user\Desktop\LisectAVT_2403002A_101.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\Desktop\LisectAVT_2403002A_101.exe"
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew"
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\kcdsoejjvwpvgchse"
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\meicpwucjehhjidwwwibd"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\Desktop\LisectAVT_2403002A_101.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\kcdsoejjvwpvgchse"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\meicpwucjehhjidwwwibd"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: LisectAVT_2403002A_101.exe

Static file information: File size 1400329 > 1048576

Source: LisectAVT_2403002A_101.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002A_101.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002A_101.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002A_101.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002A_101.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002A_101.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LisectAVT_2403002A_101.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: LisectAVT_2403002A_101.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002A_101.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002A_101.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002A_101.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002A_101.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000A42DE

Source: LisectAVT_2403002A_101.exe

Static PE information: real checksum: 0x15d197 should be: 0x15d1a0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C0A76 push ecx; ret	0_2_000C0A89
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C0A76 push ecx; ret	9_2_002C0A89
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00457106 push ecx; ret	10_2_00457119
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0045B11A push esp; ret	10_2_0045B141
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0045E54D push esi; ret	10_2_0045E556
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00457A28 push eax; ret	10_2_00457A46
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00434E56 push ecx; ret	10_2_00434E69
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_10002806 push ecx; ret	10_2_10002819
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C0A76 push ecx; ret	11_2_002C0A89
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044693D push ecx; ret	11_2_0044694D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044DB70 push eax; ret	11_2_0044DB84
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0044DB70 push eax; ret	11_2_0044DBAC
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00451D54 push eax; ret	11_2_00451D61

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_00406EB0 ShellExecuteW,URLDownloadToFileW,

10_2_00406EB0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

File created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

10_2_0041AA4A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_000BF98E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00131C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00131C41
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	9_2_002BF98E
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00331C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	9_2_00331C41
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	11_2_002BF98E
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00331C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	11_2_00331C41

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

10_2_0041CB50

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_0040F7A7 Sleep,ExitProcess,

10_2_0040F7A7

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-98183

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

11_2_0040DD85

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

10_2_0041A748

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Window / User API: threadDelayed 3044	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Window / User API: threadDelayed 6452	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Window / User API: foregroundWindowGot 1765	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	API coverage: 5.7 %

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7468	Thread sleep count: 246 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7468	Thread sleep time: -123000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7464	Thread sleep count: 3044 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7464	Thread sleep time: -9132000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7464	Thread sleep count: 6452 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe TID: 7464	Thread sleep time: -19356000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0010DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0010DBBE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000DC2A2 FindFirstFileExW,	0_2_000DC2A2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_001168EE FindFirstFileW,FindClose,	0_2_001168EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0011698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0011698F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0010D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0010D076
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0010D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0010D3A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00119642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00119642
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_0011979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0011979D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00119B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00119B2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00115C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00115C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	9_2_0030DBBE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002DC2A2 FindFirstFileExW,	9_2_002DC2A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_003168EE FindFirstFileW,FindClose,	9_2_003168EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	9_2_0031698F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	9_2_0030D076
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	9_2_0030D3A9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	9_2_00319642
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	9_2_0031979D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	9_2_00319B2B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00315C97 FindFirstFileW,FindNextFileW,FindClose,	9_2_00315C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_00409253
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	10_2_0041C291
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	10_2_0040C34D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_00409665
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0044E879 FindFirstFileExA,	10_2_0044E879
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	10_2_0040880C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040783C FindFirstFileW,FindNextFileW,	10_2_0040783C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_00419AF5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0040BB30
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0040BD37
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	10_2_100010F1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_10006580 FindFirstFileExA,	10_2_10006580
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002DC2A2 FindFirstFileExW,	11_2_002DC2A2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_003168EE FindFirstFileW,FindClose,	11_2_003168EE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0031698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	11_2_0031698F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0030D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0030D076
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0030D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	11_2_0030D3A9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00319642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_00319642
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0031979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	11_2_0031979D
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00319B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	11_2_00319B2B
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0030DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	11_2_0030DBBE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_00315C97 FindFirstFileW,FindNextFileW,FindClose,	11_2_00315C97
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW,	11_2_0040AE51

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

10_2_00407C97

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000A42DE

Source: LisectAVT_2403002A_101.exe, 00000000.00000003.1307363088.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_101.exe, 00000000.00000002.2673495527.0000000003740000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 00000009.00000003.2673216740.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2703523765.00000000010AB000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000F.00000003.2823710378.00000000017B1000.00000004.00000020.00020000.00000000.sdmp, anaboly.0.dr	Binary or memory string: tvroz}k;R:S"$ 1$/96]7X735*90$-H MGBGYMEsO!W:KILSGL[S9P?OJOQEMU]7^0@E@^JBU]0Y7wsujypdm
Source: unnervously.exe, 0000000A.00000003.2745326082.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2777998984.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3769568767.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2746989710.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2746780049.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2748522331.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHT

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_0011EAA2 BlockInput,

0_2_0011EAA2

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000D2622

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

11_2_0040DD85

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000A42DE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C4CE8 mov eax, dword ptr fs:[00000030h]	0_2_000C4CE8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00E43690 mov eax, dword ptr fs:[00000030h]	0_2_00E43690
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00E43630 mov eax, dword ptr fs:[00000030h]	0_2_00E43630
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00E41EFE mov eax, dword ptr fs:[00000030h]	0_2_00E41EFE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00E41F10 mov eax, dword ptr fs:[00000030h]	0_2_00E41F10
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C4CE8 mov eax, dword ptr fs:[00000030h]	9_2_002C4CE8
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_03033630 mov eax, dword ptr fs:[00000030h]	9_2_03033630
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_03033690 mov eax, dword ptr fs:[00000030h]	9_2_03033690
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_03031F10 mov eax, dword ptr fs:[00000030h]	9_2_03031F10
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_03031EFE mov eax, dword ptr fs:[00000030h]	9_2_03031EFE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004432B5 mov eax, dword ptr fs:[00000030h]	10_2_004432B5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_10004AB4 mov eax, dword ptr fs:[00000030h]	10_2_10004AB4
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00EF3690 mov eax, dword ptr fs:[00000030h]	10_2_00EF3690
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00EF3630 mov eax, dword ptr fs:[00000030h]	10_2_00EF3630
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00EF1EFE mov eax, dword ptr fs:[00000030h]	10_2_00EF1EFE
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00EF1F10 mov eax, dword ptr fs:[00000030h]	10_2_00EF1F10
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C4CE8 mov eax, dword ptr fs:[00000030h]	11_2_002C4CE8

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_00100B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00100B62

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000D2622
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000C083F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C09D5 SetUnhandledExceptionFilter,	0_2_000C09D5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_000C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000C0C21
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_002D2622
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_002C083F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C09D5 SetUnhandledExceptionFilter,	9_2_002C09D5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_002C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_002C0C21
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004349F9
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00434B47 SetUnhandledExceptionFilter,	10_2_00434B47
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0043BB22
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00434FDC
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_100060E2
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_10002639
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 10_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_10002B1C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_002D2622
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_002C083F
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C09D5 SetUnhandledExceptionFilter,	11_2_002C09D5
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 11_2_002C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_002C0C21

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: 10_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

10_2_004180EF

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Section loaded: NULL target: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

10_2_004120F7

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

0_2_00101201

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000E2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_000E2BA5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_0010B226 SendInput,keybd_event,

0_2_0010B226

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_001222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_001222DA

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\kcdsoejjvwpvgchse"	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\meicpwucjehhjidwwwibd"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe "C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

0_2_00100B62

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_00101663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00101663

Source: LisectAVT_2403002A_101.exe, unnervously.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3770114936.000000000108F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: unnervously.exe	Binary or memory string: Shell_TrayWnd
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerles\*
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager103
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager9.139:8087
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program ManagerD
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerles\*yQ:W
Source: unnervously.exe, 0000000A.00000002.3768379154.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager103125\QYW
Source: unnervously.exe, 0000000A.00000002.3770114936.000000000108F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\a]^
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000C0698 cpuid

0_2_000C0698

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: EnumSystemLocalesW,	10_2_00452036
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_004520C3
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: GetLocaleInfoW,	10_2_00452313
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: EnumSystemLocalesW,	10_2_00448404
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_0045243C
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: GetLocaleInfoW,	10_2_00452543
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_00452610
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: GetLocaleInfoA,	10_2_0040F8D1
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: GetLocaleInfoW,	10_2_004488ED
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	10_2_00451CD8
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: EnumSystemLocalesW,	10_2_00451F50
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: EnumSystemLocalesW,	10_2_00451F9B

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_00118195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00118195

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000FD27A GetUserNameW,

0_2_000FD27A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000DB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_000DB952

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Code function: 0_2_000A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_000A42DE

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\aka\yes.png, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

10_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		10_2_0040BB30
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: \key3.db		10_2_0040BB30

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 1096, type: MEMORYSTR

Source: unnervously.exe	Binary or memory string: WIN_81
Source: unnervously.exe	Binary or memory string: WIN_XP
Source: unnervously.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: unnervously.exe	Binary or memory string: WIN_XPe
Source: unnervously.exe	Binary or memory string: WIN_VISTA
Source: unnervously.exe	Binary or memory string: WIN_7
Source: unnervously.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.unnervously.exe.32c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.unnervously.exe.3560000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.unnervously.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: unnervously.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\aka\yes.png, type: DROPPED

Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Code function: cmd.exe

10_2_0040569A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00121204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00121204
Source: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe	Code function: 0_2_00121806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00121806
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00321204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	9_2_00321204
Source: C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	Code function: 9_2_00321806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	9_2_00321806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	2 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	1 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	2 Valid Accounts	1 DLL Side-Loading	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Bypass User Account Control	LSA Secrets	38 System Information Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	1 Masquerading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	222 Process Injection	2 Valid Accounts	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	11 Virtualization/Sandbox Evasion	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	222 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_101.exe	100%	Avira	HEUR/AGEN.1319342
LisectAVT_2403002A_101.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Wausaukee\unnervously.exe	100%	Avira	HEUR/AGEN.1319342

Source	Detection	Scanner	Label
http://geoplugin.net/json.gp	0%	URL Reputation	safe
http://www.imvu.comr	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	0%	URL Reputation	safe
http://www.imvu.com	0%	URL Reputation	safe
https://login.yahoo.com/config/login	0%	URL Reputation	safe
http://www.ebuddy.com	0%	URL Reputation	safe
http://geoplugin.net/json.gp#0lV	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpL	0%	Avira URL Cloud	safe
https://www.google.com/accounts/servicelogin	0%	Avira URL Cloud	safe
https://www.google.com	0%	Avira URL Cloud	safe
107.175.229.139	0%	Avira URL Cloud	safe
http://geoplugin.net/	0%	Avira URL Cloud	safe
http://www.nirsoft.net	0%	Avira URL Cloud	safe
http://www.imvu.coma	0%	Avira URL Cloud	safe
http://geoplugin.net/json.gpSystem32	0%	Avira URL Cloud	safe
http://www.nirsoft.net/	0%	Avira URL Cloud	safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
geoplugin.net	178.237.33.50	true	false	unknown
183.59.114.20.in-addr.arpa	unknown	unknown	true	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
107.175.229.139	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.comr	unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/	unnervously.exe, 0000000A.00000003.2748718391.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745450049.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2749423959.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3770114936.00000000010EE000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2746780049.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745236773.0000000000F79000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2748522331.0000000000F79000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp/C	unnervously.exe, 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, unnervously.exe, 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gpL	unnervously.exe, 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.com	unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2769382612.000000000153D000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/accounts/servicelogin	unnervously.exe	false	Avira URL Cloud: safe	unknown
https://login.yahoo.com/config/login	unnervously.exe	false	URL Reputation: safe	unknown
http://geoplugin.net/json.gp#0lV	unnervously.exe, 0000000A.00000002.3768379154.0000000000F28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.coma	unnervously.exe, 0000000D.00000002.2769382612.000000000153D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net	unnervously.exe, 0000000B.00000002.2777627610.0000000000BEF000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gpSystem32	unnervously.exe, 0000000A.00000003.2745236773.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2745450049.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2749423959.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000002.3768379154.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, unnervously.exe, 0000000A.00000003.2748522331.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com	unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ebuddy.com	unnervously.exe, 0000000A.00000002.3771869384.0000000004AB0000.00000040.10000000.00040000.00000000.sdmp, unnervously.exe, 0000000D.00000002.2768944403.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.175.229.139	unknown	United States		36352	AS-COLOCROSSINGUS	true
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482524
Start date and time:	2024-07-26 00:25:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_101.exe
Detection:	MAL
Classification:	mal100.rans.phis.troj.spyw.expl.evad.winEXE@14/16@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 51 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: LisectAVT_2403002A_101.exe

Simulations

Behavior and APIs

Time	Type	Description
18:28:55	API Interceptor	1462323x Sleep call for process: unnervously.exe modified
23:28:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
107.175.229.139	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse
	Lisect_AVT_24003_G1A_24.exe	Get hash	malicious	Bdaejec, Remcos	Browse
	Lisect_AVT_24003_G1A_30.exe	Get hash	malicious	Bdaejec, Remcos	Browse
	fd0987654345.exe	Get hash	malicious	Remcos	Browse
	FDSO0987656789000HK.LKH.exe	Get hash	malicious	Remcos	Browse
	R0O765456009000K.exe	Get hash	malicious	Remcos	Browse
	DS0987656789000J.exe	Get hash	malicious	Remcos	Browse
	cnaniAxghZ.exe	Get hash	malicious	Remcos	Browse
	REM6789098756GHUITR.bat.exe	Get hash	malicious	Remcos	Browse
178.237.33.50	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	IAENMAIL-A4-240717-0830-000090912_PDF.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	CFS-0682-2-08 Order.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp
	remcos.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	ogetback.doc	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	S0042328241130.xls	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Payroll for July.exe	Get hash	malicious	Remcos, DBatLoader	Browse	geoplugin.net/json.gp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	http://telstra-107152.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://outlook-accede-aqui.iceiy.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://verify-metamask.simple-url.com/nkbihfbeogaeaoehlefnkodbefknnfbfzeygds	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://b14d.lnsd.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	http://sdgvgsdgsdjms1.pages.dev/	Get hash	malicious	TechSupportScam	Browse	199.232.214.172
	http://walletdappsync.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://currently7043.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://tgudme.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://my-site-104323.weeblysite.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://airbnb-clone-git-main-khr-gitit.vercel.app/	Get hash	malicious	Unknown	Browse	199.232.214.172
geoplugin.net	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	IAENMAIL-A4-240717-0830-000090912_PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CFS-0682-2-08 Order.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	ogetback.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	S0042328241130.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	Payroll for July.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	LisectAVT_2403002A_111.exe	Get hash	malicious	Trickbot	Browse	108.174.60.238
	042240724.xls	Get hash	malicious	Remcos	Browse	198.46.176.133
	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	107.175.229.139
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	107.175.229.139
	createdgoodthingswtihmewhilealot.gif.vbs	Get hash	malicious	Unknown	Browse	198.46.176.133
	greatbunfeelsoftandhoney.gif.vbs	Get hash	malicious	Unknown	Browse	198.46.176.133
	LisectAVT_2403002B_38.exe	Get hash	malicious	Sality	Browse	107.172.18.180
	PO S0042328241130.xls	Get hash	malicious	Remcos	Browse	198.46.176.133
	ogetback.doc	Get hash	malicious	Remcos	Browse	198.46.176.133
	Order_490104.xls	Get hash	malicious	Unknown	Browse	192.3.176.154
ATOM86-ASATOM86NL	LisectAVT_2403002A_407.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	LisectAVT_2403002A_431.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	IAENMAIL-A4-240717-0830-000090912_PDF.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CDG__ Copia de Pagamento.pdf.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	CFS-0682-2-08 Order.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-24.Pdf.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50
	remcos.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	ogetback.doc	Get hash	malicious	Remcos	Browse	178.237.33.50
	S0042328241130.xls	Get hash	malicious	Remcos	Browse	178.237.33.50
	Payroll for July.exe	Get hash	malicious	Remcos, DBatLoader	Browse	178.237.33.50

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	962
Entropy (8bit):	5.012309356796613
Encrypted:	false
SSDEEP:	12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
MD5:	14B479958E659C5A4480548A393022AC
SHA1:	CD0766C1DAB80656D469ABDB22917BE668622015
SHA-256:	0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
SHA-512:	4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Temp\anaboly

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_101.exe
File Type:	data
Category:	dropped
Size (bytes):	494080
Entropy (8bit):	7.526413102241331
Encrypted:	false
SSDEEP:	12288:z1Q1pZ2BlDf5fe+uHqQXqSemPJZIXOjSZOJ2F4:BQN2BvuHqQXqBWP2kYF4
MD5:	FAF168065F2ADF023A878C1BF7F75198
SHA1:	1F752127BD290DA952251AC3358CBF1A9688C4C5
SHA-256:	340A51F1E25A0CCEAB1094A14275D2631A85F19168F94E138F183BBC9AC4CF38
SHA-512:	3120D5C1FAEAAAA9604B6904405E73F79C797A56B3314263ACAE9C57C28984422BA9B1FF0016DE37B5AAB0D88D7E5A86A8BDF1F9D6408E8B727BF2F2083FC5B3
Malicious:	false
Reputation:	low
Preview:	...Z3Y7GFGYM..Z0.7GBGYME.Z0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Q6GBIF.KR.9...C..l.:3CyG5- +,(r9Q7Y(6g;(e /^y^)b...e?5T<.JOM}MERZ0Y7#..tm..$...9b..3.4~Nj.<.?k;..'.!e9g..,s..If..'..@$...9..2...N..=]..;...&5..9p..,c.Ig..'P..$...8...3..pNx.<...:s..'e.!/y..,Z0Y7GBGY..RZ\|X0G.U:(ERZ0Y7GB.YODY[>Y75GGYYGRZ0Y7..DYMURZ0.2GBG.MEBZ0Y5GBBYLERZ0Y2GCGYMERZ.Q7GFGYMERZ2Y7.BGIMEBZ0Y7WBGIMERZ0Y'GBGYMERZ0Y7.AYIDRZ0.0G".YMERZ0Y7GBGYMERZ0Y7.EG.vER.._7.BGYMERZ0Y7GBGYMERZ0..AB_YME.6YwGBGYMERZ0Y7G.BY.ARZ0Y7GBGYMERZ0Y7GBGYMERZ0Y.3'?-MER/A\7GRGYM7WZ0]7GBGYMERZ0Y7GBgYM%\|(T8C&BG.4DRZ.\7G8FYM3WZ0Y7GBGYMERZ0.7G.i=,13Z0Ys.BGY]BRZ>Y7G.AYMERZ0Y7GBGYM.RZ.wC+1GYME[Z0Y77EGYOERZ._7GBGYMERZ0Y7G.GY.k5<Y=DGBw[MER.7Y7CBGYMBRZ0Y7GBGYMERZpY7.l5?&RZ09.GBG.JER.0Y7CEGYMERZ0Y7GBGY.ER..+R+-$YM.iZ0Y.@BGeMER.7Y7GBGYMERZ0Y7.BG.MERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBGYMERZ0Y7GBG

C:\Users\user\AppData\Local\Temp\aut287.tmp

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	data
Category:	dropped
Size (bytes):	399810
Entropy (8bit):	7.9751464995941275
Encrypted:	false
SSDEEP:	12288:hSd7p+Fwxyog3dzLU7utxRix5sQ5BYZ2s45O3ff1w:hi8ogdzL4utxRK5aZ2s458ffa
MD5:	37BDD10C4320883750431B98BD169FF8
SHA1:	A44639D3C038A7FE14653634A6F5E2BD4EE255C3
SHA-256:	97A4F867F3FBAA52DEE977410A8916ED766152F482B54AE3F2F8C79149A17E80
SHA-512:	5C6FDD4B8C5D9E5A2E5F8B3A078689C6604BE1965F63134FB437B63B846E37BD7F31AEAE85FDA7906F2AE8A5A0DE139CA48430DC29A487C4E15C5644CE2038CB
Malicious:	false
Reputation:	low
Preview:	EA06.....G.U..foG.Q.4...0.... .....L+ .y....u....I.}.u/t.)....yKdFu3..h.Yl.W,.\.5..fQ6....Y...y.JlP8.z.?..'..U>.}.M....[w.y$CG....Fi~.Z..).N.k..t.Y>.Ce.....e.e....)?.?@.D......2..1..O/=........&..r.>.,...>.''.o..M/..8..,....x.X:_......Ye..}..`...v.R._+..<^.:..s.OY..+5..fo5...5.8.....+4..Y.....m...,Mh..f..oL..0..D ...&U....G...boW.....8..}...f.D.Xf.y.<.....h.[................d..6...k}.Vv4..?.........._A.M.. .boW.L+......M..%.I..MB.........Q.4.\.7.....+L.Y1....8...].T.@'..eA.y. ....C..@.....7...4...._.y. Tz.6.5.Vg.J=..[..;Sz...B.1...fo..MeS.0..9.....U....!(tP./...~G.u)\.IY..m ..^.B..@.H...{..../.../...M..z.~wM..d..l~a...(4x.;......B....,.@.....}...d.Y...R....n.Q.~Nl..R..v0.M..1.....&.D.G.Rz/..}.M....f.-..n.....D..0.U..X............H.Y...00.g..-N+X....B../tZ...&.Q._;}:....w ....D.L....d.Z.Vq..d....Y+S..bq...yw:.j..O.....,S......:...X.Y...1p.j.G............i.r...[&u.v.QG.Eb.Z.c.....y.....[.?L'...,.'....Y...b..,.. ..l.Y.[...._.R.V2...._..Q.P?..O..43.&....

C:\Users\user\AppData\Local\Temp\aut2E6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	data
Category:	dropped
Size (bytes):	10036
Entropy (8bit):	7.627021480349245
Encrypted:	false
SSDEEP:	192:nOB4D8BrW5+y4a2BGiVZtkN5BM3Jl/qjLLg5SsoE0bNm9WAXbz:nOiD8Bk/2hVMN43LiHLMT62Wgf
MD5:	B47B257F89D7112D7EBD80B515F5F386
SHA1:	2DCEFB433FFF77627F514093F9BD219C2370E4B5
SHA-256:	BB6482B254EF3F0FBF745B0186D3A443C330305527CF508AB629956D9A1B21A6
SHA-512:	C4ED1315D05E2521424C378C77E39FEBCB49817FCAA987F592D8B0509440AC2F7D285F23753C06738B4994856F8074AE3D45BD7FEEE93A39F12A79E4F4D745EF
Malicious:	false
Reputation:	low
Preview:	EA06..t..x......l..hS.}..m.O'@.$..?..(T.`.c:.P(.*...B.[(t....m..%..<....AB.6-.........-t.h...o.P....oP.V....k..u.yl.....?...........6...o.......s....V....S.+t.}p...6..........@.....}B........Z..4.1..........$.....0z.?..$}3......=?..`d....!d..V...7g..t..B...\|....W.n...\|v...W.n...\|v.X.W.n...\|v.x.W.o...\|v...W-.O...k....Z...C...^.B...F.@.z..G....].t......T...G. /Z...z.n...l.;........\|......A...}4.x........;^...`=......\.....4..o....,.......x.....H<.l[@:...b..........<...g..d..K......l..i\|v.F......[-.....t..........?..g.._.......A.>Km....ir.o..hS....n..g........9...S >.............C..'.+p!..Y....p...ju>....yk.h........,.uB.,..3........g.....g`....,j.:..'T0.J.......g`....'v.u..o..h....O..;<.X...>.\.V@.F.......g.......+.5....@!;=.X...c )E.{@... ...''.....,f.@..(.......Br\|......n.)..}<...B....@.......n.O-.!..........X5n....h..C..!;?.X...cV.......(@B...,v..!.`>.k..m. .M..@...X...l.O.@X..B.a.Q...t...[gS....?..h.!...,v......n........#. ....2.rZ...Gr....Bn.......gs....C..@

C:\Users\user\AppData\Local\Temp\autB22F.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_101.exe
File Type:	data
Category:	dropped
Size (bytes):	399810
Entropy (8bit):	7.9751464995941275
Encrypted:	false
SSDEEP:	12288:hSd7p+Fwxyog3dzLU7utxRix5sQ5BYZ2s45O3ff1w:hi8ogdzL4utxRK5aZ2s458ffa
MD5:	37BDD10C4320883750431B98BD169FF8
SHA1:	A44639D3C038A7FE14653634A6F5E2BD4EE255C3
SHA-256:	97A4F867F3FBAA52DEE977410A8916ED766152F482B54AE3F2F8C79149A17E80
SHA-512:	5C6FDD4B8C5D9E5A2E5F8B3A078689C6604BE1965F63134FB437B63B846E37BD7F31AEAE85FDA7906F2AE8A5A0DE139CA48430DC29A487C4E15C5644CE2038CB
Malicious:	false
Preview:	EA06.....G.U..foG.Q.4...0.... .....L+ .y....u....I.}.u/t.)....yKdFu3..h.Yl.W,.\.5..fQ6....Y...y.JlP8.z.?..'..U>.}.M....[w.y$CG....Fi~.Z..).N.k..t.Y>.Ce.....e.e....)?.?@.D......2..1..O/=........&..r.>.,...>.''.o..M/..8..,....x.X:_......Ye..}..`...v.R._+..<^.:..s.OY..+5..fo5...5.8.....+4..Y.....m...,Mh..f..oL..0..D ...&U....G...boW.....8..}...f.D.Xf.y.<.....h.[................d..6...k}.Vv4..?.........._A.M.. .boW.L+......M..%.I..MB.........Q.4.\.7.....+L.Y1....8...].T.@'..eA.y. ....C..@.....7...4...._.y. Tz.6.5.Vg.J=..[..;Sz...B.1...fo..MeS.0..9.....U....!(tP./...~G.u)\.IY..m ..^.B..@.H...{..../.../...M..z.~wM..d..l~a...(4x.;......B....,.@.....}...d.Y...R....n.Q.~Nl..R..v0.M..1.....&.D.G.Rz/..}.M....f.-..n.....D..0.U..X............H.Y...00.g..-N+X....B../tZ...&.Q._;}:....w ....D.L....d.Z.Vq..d....Y+S..bq...yw:.j..O.....,S......:...X.Y...1p.j.G............i.r...[&u.v.QG.Eb.Z.c.....y.....[.?L'...,.'....Y...b..,.. ..l.Y.[...._.R.V2...._..Q.P?..O..43.&....

C:\Users\user\AppData\Local\Temp\autB29D.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_101.exe
File Type:	data
Category:	dropped
Size (bytes):	10036
Entropy (8bit):	7.627021480349245
Encrypted:	false
SSDEEP:	192:nOB4D8BrW5+y4a2BGiVZtkN5BM3Jl/qjLLg5SsoE0bNm9WAXbz:nOiD8Bk/2hVMN43LiHLMT62Wgf
MD5:	B47B257F89D7112D7EBD80B515F5F386
SHA1:	2DCEFB433FFF77627F514093F9BD219C2370E4B5
SHA-256:	BB6482B254EF3F0FBF745B0186D3A443C330305527CF508AB629956D9A1B21A6
SHA-512:	C4ED1315D05E2521424C378C77E39FEBCB49817FCAA987F592D8B0509440AC2F7D285F23753C06738B4994856F8074AE3D45BD7FEEE93A39F12A79E4F4D745EF
Malicious:	false
Preview:	EA06..t..x......l..hS.}..m.O'@.$..?..(T.`.c:.P(.*...B.[(t....m..%..<....AB.6-.........-t.h...o.P....oP.V....k..u.yl.....?...........6...o.......s....V....S.+t.}p...6..........@.....}B........Z..4.1..........$.....0z.?..$}3......=?..`d....!d..V...7g..t..B...\|....W.n...\|v...W.n...\|v.X.W.n...\|v.x.W.o...\|v...W-.O...k....Z...C...^.B...F.@.z..G....].t......T...G. /Z...z.n...l.;........\|......A...}4.x........;^...`=......\.....4..o....,.......x.....H<.l[@:...b..........<...g..d..K......l..i\|v.F......[-.....t..........?..g.._.......A.>Km....ir.o..hS....n..g........9...S >.............C..'.+p!..Y....p...ju>....yk.h........,.uB.,..3........g.....g`....,j.:..'T0.J.......g`....'v.u..o..h....O..;<.X...>.\.V@.F.......g.......+.5....@!;=.X...c )E.{@... ...''.....,f.@..(.......Br\|......n.)..}<...B....@.......n.O-.!..........X5n....h..C..!;?.X...cV.......(@B...,v..!.`>.k..m. .M..@...X...l.O.@X..B.a.Q...t...[gS....?..h.!...,v......n........#. ....2.rZ...Gr....Bn.......gs....C..@

C:\Users\user\AppData\Local\Temp\autC7C1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	data
Category:	dropped
Size (bytes):	399810
Entropy (8bit):	7.9751464995941275
Encrypted:	false
SSDEEP:	12288:hSd7p+Fwxyog3dzLU7utxRix5sQ5BYZ2s45O3ff1w:hi8ogdzL4utxRK5aZ2s458ffa
MD5:	37BDD10C4320883750431B98BD169FF8
SHA1:	A44639D3C038A7FE14653634A6F5E2BD4EE255C3
SHA-256:	97A4F867F3FBAA52DEE977410A8916ED766152F482B54AE3F2F8C79149A17E80
SHA-512:	5C6FDD4B8C5D9E5A2E5F8B3A078689C6604BE1965F63134FB437B63B846E37BD7F31AEAE85FDA7906F2AE8A5A0DE139CA48430DC29A487C4E15C5644CE2038CB
Malicious:	false
Preview:	EA06.....G.U..foG.Q.4...0.... .....L+ .y....u....I.}.u/t.)....yKdFu3..h.Yl.W,.\.5..fQ6....Y...y.JlP8.z.?..'..U>.}.M....[w.y$CG....Fi~.Z..).N.k..t.Y>.Ce.....e.e....)?.?@.D......2..1..O/=........&..r.>.,...>.''.o..M/..8..,....x.X:_......Ye..}..`...v.R._+..<^.:..s.OY..+5..fo5...5.8.....+4..Y.....m...,Mh..f..oL..0..D ...&U....G...boW.....8..}...f.D.Xf.y.<.....h.[................d..6...k}.Vv4..?.........._A.M.. .boW.L+......M..%.I..MB.........Q.4.\.7.....+L.Y1....8...].T.@'..eA.y. ....C..@.....7...4...._.y. Tz.6.5.Vg.J=..[..;Sz...B.1...fo..MeS.0..9.....U....!(tP./...~G.u)\.IY..m ..^.B..@.H...{..../.../...M..z.~wM..d..l~a...(4x.;......B....,.@.....}...d.Y...R....n.Q.~Nl..R..v0.M..1.....&.D.G.Rz/..}.M....f.-..n.....D..0.U..X............H.Y...00.g..-N+X....B../tZ...&.Q._;}:....w ....D.L....d.Z.Vq..d....Y+S..bq...yw:.j..O.....,S......:...X.Y...1p.j.G............i.r...[&u.v.QG.Eb.Z.c.....y.....[.?L'...,.'....Y...b..,.. ..l.Y.[...._.R.V2...._..Q.P?..O..43.&....

C:\Users\user\AppData\Local\Temp\autC84E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	data
Category:	dropped
Size (bytes):	10036
Entropy (8bit):	7.627021480349245
Encrypted:	false
SSDEEP:	192:nOB4D8BrW5+y4a2BGiVZtkN5BM3Jl/qjLLg5SsoE0bNm9WAXbz:nOiD8Bk/2hVMN43LiHLMT62Wgf
MD5:	B47B257F89D7112D7EBD80B515F5F386
SHA1:	2DCEFB433FFF77627F514093F9BD219C2370E4B5
SHA-256:	BB6482B254EF3F0FBF745B0186D3A443C330305527CF508AB629956D9A1B21A6
SHA-512:	C4ED1315D05E2521424C378C77E39FEBCB49817FCAA987F592D8B0509440AC2F7D285F23753C06738B4994856F8074AE3D45BD7FEEE93A39F12A79E4F4D745EF
Malicious:	false
Preview:	EA06..t..x......l..hS.}..m.O'@.$..?..(T.`.c:.P(.*...B.[(t....m..%..<....AB.6-.........-t.h...o.P....oP.V....k..u.yl.....?...........6...o.......s....V....S.+t.}p...6..........@.....}B........Z..4.1..........$.....0z.?..$}3......=?..`d....!d..V...7g..t..B...\|....W.n...\|v...W.n...\|v.X.W.n...\|v.x.W.o...\|v...W-.O...k....Z...C...^.B...F.@.z..G....].t......T...G. /Z...z.n...l.;........\|......A...}4.x........;^...`=......\.....4..o....,.......x.....H<.l[@:...b..........<...g..d..K......l..i\|v.F......[-.....t..........?..g.._.......A.>Km....ir.o..hS....n..g........9...S >.............C..'.+p!..Y....p...ju>....yk.h........,.uB.,..3........g.....g`....,j.:..'T0.J.......g`....'v.u..o..h....O..;<.X...>.\.V@.F.......g.......+.5....@!;=.X...c )E.{@... ...''.....,f.@..(.......Br\|......n.)..}<...B....@.......n.O-.!..........X5n....h..C..!;?.X...cV.......(@B...,v..!.`>.k..m. .M..@...X...l.O.@X..B.a.Q...t...[gS....?..h.!...,v......n........#. ....2.rZ...Gr....Bn.......gs....C..@

C:\Users\user\AppData\Local\Temp\autD398.tmp

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	data
Category:	dropped
Size (bytes):	399810
Entropy (8bit):	7.9751464995941275
Encrypted:	false
SSDEEP:	12288:hSd7p+Fwxyog3dzLU7utxRix5sQ5BYZ2s45O3ff1w:hi8ogdzL4utxRK5aZ2s458ffa
MD5:	37BDD10C4320883750431B98BD169FF8
SHA1:	A44639D3C038A7FE14653634A6F5E2BD4EE255C3
SHA-256:	97A4F867F3FBAA52DEE977410A8916ED766152F482B54AE3F2F8C79149A17E80
SHA-512:	5C6FDD4B8C5D9E5A2E5F8B3A078689C6604BE1965F63134FB437B63B846E37BD7F31AEAE85FDA7906F2AE8A5A0DE139CA48430DC29A487C4E15C5644CE2038CB
Malicious:	false
Preview:	EA06.....G.U..foG.Q.4...0.... .....L+ .y....u....I.}.u/t.)....yKdFu3..h.Yl.W,.\.5..fQ6....Y...y.JlP8.z.?..'..U>.}.M....[w.y$CG....Fi~.Z..).N.k..t.Y>.Ce.....e.e....)?.?@.D......2..1..O/=........&..r.>.,...>.''.o..M/..8..,....x.X:_......Ye..}..`...v.R._+..<^.:..s.OY..+5..fo5...5.8.....+4..Y.....m...,Mh..f..oL..0..D ...&U....G...boW.....8..}...f.D.Xf.y.<.....h.[................d..6...k}.Vv4..?.........._A.M.. .boW.L+......M..%.I..MB.........Q.4.\.7.....+L.Y1....8...].T.@'..eA.y. ....C..@.....7...4...._.y. Tz.6.5.Vg.J=..[..;Sz...B.1...fo..MeS.0..9.....U....!(tP./...~G.u)\.IY..m ..^.B..@.H...{..../.../...M..z.~wM..d..l~a...(4x.;......B....,.@.....}...d.Y...R....n.Q.~Nl..R..v0.M..1.....&.D.G.Rz/..}.M....f.-..n.....D..0.U..X............H.Y...00.g..-N+X....B../tZ...&.Q._;}:....w ....D.L....d.Z.Vq..d....Y+S..bq...yw:.j..O.....,S......:...X.Y...1p.j.G............i.r...[&u.v.QG.Eb.Z.c.....y.....[.?L'...,.'....Y...b..,.. ..l.Y.[...._.R.V2...._..Q.P?..O..43.&....

C:\Users\user\AppData\Local\Temp\autD3E7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	data
Category:	dropped
Size (bytes):	10036
Entropy (8bit):	7.627021480349245
Encrypted:	false
SSDEEP:	192:nOB4D8BrW5+y4a2BGiVZtkN5BM3Jl/qjLLg5SsoE0bNm9WAXbz:nOiD8Bk/2hVMN43LiHLMT62Wgf
MD5:	B47B257F89D7112D7EBD80B515F5F386
SHA1:	2DCEFB433FFF77627F514093F9BD219C2370E4B5
SHA-256:	BB6482B254EF3F0FBF745B0186D3A443C330305527CF508AB629956D9A1B21A6
SHA-512:	C4ED1315D05E2521424C378C77E39FEBCB49817FCAA987F592D8B0509440AC2F7D285F23753C06738B4994856F8074AE3D45BD7FEEE93A39F12A79E4F4D745EF
Malicious:	false
Preview:	EA06..t..x......l..hS.}..m.O'@.$..?..(T.`.c:.P(.*...B.[(t....m..%..<....AB.6-.........-t.h...o.P....oP.V....k..u.yl.....?...........6...o.......s....V....S.+t.}p...6..........@.....}B........Z..4.1..........$.....0z.?..$}3......=?..`d....!d..V...7g..t..B...\|....W.n...\|v...W.n...\|v.X.W.n...\|v.x.W.o...\|v...W-.O...k....Z...C...^.B...F.@.z..G....].t......T...G. /Z...z.n...l.;........\|......A...}4.x........;^...`=......\.....4..o....,.......x.....H<.l[@:...b..........<...g..d..K......l..i\|v.F......[-.....t..........?..g.._.......A.>Km....ir.o..hS....n..g........9...S >.............C..'.+p!..Y....p...ju>....yk.h........,.uB.,..3........g.....g`....,j.:..'T0.J.......g`....'v.u..o..h....O..;<.X...>.\.V@.F.......g.......+.5....@!;=.X...c )E.{@... ...''.....,f.@..(.......Br\|......n.)..}<...B....@.......n.O-.!..........X5n....h..C..!;?.X...cV.......(@B...,v..!.`>.k..m. .M..@...X...l.O.@X..B.a.Q...t...[gS....?..h.!...,v......n........#. ....2.rZ...Gr....Bn.......gs....C..@

C:\Users\user\AppData\Local\Temp\bhvE943.tmp

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x3decec11, page size 32768, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	16252928
Entropy (8bit):	0.9688582807526867
Encrypted:	false
SSDEEP:	6144:woTz5eo1CKGP5q/XiE9ENP//Xsx0BnNP//Xsx0Bn695nu8eX8e58ekpjX8ev8efS:Ah+NFrVo90FdLhVKsKan19
MD5:	7BB87EF2174F9B773E8243EE9392CA3E
SHA1:	D44C0759E6687BC6DFB04B87C60037240EB5D5BE
SHA-256:	12A82BBE4FBF8BCD8945DEC65CA0C406727C47F63E708E6C9F7E0B18F7A7089F
SHA-512:	F2FB237DB6EAE222573F07308B223A04B655E4459364BE251B32584F7C1E693B4A2D9CD84A4A5BEE94F0BD9AF743B80EBD274ECE97CAA2535AD4C23850DAA22B
Malicious:	false
Preview:	=...... .......4........X.2';...{k.......................k..........{/......\|..h.m............................';...{-.............................................................................................S...........eJ......n........................................................................................................... ............{E..................................................................................................................................................................................................{E.................................Q..7.....\|....................7Y.....\|...........................#......h.m.....................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\caprone

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_101.exe
File Type:	Unicode text, UTF-8 text, with very long lines (29698), with no line terminators
Category:	dropped
Size (bytes):	29700
Entropy (8bit):	3.5691795945955525
Encrypted:	false
SSDEEP:	768:7VNxEAwD8U3NMUzajk9Ny/5NpSaqblGpEzkPlClHU5J7p:tEAuTMUujk9Ny/5NpSaqb3U5P
MD5:	893C6AA13DDFD46A82CDF5EE6494A6AB
SHA1:	F912184FCB55EA57B53D7918766FABAC1C3F2C2E
SHA-256:	42C2E6F3D22E1CB5A826B4E36B607CC008E6B9A6582DBCC9FAE5BB2F6ACD408F
SHA-512:	EF7B4F7F559CBFDC739107C760BCBA30A2D7BF3AC554AE0B069A5BF3818718F2D35262B59B7BD0A33F151FD4D6CFCD6AC2E2B2E725DEB4CA42912289403C268D
Malicious:	false
Preview:	:.??BlomB;ommm:<::::?@?AlB@l::::::@@BC>?B>lC@?::::::@@BC>nB@lkA<::::::@@BC??BBlB@o::::::@@BC>?BklC@?::::::@@BC>nBmlk@m::::::@@BC??BolB==::::::@@BC>?C:lC=<::::::@@BC>nC<lk<o::::::@@BC??C>lB@>::::::@@BC>?C@lC@m::::::@@BC>nCBlk@m::::::@@BC??Ck==m:@@BC>?CmlC@o::::::@@BCBn>>pppppplkA>::::::@@BCC?>@pppppplB@>::::::@@BCB?>BpppppplC@m::::::@@BCBn>kpppppplk@m::::::@@BCC?>mpppppplB<o::::::@@BCB?>opppppplC@>::::::@@BCBn?:pppppplk@m::::::@@BCC??<pppppplB@m::::::@@BCB??>pppppp==mC@@BCBn?@pppppplkA?::::::@@BC??n:lBA=::::::@@BC>?n<lC@?::::::@@BC>nn>lkA<::::::@@BC??n@lB==::::::@@BC>?nBlC=<::::::@@BC>nnklk<o::::::@@BC??nmlB@>::::::@@BC>?nolC@m::::::@@BC>no:lk@m::::::@@BC??o<==m:@@BC>?o>lC@;::::::@@BCBn@Bpppppplk@>::::::@@BCC?@kpppppplBA@::::::@@BCB?@mpppppplC@;::::::@@BCBn@opppppplkA:::::::@@BCC?A:pppppplB@C::::::@@BCB?A<pppppplC==::::::@@BCBnA>pppppplk=<::::::@@BCC?A@pppppplB<o::::::@@BCB?ABpppppplC@>::::::@@BCBnAkpppppplk@m::::::@@BCC?AmpppppplB@m::::::@@BCB?Aopppppp==mC@@BC>nB:lkA=::::::@@BC??k:lB

C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_101.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114646537
Entropy (8bit):	7.999497410314248
Encrypted:	true
SSDEEP:	786432:nD0zkUgwxV31HGEMnWYpg0PkeMHnIzwCBMvbms/7h+:L0w
MD5:	50614E143F8D18ACB986F7B1677E25F1
SHA1:	8E1196C291A4E19EB60833A601DB6D037FCD2D37
SHA-256:	596DE3FCFD57A8899F75143DE3890DF6E11E4EE3548B652D48D2DC596338A5DA
SHA-512:	16E8D690F221E1A00793A6E180FD1892BC841A9AC6A60DF0F2B902EEA4DBED5CEFC39577B3DB49D3CFFD0E1F6A290AEA757AE0844FCF6AD59576C653458A5331
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L......e..........".................w.............@.......................................@...@.......@.....................d...\|....@..H....................@...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...H....@......................@..@.reloc...u...@...v..................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.415908956019522
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclgMsUEZ+lX1ylRMlWAlJ12nriIM8lfQVn:DsO+vNlgMsQ1uMp1MmA2n
MD5:	48BCCAD8B26BFD0E634B904201C2D8CA
SHA1:	0FE98002E63364ED95C8B62E3056BC38CE21DB79
SHA-256:	866690D9B63B6378C8C392C84676ECEA739D5DBF5993624CB8C61029955B639B
SHA-512:	E80C0CFEAF96E38EDA741C8B1E40FD9818975FD26117C90B6FFB96BF4B7D6F2B67BA02265DF84A0141EDC3A19AE1D882F8374CBEAA7349FE90EBCC31C1F8CAD4
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.W.a.u.s.a.u.k.e.e.\.u.n.n.e.r.v.o.u.s.l.y...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\aka\yes.png

Download File

Process:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
File Type:	data
Category:	dropped
Size (bytes):	204
Entropy (8bit):	3.3629512129270016
Encrypted:	false
SSDEEP:	3:rhlKlVgKfNld/lWfwlDl5JWRal2Jl+7R0DAlBG45klovDl64oojklovDl6v:6lVgKG4b5YcIeeDAlOWA41gWAv
MD5:	8D77DECB724DCD8EDB713E25568025EC
SHA1:	A0D000FE7D0A2749988DA24B6478691758A327BA
SHA-256:	ABFA7E7D38C289F730716C63959E13B6A347943326E45DC09D43431BDD67F3AE
SHA-512:	A9CAA90E32969DCAE5B455A1283CDBBF8D479FE8F59FC8AB209E508FCB3FA94058D8A058F3D98CFE85E26D129F4CDCA2B879318412DD903348844CB5BF55094F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\aka\yes.png, Author: Joe Security
Preview:	....[.2.0.2.4./.0.7./.2.5. .1.8.:.2.8.:.2.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.159010691753827
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_101.exe
File size:	1'400'329 bytes
MD5:	780bd376a8b748d6ac621b4881ea908a
SHA1:	bafeee797024d02afcad3eac316cae519ad58aa9
SHA256:	5fe1de0adf99f8dff660c75a7e9f2c1d0720f6694f63a7aa406fc16f8bf498d3
SHA512:	7180b6a9cbb88765dd3f9aa2aaa86678639b168ba70342411daf8183509537e3cbfd9b2dfb666540dbbd8950b03cf29ee9b1656dfcf19a629868b0f82b74bd2e
SSDEEP:	24576:NqDEvCTbMWu7rQYlBQcBiT6rprG8akaUQRzetQhDt5o4mht:NTvC/MTQYxsWR7akTQ57Ztu
TLSH:	AA55BF0273918022FF9B92F20B57F61D567D692A0D23E52F12981CBDB9705A3463E7B3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	3131f99b9196c3a1

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65AF8BA4 [Tue Jan 23 09:49:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC2F4C7C753h
jmp 00007FC2F4C7C05Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC2F4C7C23Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC2F4C7C20Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC2F4C7EDFDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC2F4C7EE48h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC2F4C7EE31h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x7f348	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x154000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x7f348	0x7f400	ce5d6cc5f03a4be95e1adc92ef6efaec	False	0.8627248587917485	data	7.685562866343298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x154000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd4350	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4478	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3543 x 3543 px/m	English	Great Britain	0.04828167514491896
RT_STRING	0xe4ca0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe5234	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xe58c0	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe5d50	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe634c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe69a8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe6e10	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe6f68	0x6beec	data			1.0003189381395727
RT_GROUP_ICON	0x152e54	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x152e68	0x14	data	English	Great Britain	1.15
RT_VERSION	0x152e7c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x152f58	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T00:28:26.008105+0200	TCP	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	51054	80	192.168.2.9	178.237.33.50
2024-07-26T00:26:22.600432+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49706	40.68.123.157	192.168.2.9
2024-07-26T00:26:49.732218+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	51051	40.68.123.157	192.168.2.9
2024-07-26T00:28:25.130434+0200	TCP	2032777	ET MALWARE Remcos 3.x Unencrypted Server Response	8087	51052	107.175.229.139	192.168.2.9
2024-07-26T00:26:48.439453+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	51050	40.68.123.157	192.168.2.9
2024-07-26T00:28:24.191264+0200	TCP	2032776	ET MALWARE Remcos 3.x Unencrypted Checkin	51052	8087	192.168.2.9	107.175.229.139

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 00:28:24.183494091 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:24.190720081 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:24.190846920 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:24.191263914 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:24.198348999 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.130434036 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.133557081 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.140305042 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.244791031 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.247483969 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.253628016 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.253696918 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.253803968 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.260835886 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.296875000 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.330064058 CEST	51054	80	192.168.2.9	178.237.33.50
Jul 26, 2024 00:28:25.337140083 CEST	80	51054	178.237.33.50	192.168.2.9
Jul 26, 2024 00:28:25.337218046 CEST	51054	80	192.168.2.9	178.237.33.50
Jul 26, 2024 00:28:25.337481976 CEST	51054	80	192.168.2.9	178.237.33.50
Jul 26, 2024 00:28:25.344253063 CEST	80	51054	178.237.33.50	192.168.2.9
Jul 26, 2024 00:28:25.878009081 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878026962 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878037930 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878050089 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878062963 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878073931 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878079891 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878093958 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878108025 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878119946 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.878122091 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.878187895 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.885390043 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.885422945 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.885519981 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.972986937 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.973006010 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.973026991 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.973041058 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.973206043 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.980110884 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.980134010 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.980146885 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.980159998 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.980216980 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.980259895 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.986979008 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.986994028 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.987016916 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.987030983 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.987041950 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.987061977 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.987096071 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:25.993926048 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.993942976 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.993963003 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.993976116 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:25.994046926 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.000896931 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.000910044 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.000922918 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.000936031 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.000948906 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.000971079 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.001014948 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.008028030 CEST	80	51054	178.237.33.50	192.168.2.9
Jul 26, 2024 00:28:26.008044004 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.008054018 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.008069038 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.008105040 CEST	51054	80	192.168.2.9	178.237.33.50
Jul 26, 2024 00:28:26.008135080 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.060796976 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.068156958 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.068346977 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.068411112 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.068423033 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.068474054 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.075263977 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.075277090 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.075299978 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.075313091 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.075377941 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.075418949 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.082536936 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.082550049 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.082588911 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.082612038 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.082624912 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.082654953 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089536905 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089550018 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089560032 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089575052 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089585066 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089589119 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089598894 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089610100 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089613914 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089627981 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089641094 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089648962 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089660883 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089660883 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089673996 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089688063 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089695930 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089704990 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089718103 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089729071 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089731932 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089745045 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089756966 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089770079 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089771986 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089781046 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089793921 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089804888 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089816093 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089817047 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089829922 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089837074 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089853048 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089864016 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089874983 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089875937 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089883089 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089886904 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089901924 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.089930058 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.089951992 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.101545095 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.101583958 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.101594925 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.101617098 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.101628065 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.101655960 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.101928949 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.101972103 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.164408922 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.164436102 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.164448023 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.164462090 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.164520979 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.164563894 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.164782047 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.164827108 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.164839983 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.164866924 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.164884090 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.164927006 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.165744066 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.165764093 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.165775061 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.165803909 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.165836096 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.165873051 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.166646004 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.166656017 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.166671991 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.166702986 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.166708946 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.166744947 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.167503119 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.167576075 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.167587996 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.167629004 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.167632103 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.167666912 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.168487072 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.168503046 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.168514013 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.168525934 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.168545961 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.168575048 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.169331074 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.169384956 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.169395924 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.169436932 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.169450998 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.169486046 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.170262098 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.170280933 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.170294046 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.170331955 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.170367002 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.170407057 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.171173096 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.171230078 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.171241045 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.171253920 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.171281099 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.171305895 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.172103882 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.172116041 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.172127962 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.172166109 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.172168016 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.172219038 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.173110008 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.173160076 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.173196077 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.173202991 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.173800945 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.173850060 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.173892021 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.174128056 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.174154997 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.174173117 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.174578905 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.174629927 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.174640894 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.174653053 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.174698114 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.174734116 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.175504923 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.175544977 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.175555944 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.175576925 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.175586939 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.175610065 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.176454067 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.176465034 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.176476955 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.176496029 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.176508904 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.176542044 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.177377939 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.177387953 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.177401066 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.177417994 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.177423000 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.177453041 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.178191900 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.178206921 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.178219080 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.178246975 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.178251982 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.178291082 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.178854942 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.182756901 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.197027922 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197050095 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197062969 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197122097 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197134972 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197197914 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.197228909 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197241068 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197252989 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197257996 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.197267056 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197282076 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.197299957 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.197382927 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197392941 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.197428942 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.251475096 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.259650946 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259681940 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259695053 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259742022 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.259754896 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259772062 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259787083 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259793997 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.259802103 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259824991 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.259946108 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259958029 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259968996 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.259999037 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.260030031 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260031939 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.260118008 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260132074 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260179996 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.260194063 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260205030 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260217905 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260231018 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.260235071 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260262012 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.260384083 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260395050 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260407925 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260421038 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260435104 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.260436058 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.260466099 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.261034012 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261045933 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261058092 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261106014 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.261147976 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261158943 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261171103 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261183023 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261194944 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.261215925 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.261317015 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261328936 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261341095 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261353016 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261364937 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.261368036 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261388063 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.261420965 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.261982918 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.261996984 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262008905 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262074947 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.262106895 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262118101 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262130022 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262141943 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.262142897 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262171030 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.262247086 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262258053 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262269974 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262280941 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262293100 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262300968 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.262334108 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.262887955 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262950897 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.262963057 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263000011 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.263065100 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263077974 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263087988 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263101101 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263117075 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.263139009 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.263207912 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263221979 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263236046 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263247967 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263259888 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263261080 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.263282061 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.263319969 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.263851881 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263906002 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263921976 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.263961077 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.264008999 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264020920 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264034033 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264046907 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264055967 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.264081001 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.264103889 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264175892 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264189005 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264200926 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264202118 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.264214039 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264230967 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.264259100 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.264815092 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264866114 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264878988 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264904976 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.264967918 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264980078 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.264991045 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265003920 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265012980 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.265031099 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.265125036 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265136003 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265146017 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265158892 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265166998 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.265171051 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265193939 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.265213013 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.265834093 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265846014 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265857935 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265877962 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.265923023 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265933990 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265945911 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265958071 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.265960932 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.265990973 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.266067982 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.266079903 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.266093969 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.266105890 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.266132116 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.266132116 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.266145945 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.266185045 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.268505096 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.292536020 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.292546988 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.292557955 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.292603016 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.292613029 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.292623997 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.292635918 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.292690992 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.292866945 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.292867899 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.294698000 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.356952906 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.356992006 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357004881 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357047081 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357059002 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357076883 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357074976 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357090950 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357124090 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357124090 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357223988 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357234955 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357244968 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357258081 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357265949 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357273102 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357286930 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357295990 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357316017 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357379913 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357392073 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357403994 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357431889 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357467890 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357914925 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357925892 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357948065 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357961893 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357970953 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.357975006 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.357989073 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358001947 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358001947 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358016968 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358030081 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358040094 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358043909 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358056068 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358067989 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358069897 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358079910 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358092070 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358093023 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358104944 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358119011 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358119965 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358150005 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358166933 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358264923 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358304977 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358315945 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358346939 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358414888 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358426094 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358441114 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358458042 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358481884 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358594894 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358606100 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358616114 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358629942 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358639002 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358644009 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358656883 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358685970 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358720064 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358825922 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358836889 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358849049 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358861923 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.358875990 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.358902931 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.359221935 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359282970 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359296083 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359373093 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359378099 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.359385014 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359399080 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359426975 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.359451056 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.359536886 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359548092 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359558105 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359569073 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359582901 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359596014 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359601021 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.359627962 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.359646082 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.359735966 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359746933 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359757900 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359771967 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.359787941 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.359816074 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.360266924 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360317945 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360330105 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360363960 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360368967 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.360375881 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360405922 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.360531092 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360542059 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360553026 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360565901 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360578060 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.360580921 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360601902 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.360618114 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.360708952 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360719919 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360729933 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360742092 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360755920 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360757113 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.360768080 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.360784054 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.360800982 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.361187935 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361200094 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361212015 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361249924 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.361289024 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361299992 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361310005 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361325026 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361331940 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.361347914 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.361490011 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361500978 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361510992 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361525059 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361536026 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361541033 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.361547947 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361562014 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.361563921 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361577034 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361589909 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.361592054 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.361610889 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.361638069 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.362013102 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.362091064 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.362102985 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.362114906 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.362147093 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.362168074 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.395657063 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.395684958 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.395695925 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.395740986 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.395777941 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.395790100 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.395802021 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.395822048 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.395834923 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.395848989 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.431583881 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.450860023 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.450896978 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.450911045 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.450936079 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.450949907 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.450953960 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.450999022 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451003075 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451018095 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451064110 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451145887 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451158047 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451169968 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451183081 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451186895 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451196909 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451220036 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451248884 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451297998 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451323032 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451334953 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451363087 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451435089 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451447010 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451461077 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451476097 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451507092 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451508045 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451533079 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451546907 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451579094 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451607943 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451653004 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451683998 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451695919 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451709986 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451723099 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451725006 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451776981 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.451806068 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.451953888 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452018023 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452030897 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452058077 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.452084064 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.452095985 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452107906 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452121019 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452133894 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452152967 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.452197075 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.452198982 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452296972 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452348948 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452362061 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452394962 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.452430010 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.452433109 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452447891 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452460051 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:26.452518940 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.500005007 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:26.995042086 CEST	80	51054	178.237.33.50	192.168.2.9
Jul 26, 2024 00:28:26.995172977 CEST	51054	80	192.168.2.9	178.237.33.50
Jul 26, 2024 00:28:29.346585035 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:29.353598118 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.353611946 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.353631020 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.353640079 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.353648901 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.353676081 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:29.353804111 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:29.355912924 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.355922937 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.355938911 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.355947018 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.358123064 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.360469103 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.360479116 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.360493898 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.362076044 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.362086058 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.362093925 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.362154961 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.374074936 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:29.381195068 CEST	8087	51053	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:29.381261110 CEST	51053	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:51.534416914 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:28:51.540637970 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:28:51.547533035 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:29:21.713962078 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:29:21.715764046 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:29:21.722693920 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:29:51.706557989 CEST	8087	51052	107.175.229.139	192.168.2.9
Jul 26, 2024 00:29:51.709692001 CEST	51052	8087	192.168.2.9	107.175.229.139
Jul 26, 2024 00:29:51.716224909 CEST	8087	51052	107.175.229.139	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 00:26:43.262327909 CEST	53	56731	162.159.36.2	192.168.2.9
Jul 26, 2024 00:26:43.768867970 CEST	58005	53	192.168.2.9	1.1.1.1
Jul 26, 2024 00:26:43.778099060 CEST	53	58005	1.1.1.1	192.168.2.9
Jul 26, 2024 00:26:45.100549936 CEST	51822	53	192.168.2.9	1.1.1.1
Jul 26, 2024 00:26:45.110439062 CEST	53	51822	1.1.1.1	192.168.2.9
Jul 26, 2024 00:28:25.313152075 CEST	60869	53	192.168.2.9	1.1.1.1
Jul 26, 2024 00:28:25.322469950 CEST	53	60869	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 00:26:43.768867970 CEST	192.168.2.9	1.1.1.1	0xc64f	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 26, 2024 00:26:45.100549936 CEST	192.168.2.9	1.1.1.1	0x1e2a	Standard query (0)	183.59.114.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 26, 2024 00:28:25.313152075 CEST	192.168.2.9	1.1.1.1	0xcce3	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 00:25:57.130606890 CEST	1.1.1.1	192.168.2.9	0x5d2e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 26, 2024 00:25:57.130606890 CEST	1.1.1.1	192.168.2.9	0x5d2e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 26, 2024 00:26:43.778099060 CEST	1.1.1.1	192.168.2.9	0xc64f	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 26, 2024 00:26:45.110439062 CEST	1.1.1.1	192.168.2.9	0x1e2a	Name error (3)	183.59.114.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 26, 2024 00:28:25.322469950 CEST	1.1.1.1	192.168.2.9	0xcce3	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	51054	178.237.33.50	80	7432	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 00:28:25.337481976 CEST	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jul 26, 2024 00:28:26.008028030 CEST	1170	IN	HTTP/1.1 200 OK date: Thu, 25 Jul 2024 22:28:25 GMT server: Apache content-length: 962 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

Target ID:	0
Start time:	18:26:01
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_101.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_101.exe"
Imagebase:	0xa0000
File size:	1'400'329 bytes
MD5 hash:	780BD376A8B748D6AC621B4881EA908A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:28:17
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_101.exe"
Imagebase:	0x2a0000
File size:	114'646'537 bytes
MD5 hash:	50614E143F8D18ACB986F7B1677E25F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000009.00000002.2703381537.0000000003560000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	18:28:20
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"
Imagebase:	0x2a0000
File size:	114'646'537 bytes
MD5 hash:	50614E143F8D18ACB986F7B1677E25F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3770114936.00000000010BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000002.3770517218.00000000032C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000002.3766719987.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	18:28:26
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\zhxznlyhhoxqew"
Imagebase:	0x2a0000
File size:	114'646'537 bytes
MD5 hash:	50614E143F8D18ACB986F7B1677E25F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	18:28:26
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\kcdsoejjvwpvgchse"
Imagebase:	0x2a0000
File size:	114'646'537 bytes
MD5 hash:	50614E143F8D18ACB986F7B1677E25F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	18:28:27
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe /stext "C:\Users\user\AppData\Local\Temp\meicpwucjehhjidwwwibd"
Imagebase:	0x2a0000
File size:	114'646'537 bytes
MD5 hash:	50614E143F8D18ACB986F7B1677E25F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	18:28:32
Start date:	25/07/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unnervously.vbs"
Imagebase:	0x7ff6e9e20000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	18:28:32
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\Wausaukee\unnervously.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Wausaukee\unnervously.exe"
Imagebase:	0x2a0000
File size:	114'646'537 bytes
MD5 hash:	50614E143F8D18ACB986F7B1677E25F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.2849527453.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000F.00000002.2848851973.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	51

Executed Functions

Function 000A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 000A430D

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

GetCurrentProcess.KERNEL32(?,0013CB64,00000000,?,?), ref: 000A4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 000A4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 000A4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 000A4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 000A4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 000A447B
GetSystemInfo.KERNEL32(?,?,?), ref: 000A44A0

Strings

|O, xrefs: 000E36F8
kernel32.dll, xrefs: 000A444F
GetNativeSystemInfo, xrefs: 000A4460

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4137581bef1b35e4cdceec77c49803f073b952604c0516f6b3206c2591c83ad1
Instruction ID: 40d01a40b5c396e388fa9b74235158a970bba265da6a333e360c6d7235a55804
Opcode Fuzzy Hash: 4137581bef1b35e4cdceec77c49803f073b952604c0516f6b3206c2591c83ad1
Instruction Fuzzy Hash: E7A1A37691E2C0FFC721CBBE7C451997FF47B66360B084999E08DA7E62D26046C8CB61

Function 000A42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,000A50AA,?,?,00000000,00000000), ref: 000A42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,000A50AA,?,?,00000000,00000000), ref: 000A42C9
LoadResource.KERNEL32(?,00000000,?,?,000A50AA,?,?,00000000,00000000,?,?,?,?,?,?,000A4F20), ref: 000E35BE
SizeofResource.KERNEL32(?,00000000,?,?,000A50AA,?,?,00000000,00000000,?,?,?,?,?,?,000A4F20), ref: 000E35D3
LockResource.KERNEL32(000A50AA,?,?,000A50AA,?,?,00000000,00000000,?,?,?,?,?,?,000A4F20,?), ref: 000E35E6

Strings

SCRIPT, xrefs: 000A42BF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 890a8a4758f831d19eb112d6b4ad95aa3e1bbad5b3c36de2f83c06b8876f171f
Instruction ID: b9c9b7d782e033edcacbb885f097fbec80390a8d9c43b750e74970a49743a80b
Opcode Fuzzy Hash: 890a8a4758f831d19eb112d6b4ad95aa3e1bbad5b3c36de2f83c06b8876f171f
Instruction Fuzzy Hash: 76118E75640700BFD7218BA5DC48F277BB9EBC6B51F104169F402E6650DBB1DC408760

Function 000E2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 000A2B6B

Part of subcall function 000A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00171418,?,000A2E7F,?,?,?,00000000), ref: 000A3A78

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00162224), ref: 000E2C10
ShellExecuteW.SHELL32(00000000,?,?,00162224), ref: 000E2C17

Strings

runas, xrefs: 000E2C0B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: f8db4e3fff36e572693d3bc28d7141770322ec9d5469f7a327b4cd73d90b7a7c
Instruction ID: 1a9c8d39f6ee9e50cc7a4c082ef53123f1e8e7bc19c994dcddf1f5edb619430d
Opcode Fuzzy Hash: f8db4e3fff36e572693d3bc28d7141770322ec9d5469f7a327b4cd73d90b7a7c
Instruction Fuzzy Hash: 481196322083416BC714FFE8DC529FEB7A5AB93750F44542DF187620A3DF2186498752

Function 0010DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,000E5222), ref: 0010DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0010DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0010DBEE
FindClose.KERNEL32(00000000), ref: 0010DBFA

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f28328e659e97ae3662f1839c37a6398b4a6d711858b06f4b2cdc8739d0106a6
Instruction ID: 0cb6e3f89d2cc134cb7f6df18af79d12528c6ecefbe8372dfdcaf040c2c0b1bd
Opcode Fuzzy Hash: f28328e659e97ae3662f1839c37a6398b4a6d711858b06f4b2cdc8739d0106a6
Instruction Fuzzy Hash: 0CF0A03181092057D2206BB8AE0D8AB3B6D9F02334B10470AF8B6D24E0EBF059948AD5

Function 000AD733 Relevance: 21.6, APIs: 14, Instructions: 623windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 000AD807
timeGetTime.WINMM ref: 000ADA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000ADB28
TranslateMessage.USER32(?), ref: 000ADB7B
DispatchMessageW.USER32(?), ref: 000ADB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000ADB9F
Sleep.KERNEL32(0000000A), ref: 000ADBB1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: f9d879844276630c2c9ada7116b25a8ef4dbc02e03dbb5f4b38f85b74714d4b8
Instruction ID: 79621f5e760cfc56494786fc7e516783aad1ddded0110d4645fe01374ea8b6ef
Opcode Fuzzy Hash: f9d879844276630c2c9ada7116b25a8ef4dbc02e03dbb5f4b38f85b74714d4b8
Instruction Fuzzy Hash: D142D030608346EFD778CF64C844BBAB7E1BF46314F14451EE5A687AA2D770E884DB92

Function 000A344D Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00171418,?,000A2E7F,?,?,?,00000000), ref: 000A3A78

Part of subcall function 000A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 000A3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 000A356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 000E318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 000E31CE
RegCloseKey.ADVAPI32(?), ref: 000E3210
_wcslen.LIBCMT ref: 000E3277
_wcslen.LIBCMT ref: 000E3286

Strings

Software\AutoIt v3\AutoIt, xrefs: 000A3560
Include, xrefs: 000E3184, 000E31C5
pU, xrefs: 000A349D
\, xrefs: 000E328C
l(, xrefs: 000A34E2
\Include\, xrefs: 000A3527

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$l($pU
API String ID: 98802146-3078148313
Opcode ID: 2e69f50ae945b07c78c6d1e6da3bdfb8a71c63ccbee2d71d718e6f14c3d411a9
Instruction ID: c1f1f15645b10a0728d784b78bcdfa6b808359f1915a9e72d76859c328213477
Opcode Fuzzy Hash: 2e69f50ae945b07c78c6d1e6da3bdfb8a71c63ccbee2d71d718e6f14c3d411a9
Instruction Fuzzy Hash: 087192715043019EC314DF65DC869ABBBF8FF89350F40482EF589A71A1EB749AC9CB92

Function 000A2CD4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000A2D07
RegisterClassExW.USER32(00000030), ref: 000A2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A2D42
InitCommonControlsEx.COMCTL32(?), ref: 000A2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A2D6F
LoadIconW.USER32(000000A9), ref: 000A2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A2D94

Strings

h(, xrefs: 000A2D80, 000A2D8E
0, xrefs: 000A2CE9
AutoIt v3 GUI, xrefs: 000A2D23
TaskbarCreated, xrefs: 000A2D37
+, xrefs: 000A2CF0

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated$h(
API String ID: 2914291525-1085546706
Opcode ID: d7a627faafbdff93790b13e4819ed79bfeef2d64113850fb9b6fd2ebe2242411
Instruction ID: 8db14334350d4ed742b57eb958a8d39f27fc9dde1b3debc83d9e71350e888feb
Opcode Fuzzy Hash: d7a627faafbdff93790b13e4819ed79bfeef2d64113850fb9b6fd2ebe2242411
Instruction Fuzzy Hash: 9C21F4B5911308AFDB00DFA8EC89BDDBBB4FB08704F10411AFA15B66A0D7B54580CFA0

Function 000E065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000E039A: CreateFileW.KERNELBASE(00000000,00000000,?,000E0704,?,?,00000000,?,000E0704,00000000,0000000C), ref: 000E03B7

GetLastError.KERNEL32 ref: 000E076F
__dosmaperr.LIBCMT ref: 000E0776
GetFileType.KERNELBASE(00000000), ref: 000E0782
GetLastError.KERNEL32 ref: 000E078C
__dosmaperr.LIBCMT ref: 000E0795
CloseHandle.KERNEL32(00000000), ref: 000E07B5
CloseHandle.KERNEL32(?), ref: 000E08FF
GetLastError.KERNEL32 ref: 000E0931
__dosmaperr.LIBCMT ref: 000E0938

Strings

H, xrefs: 000E08BD

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 12670a024aca3d98364addf66474bfa7ccb4ac6bb7b2b5d83597e287e9d6a9d7
Instruction ID: a1bbacd13894eb9de4d538ed1240fde96202daaee4414630bbc123ecf613639d
Opcode Fuzzy Hash: 12670a024aca3d98364addf66474bfa7ccb4ac6bb7b2b5d83597e287e9d6a9d7
Instruction Fuzzy Hash: 00A13832A041858FDF19AF68DC51BAD3BF1AB4A320F14015DF855AB392C7719D92CB91

Function 000A2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 000A2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 000A2B9D
LoadIconW.USER32(00000063), ref: 000A2BB3
LoadIconW.USER32(000000A4), ref: 000A2BC5
LoadIconW.USER32(000000A2), ref: 000A2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 000A2BEF
RegisterClassExW.USER32(?), ref: 000A2C40

Part of subcall function 000A2CD4: GetSysColorBrush.USER32(0000000F), ref: 000A2D07
Part of subcall function 000A2CD4: RegisterClassExW.USER32(00000030), ref: 000A2D31
Part of subcall function 000A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000A2D42
Part of subcall function 000A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 000A2D5F
Part of subcall function 000A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000A2D6F
Part of subcall function 000A2CD4: LoadIconW.USER32(000000A9), ref: 000A2D85
Part of subcall function 000A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 000A2D94

Strings

0, xrefs: 000A2C0F
#, xrefs: 000A2C16
AutoIt v3, xrefs: 000A2C2F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1a2453bed0180bd2551941dffd6cea18b68a5e79ff7a61673faa4728a8f606f1
Instruction ID: 8e0359cf23e695d709f5f7a7be2bd5be53f8914bbbb227392fe0be08742f8bc5
Opcode Fuzzy Hash: 1a2453bed0180bd2551941dffd6cea18b68a5e79ff7a61673faa4728a8f606f1
Instruction Fuzzy Hash: AA212975E00318BBDB109FA9EC56BA97FB4FB48B60F10402AF508B6AA0D7B545C4CF90

Function 000A3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,000A316A,?,?), ref: 000A31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,000A316A,?,?), ref: 000A3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000A3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,000A316A,?,?), ref: 000A3232
CreatePopupMenu.USER32 ref: 000A3246
PostQuitMessage.USER32(00000000), ref: 000A3267

Strings

TaskbarCreated, xrefs: 000A322D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d5154060318e9ba368a7740d7d586d2e6fe8cb6f622366d08b3c1f8f8fe92a43
Instruction ID: bd11b1fa047f021d1c1dcc53b676a18e78222350852a7feef58c487ee85fc437
Opcode Fuzzy Hash: d5154060318e9ba368a7740d7d586d2e6fe8cb6f622366d08b3c1f8f8fe92a43
Instruction Fuzzy Hash: 8A415D31244204BBDB641BFCDD0EBBD36AAF747354F044215FA0AA66E2CB718EC197A1

Function 000D8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255d197a70b3ed6c54fe1aa1baa2cc900012747e13ddfef6ffef1b267b56405c
Instruction ID: 60449d88874c83fde2e8314cb3568e5cd8f1f0537b962afbaa228b0d357bceb5
Opcode Fuzzy Hash: 255d197a70b3ed6c54fe1aa1baa2cc900012747e13ddfef6ffef1b267b56405c
Instruction Fuzzy Hash: 2FC1D074A04349AFDB61DFA8D845BEDBFF1AF09310F14819AE519A7392C7309981CB71

Function 00E40920 Relevance: 10.7, APIs: 7, Instructions: 185
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00E40965

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction ID: 25504023d547cd034593ef6ea332bd0ee2c1f061b8ce7e8efbd144325312f203
Opcode Fuzzy Hash: 28aa79915beb11918698720707ebb43b2bda4a086287e743706ae16bd51aa008
Instruction Fuzzy Hash: 8771C775A10208EBDF24DFA4DC85FEEB7B5BF48704F208558F605BB280DA74AA44DB64

Function 000A2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 000A2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 000A2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,000A1CAD,?), ref: 000A2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,000A1CAD,?), ref: 000A2CCF

Strings

edit, xrefs: 000A2CAC
AutoIt v3, xrefs: 000A2C89, 000A2C8E, 000A2C8F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c8a72cde310a86ad824065bd56f9e01f5254d6fa422bb3673ef9321be1d4686a
Instruction ID: 61a0b734db526edf9ba38d7c236d3bf29205936a94425acce24251f8ca690c21
Opcode Fuzzy Hash: c8a72cde310a86ad824065bd56f9e01f5254d6fa422bb3673ef9321be1d4686a
Instruction Fuzzy Hash: 8EF0DA755903907AEB31172BAC09E773EBDE7C6F60F11405AFD08A29A0C66118D0DBB0

Function 000A10F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000A1BF4
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 000A1BFC
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000A1C07
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000A1C12
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 000A1C1A
Part of subcall function 000A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 000A1C22

Part of subcall function 000A1B4A: RegisterWindowMessageW.USER32(00000004,?,000A12C4), ref: 000A1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 000A136A
OleInitialize.OLE32 ref: 000A1388
CloseHandle.KERNEL32(00000000,00000000), ref: 000E24AB

Strings

(h, xrefs: 000A116A
Xn, xrefs: 000A1115

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (h$Xn
API String ID: 1986988660-92771946
Opcode ID: 01b674a01b6e5a9b86f63e8d6fc06f4378562e8d3798d743e57c9c0dc09b7e98
Instruction ID: 14f36a5543ff251e0a6ef4c7e172654b479ceda1d2879403f0e1f230d5a1955b
Opcode Fuzzy Hash: 01b674a01b6e5a9b86f63e8d6fc06f4378562e8d3798d743e57c9c0dc09b7e98
Instruction Fuzzy Hash: 7A71ADB5911300AFC388EFBDAD466953AF5FB8A344755822AE40EE7B62EB7044C1CF51

Function 00112947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00112C05
DeleteFileW.KERNEL32(?), ref: 00112C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00112C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00112CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00112CC0

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 6a2e72a316eee0b7abab5023d5a10b206298eff672d35537ca990165c9fd03d8
Instruction ID: d7777e20d458418f61eaf2dfeb0a01c2721d3bcbb97a6b1826b5bd339c21fc92
Opcode Fuzzy Hash: 6a2e72a316eee0b7abab5023d5a10b206298eff672d35537ca990165c9fd03d8
Instruction Fuzzy Hash: 5DB16E71900119ABDF25DBA4CC85EDEB7BDEF59350F1040B6F609E7142EB309A948FA1

Function 000D5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO, xrefs: 000D5BA8, 000D5C6C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: JO
API String ID: 0-360213456
Opcode ID: 567ddfac50a8ebce4939871aab97ceeb70fe0ba4965130c8663318ec7aa25c67
Instruction ID: c2eea0daf113cd29c424f9f3b69a923382a6d59e90659e0eb60328c967e09995
Opcode Fuzzy Hash: 567ddfac50a8ebce4939871aab97ceeb70fe0ba4965130c8663318ec7aa25c67
Instruction Fuzzy Hash: 13516D7191070AAFDB219FA8CC45FEE7BB8AF49322F14005BF805A7392D77199419B72

Function 00E42520 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E42654
VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 00E42689
ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 00E426AF

Strings

MERZ0Y7GBGY, xrefs: 00E426D4, 00E426D7

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: File$AllocCreateReadVirtual
String ID: MERZ0Y7GBGY
API String ID: 3585551309-3728424541
Opcode ID: 41539717696f08d6b3f54e993c97e9898c56fe04b2c4b9e1b84cc8371327fc66
Instruction ID: d60ab1809b96b9d28b15f99f61d2d1de69bd1f4f5985711ae908f8a5445e3f00
Opcode Fuzzy Hash: 41539717696f08d6b3f54e993c97e9898c56fe04b2c4b9e1b84cc8371327fc66
Instruction Fuzzy Hash: 9351A231D0025ADBEF10DBB4D819BEEBB78AF14304F4041A9E718BB2C0DA795B45CBA5

Function 000A3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,000A3B0F,SwapMouseButtons,00000004,?), ref: 000A3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,000A3B0F,SwapMouseButtons,00000004,?), ref: 000A3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,000A3B0F,SwapMouseButtons,00000004,?), ref: 000A3B83

Strings

Control Panel\Mouse, xrefs: 000A3B3E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: b1e3b601fad128362f882158aac5d7bf548c105dd2d52a4c2b91da94b161ae61
Instruction ID: f866c12425de72f978f6bbba32b83a1d2cff35aae6bee3ada493c6ef942e5e59
Opcode Fuzzy Hash: b1e3b601fad128362f882158aac5d7bf548c105dd2d52a4c2b91da94b161ae61
Instruction Fuzzy Hash: 5F112AB5521208FFDB608FA5DC85AAEB7BDEF45744B104459FA05E7110D3319E4097A0

Function 000ADFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 000F32B7

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: da13521647f00e91bab5020cc08035277eb6b2fd99eec398b8f0240f372f6493
Instruction ID: e99c3d77b7e539e4f828b6d4794a814b8b6e14aa36a920bd24605d68b61786a1
Opcode Fuzzy Hash: da13521647f00e91bab5020cc08035277eb6b2fd99eec398b8f0240f372f6493
Instruction Fuzzy Hash: 1EC2AC71A00255CFCB24CF98C884AADB7F1FF4A310F248569E915AB392D775EE81CB91

Function 000BFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 000C0668

Part of subcall function 000C32A4: RaiseException.KERNEL32(?,?,?,000C068A,?,00171444,?,?,?,?,?,?,000C068A,000A1129,00168738,000A1129), ref: 000C3304

__CxxThrowException@8.LIBVCRUNTIME ref: 000C0685

Strings

Unknown exception, xrefs: 000C0692

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 49468050232bf843cdc45b5980c4de030d9c7741ed0b4dcbcf896a22061639c7
Instruction ID: 2c5791f94527bab160e7382d14139521e9fc94b97069eae7445b764fe4a2c736
Opcode Fuzzy Hash: 49468050232bf843cdc45b5980c4de030d9c7741ed0b4dcbcf896a22061639c7
Instruction Fuzzy Hash: 69F0623490020DB7CF10BBA4DC4AEEE7BAD5F40350B604539B914D65D2EF71EA66C681

Function 00E41060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E410A5
ExitProcess.KERNEL32(00000000), ref: 00E410C4

Strings

D, xrefs: 00E41071

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 5daa9b7238fa4ec1454e6c1b31ac8cab11c4b0ae369da0b25f7351ff99cfb3b0
Instruction ID: 656bc3d1d79bd4bcb92a789a81fa249789132aa43af3c56bc94a5f26f7a67de4
Opcode Fuzzy Hash: 5daa9b7238fa4ec1454e6c1b31ac8cab11c4b0ae369da0b25f7351ff99cfb3b0
Instruction Fuzzy Hash: D5F0FF7594024CABDF64DFE0CC49FEE77BCBF04701F508509FB0AAA180DA7496488B61

Function 00113017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0011302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00113044

Strings

aut, xrefs: 00113038

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 60f5760d66ed16012fc54b45aff3cb1cbde0d5987059bdd994fd6166c36f4a4c
Instruction ID: 9ae115f6ebe7df50752eaeca604e2103dafb71895f3855995a6e6014de80770e
Opcode Fuzzy Hash: 60f5760d66ed16012fc54b45aff3cb1cbde0d5987059bdd994fd6166c36f4a4c
Instruction Fuzzy Hash: 3CD05E7250032867DA20A7A4AC0EFCB7A7CDB04750F0002A1BA55F2091DAB09984CBD0

Function 00127F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 001282F5
TerminateProcess.KERNEL32(00000000), ref: 001282FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 001284DD

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 415d1614bae67519cdb4ee0e29eb7bf0164795ec1d151c3ad3a2c411139b1584
Instruction ID: 15a1a1d73c08f678680423399cd8a604dc2d658e8b681cdbcd5f39779acdb4e3
Opcode Fuzzy Hash: 415d1614bae67519cdb4ee0e29eb7bf0164795ec1d151c3ad3a2c411139b1584
Instruction Fuzzy Hash: DD127971A083519FD714DF28D480B6ABBE5FF89318F04895DE8898B292CB31ED45CB92

Function 000A54C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 000A556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 000A557D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5d62bc4bcf21252b1263d3a801a951277ea06413164c9f820d2aeff3073442f1
Instruction ID: b6e332da503ae9fce9e627393f03c39b58ec0ba9fd81e76c9872ec05cb1452d4
Opcode Fuzzy Hash: 5d62bc4bcf21252b1263d3a801a951277ea06413164c9f820d2aeff3073442f1
Instruction Fuzzy Hash: 16316C71A00A09EFDB14CFA8CC80B9DB7B6FB48315F148229E919A7240D771FE94CB90

Function 000D86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,000D85CC,?,00168CC8,0000000C), ref: 000D8704
GetLastError.KERNEL32(?,000D85CC,?,00168CC8,0000000C), ref: 000D870E
__dosmaperr.LIBCMT ref: 000D8739

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 33d33dc4599eccdad5f220be12096fc0d4771f2d0f3dce6a2f71cbe3baf2fd6e
Instruction ID: 8e10d11f4be026f4c68a0fe9fba45a773587d6c13fd3661f07a66b8a827b0863
Opcode Fuzzy Hash: 33d33dc4599eccdad5f220be12096fc0d4771f2d0f3dce6a2f71cbe3baf2fd6e
Instruction Fuzzy Hash: 45016B3260436026D2A567346C45BBE2B898B81775F39411BFC089B3D3DEA0CCC183B0

Function 00112FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00112CD4,?,?,?,00000004,00000001), ref: 00112FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00112CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00113006
CloseHandle.KERNEL32(00000000,?,00112CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0011300D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 4478f6530110f5fb80e5a953941e175446ef98dc881f4951eaf24bce04c3fca4
Instruction ID: 7a68f498772d1679dcd88e8f6d696f0e5207f8c6f96306ebcc6334420afd64d3
Opcode Fuzzy Hash: 4478f6530110f5fb80e5a953941e175446ef98dc881f4951eaf24bce04c3fca4
Instruction Fuzzy Hash: 57E0863228021077D2302755BC0DFCB3A5CD78AB71F104220F729750D046A0554153E8

Function 000B1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000B17F6

Strings

CALL, xrefs: 000B17C6

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: d3b22d897fc482e524058ac2ee0a304a01249010b0c94a042cc8da8937cf4a8c
Instruction ID: e882078696217c8d5e84e3243a2f9175026c6a864be64970cdcca6bd35344abf
Opcode Fuzzy Hash: d3b22d897fc482e524058ac2ee0a304a01249010b0c94a042cc8da8937cf4a8c
Instruction Fuzzy Hash: CD228C70608201DFC724DF14C4A0BAABBF1BF85314F64892DF5969B7A2D732E945CB92

Function 00116EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00116F6B

Part of subcall function 000A4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00116F5A, 00116F63

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 18b7a3afc5bac562f90acefb3967262569f8f085e5bada24e6c575b3f073ca1b
Instruction ID: dd92ea33b7d5089e5c7b0526591c79302c22b84028f9b7baede30d892ddfe2c6
Opcode Fuzzy Hash: 18b7a3afc5bac562f90acefb3967262569f8f085e5bada24e6c575b3f073ca1b
Instruction Fuzzy Hash: C7B195316082018FCB18EF60C8919EEB7F5AF96310F44892DF496972A2DF71ED45CB91

Function 000A2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 000E2C8C

Part of subcall function 000A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A3A97,?,?,000A2E7F,?,?,?,00000000), ref: 000A3AC2

Part of subcall function 000A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000A2DC4

Strings

X, xrefs: 000E2C5A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 714237cec919f4a9272d786b2eec6a95005eb26ef579b6fda5bf08de48882f03
Instruction ID: 13e9e7ab2550b13d3ce7824bc86453c89cf2ba7c4ee8c41c6f611db0cfa0b213
Opcode Fuzzy Hash: 714237cec919f4a9272d786b2eec6a95005eb26ef579b6fda5bf08de48882f03
Instruction Fuzzy Hash: F621A571A00298AFDB41EFD8CC45BEE7BFCAF49314F004069E405B7242DBB45A898FA1

Function 00112557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00112587

Strings

EA06, xrefs: 001125B9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 42330d7db40b341979d64c8423f19c03ceb5690d70d7ddbf92579d58258a0362
Instruction ID: 94d36fb44b19500b50f2b5e04a364d6a6d00d28c9ed15a0ee069d8d08401e7cc
Opcode Fuzzy Hash: 42330d7db40b341979d64c8423f19c03ceb5690d70d7ddbf92579d58258a0362
Instruction Fuzzy Hash: 8001B5729442587EDF28C7A8CC56FEEBBF8DB05301F00455EE152D21C2E5B4E618CB60

Function 000A5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,000A949C,?,00008000), ref: 000A5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,000A949C,?,00008000), ref: 000E4052

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3e3cea37c1b3bc2995a4225391119c78cb8ffa7266d7df0b9962e7a266a93ad9
Instruction ID: 546d4584a05cd7d4ae6ba3ca10b5d56004ed8db93c61eb3dcac36c9033f142aa
Opcode Fuzzy Hash: 3e3cea37c1b3bc2995a4225391119c78cb8ffa7266d7df0b9962e7a266a93ad9
Instruction Fuzzy Hash: F3019230145225FAE3711A6ADC0EF9B7F98EF067B1F108310BA9C6A1E0C7B45854DBD0

Function 000AB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 000ABB4E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 58065bb8a2c02e8a929669f8115122c2a0e1271de579daa880e6e114dee78e43
Instruction ID: 047506c6a2c40eab29078572f6f8368562c79ee470672dc2d3e5e3d5e4c82b70
Opcode Fuzzy Hash: 58065bb8a2c02e8a929669f8115122c2a0e1271de579daa880e6e114dee78e43
Instruction Fuzzy Hash: 37329D34A00209DFDB24CF94C894ABEB7F9FF46310F148059EA05AB653D7B5AE81DB91

Function 00E410D0 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 00E408E0: GetFileAttributesW.KERNELBASE(?), ref: 00E408EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00E4123E

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: efcf82dec09c48f53afa33aa2f547d18a6d6a47406a54141f5770dd63c6ae4c6
Instruction ID: cd5ebc17be9894fcf6125244e7bff84effa379b33b6397f67316e38454e4c7e1
Opcode Fuzzy Hash: efcf82dec09c48f53afa33aa2f547d18a6d6a47406a54141f5770dd63c6ae4c6
Instruction Fuzzy Hash: 7E614031A1020896EF14DFA0D854BEF737AFF58700F0055ADE60DF7290EA759A85CBA5

Function 000A4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 000A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000A4EDD,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E9C
Part of subcall function 000A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000A4EAE
Part of subcall function 000A4E90: FreeLibrary.KERNEL32(00000000,?,?,000A4EDD,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4EFD

Part of subcall function 000A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,000E3CDE,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E62
Part of subcall function 000A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000A4E74
Part of subcall function 000A4E59: FreeLibrary.KERNEL32(00000000,?,?,000E3CDE,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E87

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 9b0c70bcd5df14394b7cc6f4dc4f13d8e46ae0760ab980df34335ec569e046f5
Instruction ID: e3520ec3cfac2f61c4df4095d51c678d3a6923c566df99f653d19229aebc6966
Opcode Fuzzy Hash: 9b0c70bcd5df14394b7cc6f4dc4f13d8e46ae0760ab980df34335ec569e046f5
Instruction Fuzzy Hash: EA11E736610205AECB24EFA0DC06FED77A5AF91711F20442DF552BB1C2DFB0AE459750

Function 000D8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 000D8440

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: cbce062f5961e969325efab2e51c55fa25b219718119007162d885947588a81f
Instruction ID: 8cc984af5c31e8d87e737cfba5337192869e3d7d99473680de10e9cc048856ce
Opcode Fuzzy Hash: cbce062f5961e969325efab2e51c55fa25b219718119007162d885947588a81f
Instruction Fuzzy Hash: C911187590420AAFCB15DF58E941ADE7BF9EF49314F14805AF808AB312DB31EA11CBA5

Function 000A9A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,000A543F,?,00010000,00000000,00000000,00000000,00000000), ref: 000A9A9C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f1ce57d22907d05aa53df47512c79ccceceb6bebff6a94467afcde05f0ea410b
Instruction ID: 55653d763beacfe650ca34ba097db5139174270aa587fba01232e401666b4034
Opcode Fuzzy Hash: f1ce57d22907d05aa53df47512c79ccceceb6bebff6a94467afcde05f0ea410b
Instruction Fuzzy Hash: 1C118832200B009FD720CF85C880BA6B7F8EF55360F14C42EE99B8AA51C770A845CBA1

Function 000D5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000D4C7D: RtlAllocateHeap.NTDLL(00000008,000A1129,00000000,?,000D2E29,00000001,00000364,?,?,?,000CF2DE,000D3863,00171444,?,000BFDF5,?), ref: 000D4CBE

_free.LIBCMT ref: 000D506C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 7479e567e6154aab870bab1004699d83a095b4318597c3adc3446754d5b70e8c
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: C40126722047046BE3318E659C85A9AFFECFB89370F25051EE58483380EA30A805C6B4

Function 000CE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 422f0125559da6018e97cd004a79afc0a1c380bcf45fed7eb5c882bd62309bc7
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 83F0D132521B5096C6312B79DC05F9E339C9F623B4F10072EF421922D3DA74A80186B5

Function 000D4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,000A1129,00000000,?,000D2E29,00000001,00000364,?,?,?,000CF2DE,000D3863,00171444,?,000BFDF5,?), ref: 000D4CBE

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d1e1df192dcc7eab62a942ff9560ed4c336a59bca30e8c0d65cb8f969da1a225
Instruction ID: 0842ff8d7d9ae21cbe6a5dab7c795debeee07679556782a48e8f621107c1285f
Opcode Fuzzy Hash: d1e1df192dcc7eab62a942ff9560ed4c336a59bca30e8c0d65cb8f969da1a225
Instruction Fuzzy Hash: EDF0BE31622324A7DBA15F629C0AF9E37C9BF517A1B19512BB819AA381CA70D80196F0

Function 000D3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2d67a085329ca5becd4b5a6d65116f09b1284d777da46c3ee8db405510637633
Instruction ID: ac4191c2711406c44899d0d5ece2ab5b476ad478c210492d93368b0fd461975a
Opcode Fuzzy Hash: 2d67a085329ca5becd4b5a6d65116f09b1284d777da46c3ee8db405510637633
Instruction Fuzzy Hash: D9E0E531100325A6D63127669C01FDE368AAB427B0F090026BC0496A81CF50DD01B2F3

Function 000A4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4F6D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2ec0edb18b6220617904b1f3dd0347e1a879d5624a79bb014d566bf24cdb6234
Instruction ID: 934f64d35c9199d222055357211dbe2599f2792daee90d63fd60c21dec60aa3b
Opcode Fuzzy Hash: 2ec0edb18b6220617904b1f3dd0347e1a879d5624a79bb014d566bf24cdb6234
Instruction Fuzzy Hash: A4F0A979005342CFCB348FA0D490826BBE0AF42329320997EE1EA82621C7B19884EF40

Function 000A2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000A2DC4

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: f600f5e97a5031bec2cb3d94450ea0aa160d7de9b919220d13fdcd7d7f79ec5f
Instruction ID: e3ea6fc7d77365976fce8598224caa1778998e6f5f1aa769f0ec90f211e782e1
Opcode Fuzzy Hash: f600f5e97a5031bec2cb3d94450ea0aa160d7de9b919220d13fdcd7d7f79ec5f
Instruction Fuzzy Hash: 8AE0CD726001245BC71192989C05FDA77EDDFC8790F040071FD09E7249DA70ADC08690

Function 00112693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 001126B5

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: cfc72fdcdd000bc744b609c148cbee4dc6fe93c0f174c1fbc18c1faf950410fc
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 8EE04FB0609B005FDF3D5A28A851BF677E89F49300F10086EFA9F83252E6726895CA5D

Function 000A2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000A3908

Part of subcall function 000AD733: GetInputState.USER32 ref: 000AD807

SetCurrentDirectoryW.KERNEL32(?), ref: 000A2B6B

Part of subcall function 000A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 000A314E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: c02a09dc9c8d62f8ab8577e98358ca45e38b520756df459b465691feff07f30e
Instruction ID: 239b840e5de0df4331f7aa7bc68a33a1e1584d1922b05a34cbdbccc32fc1344b
Opcode Fuzzy Hash: c02a09dc9c8d62f8ab8577e98358ca45e38b520756df459b465691feff07f30e
Instruction Fuzzy Hash: 18E0CD3230424417C608BBF8A8565FDB759DBD3351F40553EF14757163DF2485894351

Function 00E408E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00E408EB

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: f6fe6c6837d8e93b31788e48b3c62f2158ffc7943517f66b3ff0f25d94178d3d
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 59E0867151520CDBD714CBB8E9046E973A4D7C4310F104664E715E3181D5348E409654

Function 00E408B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00E408BB

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 086d61da97bccd9a657b3f47238a5c3483b68a5eaf41fb077fd62980aeab1b65
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 95D0A73090620CEBCB10CFB4AD04ADA73A8DB08320F104764FE15E3280D6319D409790

Function 000E039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,000E0704,?,?,00000000,?,000E0704,00000000,0000000C), ref: 000E03B7

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b35b3baaea2b46cca4ed0b3a6a2c9a1af7386082786df449ef10f2272edd7ecc
Instruction ID: ff41de3570ef44d84763798572b3e89c2f95121c97a7a49b4ad043a7bdf0e610
Opcode Fuzzy Hash: b35b3baaea2b46cca4ed0b3a6a2c9a1af7386082786df449ef10f2272edd7ecc
Instruction Fuzzy Hash: 7ED06C3204010DFBDF029F84DD06EDA3BAAFB48714F014000BE1866020C732E861AB90

Function 000A1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 000A1CBC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 84ee1ceb54cc02f6f9d489886f2a73d2a3efaef512a2bd90d0f8b7df4b26472b
Instruction ID: 0116f8300fc6c90d0c1752481993495aebde2de1ff09bddb1992718b1b4a6363
Opcode Fuzzy Hash: 84ee1ceb54cc02f6f9d489886f2a73d2a3efaef512a2bd90d0f8b7df4b26472b
Instruction Fuzzy Hash: 07C04836380205AAE2148B94AC4AF507764A348B10F148001F64DA99E382A228E0AAA0

Function 0011744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 000A5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,000A949C,?,00008000), ref: 000A5773

GetLastError.KERNEL32(00000002,00000000), ref: 001176DE

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 7ba45dd042486979d4f30d7714c06f0fb7f5eb355253cd4fbdcc0b6295de563a
Instruction ID: 9cee6f779541f629f2d9e5519a851097bbf1f7b96aa52b0ccdf49da59e92f092
Opcode Fuzzy Hash: 7ba45dd042486979d4f30d7714c06f0fb7f5eb355253cd4fbdcc0b6295de563a
Instruction Fuzzy Hash: 05816D306087019FDB18EF68C491AA9B7F1BF8A350F04452DF8965B3D2DB70AD85CB92

Function 000BFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 000BFD1F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 73549ad5f2d60e0b8912469fdac12fd074d1ba64b0ae1ad6cd95330466279c7e
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8831E275A0010ADBC768CF59D980AA9FBA6FF49300B2486A5E809CF756D731EDC1CBC0

Function 00E42340 Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00E42352

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction ID: 2acdce44a0009b792e0bfd31446efa9102a1789498bfffdd356d01f9eff8b066
Opcode Fuzzy Hash: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction Fuzzy Hash: DBF0C47094020EAFCF00EFA4D989AEEBBB5FF04311F504599FA16A6180DB349A50CBA1

Non-executed Functions

Function 00139576 Relevance: 75.9, APIs: 39, Strings: 4, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0013961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0013965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0013969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001396C9
SendMessageW.USER32 ref: 001396F2
GetKeyState.USER32(00000011), ref: 0013978B
GetKeyState.USER32(00000009), ref: 00139798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001397AE
GetKeyState.USER32(00000010), ref: 001397B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001397E9
SendMessageW.USER32 ref: 00139810
SendMessageW.USER32(?,00001030,?,00137E95), ref: 00139918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0013992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00139941
SetCapture.USER32(?), ref: 0013994A
ClientToScreen.USER32(?,?), ref: 001399AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001399BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001399D6
ReleaseCapture.USER32 ref: 001399E1
GetCursorPos.USER32(?), ref: 00139A19
ScreenToClient.USER32(?,?), ref: 00139A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00139A80
SendMessageW.USER32 ref: 00139AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00139AEB
SendMessageW.USER32 ref: 00139B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00139B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00139B4A
GetCursorPos.USER32(?), ref: 00139B68
ScreenToClient.USER32(?,?), ref: 00139B75
GetParent.USER32(?), ref: 00139B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00139BFA
SendMessageW.USER32 ref: 00139C2B
ClientToScreen.USER32(?,?), ref: 00139C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00139CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00139CDE
SendMessageW.USER32 ref: 00139D01
ClientToScreen.USER32(?,?), ref: 00139D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00139D82

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

GetWindowLongW.USER32(?,000000F0), ref: 00139E05

Strings

@GUI_DRAGID, xrefs: 0013997D
F, xrefs: 00139D07
8V, xrefs: 00139728, 00139894, 001398B7, 001398EF, 00139A3C, 00139BB7, 00139C5E, 00139C8E, 00139D2C, 00139D58, 00139DA1, 00139DF2, 00139E16, 00139E40
@U=u, xrefs: 0013965B, 001396C9, 001396F2, 001397AE, 001397E9, 00139810, 00139918, 00139A80, 00139AAE, 00139AEB, 00139B1A, 00139BFA, 00139C2B, 00139CDE, 00139D01

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: 8V$@GUI_DRAGID$@U=u$F
API String ID: 3429851547-3646012143
Opcode ID: d99b97f1adbb6bcc8069915367828d7d5f076d1dd25034da2beab751c04d782e
Instruction ID: 4c7065e8ccc4be233751acf1047286b4a274d24c1423bbb5c01abb4e0cbe14eb
Opcode Fuzzy Hash: d99b97f1adbb6bcc8069915367828d7d5f076d1dd25034da2beab751c04d782e
Instruction Fuzzy Hash: 7A42ADB5205200AFDB24CF28CC85EAABBF5FF49314F100619F699976A1D7B1E891CF91

Function 00134873 Relevance: 63.6, APIs: 33, Strings: 3, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001348F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00134908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00134927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0013494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0013495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0013497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001349AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001349D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00134A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00134A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00134A7E
IsMenu.USER32(?), ref: 00134A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00134AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00134B20
GetWindowLongW.USER32(?,000000F0), ref: 00134B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00134BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00134C82
wsprintfW.USER32 ref: 00134CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00134CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00134CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00134D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00134D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00134D5A

Strings

8V, xrefs: 0013489F
%d/%02d/%02d, xrefs: 00134CA8
@U=u, xrefs: 001348F3, 00134908, 0013495C, 00134A0F, 00134A56, 00134A7E, 00134BE3, 00134C82, 00134CC9, 00134D13, 00134D33, 00134E15, 00134E4E, 00134EA5, 00134F10

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$8V$@U=u
API String ID: 4054740463-1888415769
Opcode ID: 86bf91ab7ea30f992013a7083253ba5ee2401a86ab0348e26ca66c2ab134aa7f
Instruction ID: 36a233011cb13438f6d17d27acf042730cc3075a6b655b1ff82e90946b0ff63e
Opcode Fuzzy Hash: 86bf91ab7ea30f992013a7083253ba5ee2401a86ab0348e26ca66c2ab134aa7f
Instruction Fuzzy Hash: 8E12BC71600254ABEB258F68CC4AFEE7BF8EF45710F144129F516EB2E1DB74A941CB90

Function 000BF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 000BF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 000FF474
IsIconic.USER32(00000000), ref: 000FF47D
ShowWindow.USER32(00000000,00000009), ref: 000FF48A
SetForegroundWindow.USER32(00000000), ref: 000FF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000FF4AA
GetCurrentThreadId.KERNEL32 ref: 000FF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 000FF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 000FF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 000FF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 000FF4DE
SetForegroundWindow.USER32(00000000), ref: 000FF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 000FF4F6
keybd_event.USER32(00000012,00000000), ref: 000FF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 000FF50B
keybd_event.USER32(00000012,00000000), ref: 000FF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 000FF519
keybd_event.USER32(00000012,00000000), ref: 000FF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 000FF528
keybd_event.USER32(00000012,00000000), ref: 000FF52D
SetForegroundWindow.USER32(00000000), ref: 000FF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 000FF557

Strings

Shell_TrayWnd, xrefs: 000FF46F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a8bb7912d2269179716d39185b7d23cef60beb27e333e1696d72d5d6e7820eb9
Instruction ID: ea83eb7c84a2709ee1300266b76db985ab30b69cd5fd8eead8f6faa304e77efb
Opcode Fuzzy Hash: a8bb7912d2269179716d39185b7d23cef60beb27e333e1696d72d5d6e7820eb9
Instruction Fuzzy Hash: 08313E71A40218BAEB206BB55C4AFBF7EACEB44B50F100065FB05F65D1D6B19940ABA0

Function 00101201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 001016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0010170D
Part of subcall function 001016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0010173A
Part of subcall function 001016C3: GetLastError.KERNEL32 ref: 0010174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00101286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 001012A8
CloseHandle.KERNEL32(?), ref: 001012B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 001012D1
GetProcessWindowStation.USER32 ref: 001012EA
SetProcessWindowStation.USER32(00000000), ref: 001012F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00101310

Part of subcall function 001010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001011FC), ref: 001010D4
Part of subcall function 001010BF: CloseHandle.KERNEL32(?,?,001011FC), ref: 001010E9

Strings

winsta0, xrefs: 001012CC
default, xrefs: 0010130B
, xrefs: 0010125A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 48de0b0aa9fe3f88bc7a79d976c3e929bdcf0ca1e7c2b202d2b5acdf8b95e8fb
Instruction ID: 645a7df8424be1c02d444c444c7b9cfeb454f8f6a82df35b057b1b916b17449e
Opcode Fuzzy Hash: 48de0b0aa9fe3f88bc7a79d976c3e929bdcf0ca1e7c2b202d2b5acdf8b95e8fb
Instruction Fuzzy Hash: 3B817A71900249BBDF219FA4DC49BEE7BB9EF08704F144129F950F62A0DBB98994CB61

Function 00100B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00101114
Part of subcall function 001010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101120
Part of subcall function 001010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 0010112F
Part of subcall function 001010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101136
Part of subcall function 001010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0010114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00100BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00100C00
GetLengthSid.ADVAPI32(?), ref: 00100C17
GetAce.ADVAPI32(?,00000000,?), ref: 00100C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00100C6D
GetLengthSid.ADVAPI32(?), ref: 00100C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00100C8C
HeapAlloc.KERNEL32(00000000), ref: 00100C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00100CB4
CopySid.ADVAPI32(00000000), ref: 00100CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00100CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00100D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00100D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100D45
HeapFree.KERNEL32(00000000), ref: 00100D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100D55
HeapFree.KERNEL32(00000000), ref: 00100D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100D65
HeapFree.KERNEL32(00000000), ref: 00100D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00100D78
HeapFree.KERNEL32(00000000), ref: 00100D7F

Part of subcall function 00101193: GetProcessHeap.KERNEL32(00000008,00100BB1,?,00000000,?,00100BB1,?), ref: 001011A1
Part of subcall function 00101193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00100BB1,?), ref: 001011A8
Part of subcall function 00101193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00100BB1,?), ref: 001011B7

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5f916c28a5055a1e1066d94648b4332c4a2ccc2a7307e8593310e5af4010b655
Instruction ID: e333e52d82c32f4172603f04b990eccf896f531e036df6a741fc3011163983f0
Opcode Fuzzy Hash: 5f916c28a5055a1e1066d94648b4332c4a2ccc2a7307e8593310e5af4010b655
Instruction Fuzzy Hash: F471687690020AABDF11DFE4DC44BAEBBB8BF08310F048515F954B6291D7B5AA45CBB0

Function 0011EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0013CC08), ref: 0011EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0011EB37
GetClipboardData.USER32(0000000D), ref: 0011EB43
CloseClipboard.USER32 ref: 0011EB4F
GlobalLock.KERNEL32(00000000), ref: 0011EB87
CloseClipboard.USER32 ref: 0011EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0011EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0011EBC9
GetClipboardData.USER32(00000001), ref: 0011EBD1
GlobalLock.KERNEL32(00000000), ref: 0011EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0011EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0011EC38
GetClipboardData.USER32(0000000F), ref: 0011EC44
GlobalLock.KERNEL32(00000000), ref: 0011EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0011EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0011EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0011ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0011ECF3
CountClipboardFormats.USER32 ref: 0011ED14
CloseClipboard.USER32 ref: 0011ED59

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 4cdb04addd327c53604946248ae6c9a11b5b027cdeeaa44bfe79f6fc3c465170
Instruction ID: 17a88369d1cf441952abc40664be23db2ffdd078343c7c4a32d8c7607b01f62c
Opcode Fuzzy Hash: 4cdb04addd327c53604946248ae6c9a11b5b027cdeeaa44bfe79f6fc3c465170
Instruction Fuzzy Hash: F861F4752083019FD704EFA4D889FAA77E4EF85714F08452DF856972A2CB31DD85CBA2

Function 0011698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001169BE
FindClose.KERNEL32(00000000), ref: 00116A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00116A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00116A75

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00116AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00116ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00116B32
%03d, xrefs: 00116DA2
%02d, xrefs: 00116C00, 00116C0A, 00116C5A, 00116CAA, 00116CFA, 00116D4A
%4d, xrefs: 00116BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00116B6A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9d198a920fac22f6363cb8f59c027c99a95aa66e61dc9b407a35595a66047589
Instruction ID: eb08575d9d083051201d1346c50fbe9ba2366a620ebfe70768ec89917d69ca86
Opcode Fuzzy Hash: 9d198a920fac22f6363cb8f59c027c99a95aa66e61dc9b407a35595a66047589
Instruction Fuzzy Hash: 84D13172508300AEC714EBA4CC91EEBB7ECAF89704F44492DF589D7192EB75DA44CB62

Function 00119642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00119663
GetFileAttributesW.KERNEL32(?), ref: 001196A1
SetFileAttributesW.KERNEL32(?,?), ref: 001196BB
FindNextFileW.KERNEL32(00000000,?), ref: 001196D3
FindClose.KERNEL32(00000000), ref: 001196DE
FindFirstFileW.KERNEL32(*.*,?), ref: 001196FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0011974A
SetCurrentDirectoryW.KERNEL32(00166B7C), ref: 00119768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00119772
FindClose.KERNEL32(00000000), ref: 0011977F
FindClose.KERNEL32(00000000), ref: 0011978F

Strings

*.*, xrefs: 001196F5

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: fc2e9728bd8b203323af0d770a95799fcb92df7b52bb2c7f487c05065e4a85b6
Instruction ID: 41674e54b69f7f4210e78dc593200991b6e5cbc1fa03483121675925aaebde79
Opcode Fuzzy Hash: fc2e9728bd8b203323af0d770a95799fcb92df7b52bb2c7f487c05065e4a85b6
Instruction Fuzzy Hash: E531B3326406196ADB18AFB4DC59EEE77ACAF09321F144165F825E20E0DB34DDC4CFA4

Function 0011979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 001197BE
FindNextFileW.KERNEL32(00000000,?), ref: 00119819
FindClose.KERNEL32(00000000), ref: 00119824
FindFirstFileW.KERNEL32(*.*,?), ref: 00119840
SetCurrentDirectoryW.KERNEL32(?), ref: 00119890
SetCurrentDirectoryW.KERNEL32(00166B7C), ref: 001198AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001198B8
FindClose.KERNEL32(00000000), ref: 001198C5
FindClose.KERNEL32(00000000), ref: 001198D5

Part of subcall function 0010DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0010DB00

Strings

*.*, xrefs: 0011983B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: b2d5e294ca1e1e23b7d5dfbf09a1bd03bdda458fd93e0f111b0e382d315103da
Instruction ID: bac3fb509f1c62dfbb311abd80b7245a0cba8b3802af0c0c019adcd3df96fb9d
Opcode Fuzzy Hash: b2d5e294ca1e1e23b7d5dfbf09a1bd03bdda458fd93e0f111b0e382d315103da
Instruction Fuzzy Hash: 0C31B43250061D6EDB18EFB4EC58ADE77ACAF06320F144165E864B21E1DB34D9C5CB60

Function 00118195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00118257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00118267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00118273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00118310
SetCurrentDirectoryW.KERNEL32(?), ref: 00118324
SetCurrentDirectoryW.KERNEL32(?), ref: 00118356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0011838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00118395

Strings

*.*, xrefs: 0011839B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 347752e031c908be2564318d14faf028c32e39112dbada8a3c3a861262a6bab7
Instruction ID: f469b5d4f186fceea2730f63385d34dd8f136d91cd00891cda215d51ef07d425
Opcode Fuzzy Hash: 347752e031c908be2564318d14faf028c32e39112dbada8a3c3a861262a6bab7
Instruction Fuzzy Hash: 75616B725047059FC714EF64C840AEEB3E8FF89314F04892EF99997252EB31E985CB92

Function 0010D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A3A97,?,?,000A2E7F,?,?,?,00000000), ref: 000A3AC2

Part of subcall function 0010E199: GetFileAttributesW.KERNEL32(?,0010CF95), ref: 0010E19A

FindFirstFileW.KERNEL32(?,?), ref: 0010D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0010D1DD
MoveFileW.KERNEL32(?,?), ref: 0010D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0010D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0010D237

Part of subcall function 0010D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0010D21C,?,?), ref: 0010D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0010D253
FindClose.KERNEL32(00000000), ref: 0010D264

Strings

\*.*, xrefs: 0010D0CD, 0010D0D6, 0010D0EB

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 613bd6d1238475816bca1cd628bc005ae4ec5667e6f7364756b13e41173885ed
Instruction ID: cce27b188f63dc7791ebb086a0acd59034326d691364888828302d85c3d8cf3c
Opcode Fuzzy Hash: 613bd6d1238475816bca1cd628bc005ae4ec5667e6f7364756b13e41173885ed
Instruction Fuzzy Hash: 59617D3190111DABCF05EBE0DA929EEB7B5AF66340F608165E44277192EF706F09CB60

Function 0011ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0011ED91
EmptyClipboard.USER32 ref: 0011ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0011EDAC
CloseClipboard.USER32 ref: 0011EEA3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 88940a1451ae8cc38fa5122390e4cbc4223f6c674ce54eac1a70312fd2130dfd
Instruction ID: 9a46dfacf822ba0377d08ac877edca381193ccc398be6715e116b3ca8fe207ce
Opcode Fuzzy Hash: 88940a1451ae8cc38fa5122390e4cbc4223f6c674ce54eac1a70312fd2130dfd
Instruction Fuzzy Hash: 51419D75204611AFE714CFA5E849F59BBE1AF44318F15C0A9E8199BA62C731EC81CBD0

Function 0010E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 001016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0010170D
Part of subcall function 001016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0010173A
Part of subcall function 001016C3: GetLastError.KERNEL32 ref: 0010174A

ExitWindowsEx.USER32(?,00000000), ref: 0010E932

Strings

, xrefs: 0010E95C
@, xrefs: 0010E925
SeShutdownPrivilege, xrefs: 0010E902
, xrefs: 0010E920

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: c9fadfb06d6ce3b2f37428a140d4f1ce025992e64af1a7b841dae923af31d2f1
Instruction ID: ce58203e5f644518e71471ca3e636f541b3a024ae346529e9681abc1815bfefd
Opcode Fuzzy Hash: c9fadfb06d6ce3b2f37428a140d4f1ce025992e64af1a7b841dae923af31d2f1
Instruction Fuzzy Hash: AB01D673610311ABEB5826B69C86BBB729CA718758F154D21FC82F21D1D7E55C8086D0

Function 00121204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00121276
WSAGetLastError.WSOCK32 ref: 00121283
bind.WSOCK32(00000000,?,00000010), ref: 001212BA
WSAGetLastError.WSOCK32 ref: 001212C5
closesocket.WSOCK32(00000000), ref: 001212F4
listen.WSOCK32(00000000,00000005), ref: 00121303
WSAGetLastError.WSOCK32 ref: 0012130D
closesocket.WSOCK32(00000000), ref: 0012133C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: bec1c6a06bc52dbda60878d439dd2c28602b588d063dda0c9f0bcf9200f2fd01
Instruction ID: 2080b630ff8d329e7caa31687d7989b019eb5541ff9ad0fd103c84597f3477bd
Opcode Fuzzy Hash: bec1c6a06bc52dbda60878d439dd2c28602b588d063dda0c9f0bcf9200f2fd01
Instruction Fuzzy Hash: 66416331A00110EFD714DF64D484B6ABBE6BF56318F288198E8569F297C771ED81CBE1

Function 000DB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000DB9D4
_free.LIBCMT ref: 000DB9F8
_free.LIBCMT ref: 000DBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00143700), ref: 000DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0017121C,000000FF,00000000,0000003F,00000000,?,?), ref: 000DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00171270,000000FF,?,0000003F,00000000,?), ref: 000DBC36
_free.LIBCMT ref: 000DBD4B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 6486ddf5624930796d461c9d0511796f160fbd787b28f1ad5b8713a3e5aee439
Instruction ID: c9d6ad5df922b0287208de1f8442808ad0924be8241a9e884d4737d40123971e
Opcode Fuzzy Hash: 6486ddf5624930796d461c9d0511796f160fbd787b28f1ad5b8713a3e5aee439
Instruction Fuzzy Hash: 8AC10375904344EBCB209F6C8C51AAEBBF9EF41350F26419BE49497352EB309E419B70

Function 0010D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A3A97,?,?,000A2E7F,?,?,?,00000000), ref: 000A3AC2

Part of subcall function 0010E199: GetFileAttributesW.KERNEL32(?,0010CF95), ref: 0010E19A

FindFirstFileW.KERNEL32(?,?), ref: 0010D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0010D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0010D481
FindClose.KERNEL32(00000000), ref: 0010D498
FindClose.KERNEL32(00000000), ref: 0010D4A1

Strings

\*.*, xrefs: 0010D3F2

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bf2688d5e07fa320f8c32993e1bed490227cc011c167f4c8042692eacc46b897
Instruction ID: fe1be979e1559edae76ad89f50e0fe2ca59548833dd5f54795bf2cb49c6b0e97
Opcode Fuzzy Hash: bf2688d5e07fa320f8c32993e1bed490227cc011c167f4c8042692eacc46b897
Instruction Fuzzy Hash: 89315C720083559BC304EFA4D8918EFB7A8BF92314F444A1DF4D1931D2EB74AA09CBA3

Function 000DE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000DE645

Strings

1#SNAN, xrefs: 000DF844
1#QNAN, xrefs: 000DF84B
1#IND, xrefs: 000DF83D
1#INF, xrefs: 000DF852

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2fde496ee71036f744a0674f124781ad61f7977cfdd9de5d59e939c9b9e9137d
Instruction ID: b9644d803d2500723f69ea58640789be04c2c6cf0c5e531c4fea027e3c1613ad
Opcode Fuzzy Hash: 2fde496ee71036f744a0674f124781ad61f7977cfdd9de5d59e939c9b9e9137d
Instruction Fuzzy Hash: E9C23771E086698BDB65DF28DD407EAB7B5EB48304F1481EBD80EE7241E774AE818F50

Function 0011648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001164DC
CoInitialize.OLE32(00000000), ref: 00116639
CoCreateInstance.OLE32(0013FCF8,00000000,00000001,0013FB68,?), ref: 00116650
CoUninitialize.OLE32 ref: 001168D4

Strings

.lnk, xrefs: 001164BA, 00116524, 001165E0

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 2be558eccbbd2c7752c02cf4021125197db6a9208c32d652ed27972102b9b50b
Instruction ID: f1f118bd45e2f746ebdca56c0b74b60b3ae6ba5dbed757a15cd7eb70b9b2b26a
Opcode Fuzzy Hash: 2be558eccbbd2c7752c02cf4021125197db6a9208c32d652ed27972102b9b50b
Instruction Fuzzy Hash: C3D15971608301AFC304EF64C881EABB7E9FF95344F00896DF5958B292EB71E945CB92

Function 001222DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001222E8

Part of subcall function 0011E4EC: GetWindowRect.USER32(?,?), ref: 0011E504

GetDesktopWindow.USER32 ref: 00122312
GetWindowRect.USER32(00000000), ref: 00122319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00122355
GetCursorPos.USER32(?), ref: 00122381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001223DF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 9ae4baa698fbbb542d9b819db931a8d54f1a2667c00bff4b56afa325dedbc49d
Instruction ID: fcf45908c7946927ba12ca3a6895739796bfe9605db07bffc6d00e2cd5fe2698
Opcode Fuzzy Hash: 9ae4baa698fbbb542d9b819db931a8d54f1a2667c00bff4b56afa325dedbc49d
Instruction Fuzzy Hash: 6831ED72104325AFD724DF54D809A9BBBE9FF88314F000A19F984A7181DB74EA58CBD2

Function 00119B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00119B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00119C8B

Part of subcall function 00113874: GetInputState.USER32 ref: 001138CB
Part of subcall function 00113874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00113966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00119BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00119C75

Strings

*.*, xrefs: 00119B5D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9390ae182035245224b73a1f7fc839e364ced8750f3035622c74adb6e866d216
Instruction ID: a219071978c364b195b5f6f9672834874915e39b024e4e26c1e1a1e2ca6d0523
Opcode Fuzzy Hash: 9390ae182035245224b73a1f7fc839e364ced8750f3035622c74adb6e866d216
Instruction Fuzzy Hash: 0B41517190420A9FCF18DFA4C855BEEBBB8EF05310F144165E855B6191EB30AE94CFA0

Function 000A8060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 000E5DF0
VUUU, xrefs: 000A83FA
VUUU, xrefs: 000A843C
ffffba7200000066899514ffffffb86f00000066898516ffffffb97300000066898d18ffffffba6f0000006689951affffffb8660000006689851cffffffb97400, xrefs: 000E5D0F
VUUU, xrefs: 000A83E8
ERCP, xrefs: 000A813C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$ffffba7200000066899514ffffffb86f00000066898516ffffffb97300000066898d18ffffffba6f0000006689951affffffb8660000006689851cffffffb97400
API String ID: 0-1878390929
Opcode ID: 09227c21774bb759dbabc40f35707faaef0103613824f8760dcd6fcf7cd7b5d5
Instruction ID: 8267b0e316b370f79cc9888c4cd201b76b2130bb02543aca4eb13f25cfbab51b
Opcode Fuzzy Hash: 09227c21774bb759dbabc40f35707faaef0103613824f8760dcd6fcf7cd7b5d5
Instruction Fuzzy Hash: 75A29D70E0065ACFDF74CF99C8447AEB7B1BF55314F2485AAD815AB281EB319E81CB90

Function 000B997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 000B9A4E
GetSysColor.USER32(0000000F), ref: 000B9B23
SetBkColor.GDI32(?,00000000), ref: 000B9B36

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0ea23751b0d01461d996f260e909a1751ae7bc282cf44e01adaf6e1f93935b4f
Instruction ID: 9cf7a56cd84d30e1f56e7a42c4047777ca6201fb93d93b87f29bcbf155d00398
Opcode Fuzzy Hash: 0ea23751b0d01461d996f260e909a1751ae7bc282cf44e01adaf6e1f93935b4f
Instruction Fuzzy Hash: 16A1E570218548BEE778AA3C8C99EFF36DDDB42340F154119F706D6E92CA259D41E2B3

Function 00121806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0012304E: inet_addr.WSOCK32(?), ref: 0012307A
Part of subcall function 0012304E: _wcslen.LIBCMT ref: 0012309B

socket.WSOCK32(00000002,00000002,00000011), ref: 0012185D
WSAGetLastError.WSOCK32 ref: 00121884
bind.WSOCK32(00000000,?,00000010), ref: 001218DB
WSAGetLastError.WSOCK32 ref: 001218E6
closesocket.WSOCK32(00000000), ref: 00121915

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 70155ddf16842fb1891168c7fcab70eb4b61b2415231f4de05effb2c1cd7abc6
Instruction ID: 928f7ec1babba437804a4a8e24c057c59b5a220197f038c2bc32bd70b88f8df5
Opcode Fuzzy Hash: 70155ddf16842fb1891168c7fcab70eb4b61b2415231f4de05effb2c1cd7abc6
Instruction Fuzzy Hash: 5251B371A00210AFEB10EF64D886FAA77E5AB45718F488098F9096F3C3C771AD418BA1

Function 00131C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00131CC0
IsWindowEnabled.USER32 ref: 00131CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00131CDB
IsIconic.USER32 ref: 00131CE9
IsZoomed.USER32 ref: 00131CF7

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 95442b07321cc10160a179e72603413381afd2b0a230a5cd296009fa098d4ea9
Instruction ID: c2bbdeafe96fa90c419c252519be5d9e7d0111f01f1a97c0ab92acb937b42923
Opcode Fuzzy Hash: 95442b07321cc10160a179e72603413381afd2b0a230a5cd296009fa098d4ea9
Instruction Fuzzy Hash: A421A331740211AFD7209F2AC854B6A7BA5EF95325F199068E84A9B351C771DC42CBD0

Function 0012A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0012A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0012A6BA

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0012A79C
CloseHandle.KERNEL32(00000000), ref: 0012A7AB

Part of subcall function 000BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,000E3303,?), ref: 000BCE8A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 74571ad9874615586dc1735e984129810e87d4a69c0f9846b245f0db38a0bc51
Instruction ID: abc1f91a5ab147e9ed112dc3920c7f49954f9c89a89a6fcef00ee74f57eeaad7
Opcode Fuzzy Hash: 74571ad9874615586dc1735e984129810e87d4a69c0f9846b245f0db38a0bc51
Instruction Fuzzy Hash: 41517DB15083109FD310EF64D886AABBBE8FF89754F40892DF58997252EB30D904CB92

Function 0010AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0010AAAC
SetKeyboardState.USER32(00000080), ref: 0010AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0010AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0010AB88

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8e38f3dbe785e99f7b7e8ad68d90e2d1d59db5bea2aeee762722e2c0fb1f974b
Instruction ID: d6efaafede4e2d8a1b92ca038b6f152323453d1298f444e5e7b32e44051ffd9b
Opcode Fuzzy Hash: 8e38f3dbe785e99f7b7e8ad68d90e2d1d59db5bea2aeee762722e2c0fb1f974b
Instruction Fuzzy Hash: 1D311671A40308AEFB358B64CC05BFA7BA6AF44310F84821AF4C1561D1D3B4D981C7A2

Function 0011CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0011CE89
GetLastError.KERNEL32(?,00000000), ref: 0011CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0011CEFE

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a6573aa8269646e32124c31a10635952dd9bb3ccbd846267341e924eb704f9c0
Instruction ID: 342fc8703197133138caca18ed31ec561ad4d086e13d4f2f27825a02d03285da
Opcode Fuzzy Hash: a6573aa8269646e32124c31a10635952dd9bb3ccbd846267341e924eb704f9c0
Instruction Fuzzy Hash: D121BD71540705ABDB24CFA5C948BEBBBF8EB40354F10442EE546A2151E774EE858BE0

Function 00108298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 001082AA

Strings

|, xrefs: 001082DA
(, xrefs: 001082F0

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 48176eec44b758caa0ff2b73ee4e8a0a3dd68f24c027bc2e2fd251bb2f91d079
Instruction ID: 84a457bcb7fb78f0d1fb40f645e33bc40722f5d7f85affeef740b69a04bae3ea
Opcode Fuzzy Hash: 48176eec44b758caa0ff2b73ee4e8a0a3dd68f24c027bc2e2fd251bb2f91d079
Instruction Fuzzy Hash: D7323574A047059FCB28CF59C481AAAB7F1FF48710B15C56EE59ADB3A1EBB0E941CB40

Function 000D2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 000D271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000D2724
UnhandledExceptionFilter.KERNEL32(?), ref: 000D2731

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e641a7ac11a9eaafa73ac05106522fa1fc60926986e81c1e8e72651f7baa26ce
Instruction ID: 8af5bc4f5d0e849d4699d3615c5e322d35d664bedb8361d73ac838abbba0eccb
Opcode Fuzzy Hash: e641a7ac11a9eaafa73ac05106522fa1fc60926986e81c1e8e72651f7baa26ce
Instruction Fuzzy Hash: FA31C475901318ABCB21DF64DC88BDDBBB8AF18310F5041EAE81CA7261E7349F818F55

Function 001151CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001151DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00115238
SetErrorMode.KERNEL32(00000000), ref: 001152A1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c3a1299cc37717ee88717e749b9597b2a77fa6803347d61a4b5d9d2c145eed96
Instruction ID: a17b304582ec7db76e120d11e719200bf17f26bc7f7de1c50c68220d52c34f51
Opcode Fuzzy Hash: c3a1299cc37717ee88717e749b9597b2a77fa6803347d61a4b5d9d2c145eed96
Instruction Fuzzy Hash: 9C312B75A00518DFDB00DF94D884EEDBBB5FF49314F0580A9E809AB3A2DB71E855CB90

Function 001016C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 000BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000C0668
Part of subcall function 000BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 000C0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0010170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0010173A
GetLastError.KERNEL32 ref: 0010174A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: b0ba64b15b1856834079053de8adebd1f8fd6e77214fe4d0b546410be2575fa7
Instruction ID: b008f37d29e0750698c012c8f80800464d53b23d3a298804258b191f9bb2ee7e
Opcode Fuzzy Hash: b0ba64b15b1856834079053de8adebd1f8fd6e77214fe4d0b546410be2575fa7
Instruction Fuzzy Hash: 66119EB2504305BFD718AF54DC86DABB7B9EB44714B20852EF09657681EBB0FC818B60

Function 0010D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0010D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0010D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0010D650

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 445b18904b0f9769a7bbf64c24d584b41301b201c6d3579251b815932ecc03ab
Instruction ID: a9da40794adb33bd06b524397201da5d4084e7ff61530230c4138e64c3a39990
Opcode Fuzzy Hash: 445b18904b0f9769a7bbf64c24d584b41301b201c6d3579251b815932ecc03ab
Instruction Fuzzy Hash: 6F113C75E05228BBDB108F95AC45FAFBBBCEB49B60F108115F904F7290D6B04A058BA1

Function 00101663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0010168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001016A1
FreeSid.ADVAPI32(?), ref: 001016B1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: cd0ae30aae86a7342af778f2741f2743c9ca5642f00e7e6dc01541c9b061433a
Instruction ID: 1d00cbab1d603fb463bc7fafefdc8c1094eea5979ef760e32d1f36b552c216dd
Opcode Fuzzy Hash: cd0ae30aae86a7342af778f2741f2743c9ca5642f00e7e6dc01541c9b061433a
Instruction Fuzzy Hash: 69F0F47595030DFBDB00DFE49D89AAEBBBCFB08704F504565E501E2181E774AA848B90

Function 000C4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000D28E9,?,000C4CBE,000D28E9,001688B8,0000000C,000C4E15,000D28E9,00000002,00000000,?,000D28E9), ref: 000C4D09
TerminateProcess.KERNEL32(00000000,?,000C4CBE,000D28E9,001688B8,0000000C,000C4E15,000D28E9,00000002,00000000,?,000D28E9), ref: 000C4D10
ExitProcess.KERNEL32 ref: 000C4D22

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 204eb5171a4182f7340432cba04bab8ce2282a373182bf18651139b8281d0869
Instruction ID: a8fc09406d1c40c839ca0647d63bcdc26cf696bbd544ae417f1b157c9a31954e
Opcode Fuzzy Hash: 204eb5171a4182f7340432cba04bab8ce2282a373182bf18651139b8281d0869
Instruction Fuzzy Hash: D6E0B631000248ABCF11BF64DD1AF9C3B69FB41791B108418FC0A9A623CB35DD92DB90

Function 000DC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 000DC36C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: fe934d11992296d36a1405bdbed8facb729a7b390d5e80127b1866d7717b42db
Instruction ID: 92970fcb619f01320dc5d105c7e62cb25f93941605e4e8f7e5fb6f9bc8a13d85
Opcode Fuzzy Hash: fe934d11992296d36a1405bdbed8facb729a7b390d5e80127b1866d7717b42db
Instruction Fuzzy Hash: 53413B7650031A6FDB249FB9CC49EBB77B8EB84314F10426EF905D7281E6709E81CB60

Function 000FD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 000FD28C

Strings

X64, xrefs: 000FD2A8

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 26b26bda45b6e3f40ce1fdb4f6f396fa8e493ffcc57db85e29ce8398fd560e4c
Instruction ID: 5b0e17ac395c21fdc1d0ee2720e511d199dc63540c7eb841b516ca2dfd571c61
Opcode Fuzzy Hash: 26b26bda45b6e3f40ce1fdb4f6f396fa8e493ffcc57db85e29ce8398fd560e4c
Instruction Fuzzy Hash: DCD0C9B481111DEACBA4DB90DC88DDDB37CBB14305F100152F106A2000D73495489F50

Function 000CCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 353d60158afbedb109d0fbdb073bb0a77dd3a722e9a30cb05197095d8c835401
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 6F020B71E002199BEF14CFA9C980BADBBF1EF48314F25816ED919E7385D731AE418B94

Function 001168EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00116918
FindClose.KERNEL32(00000000), ref: 00116961

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 88b9b1b86663b9c84040f3d4887af26542457eaff56c8e3c935259fc4100ebb9
Instruction ID: 168d0834965c3f045008fa681ea09e26df50b09b3bcbb94172a4a49512519f1a
Opcode Fuzzy Hash: 88b9b1b86663b9c84040f3d4887af26542457eaff56c8e3c935259fc4100ebb9
Instruction Fuzzy Hash: EC11D0316042149FD714DF69C884A56BBE5FF85328F05C6A9E8698F6A2C731EC45CB90

Function 001137B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00124891,?,?,00000035,?), ref: 001137E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00124891,?,?,00000035,?), ref: 001137F4

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5371b1553e61ef8a44b751d408338a70479903414460b7a7927f6442e8f892c2
Instruction ID: ee338a8360baa48d33e0b55b5dbc3044ec8e38fde0b78f54fa0c58197c8d74c6
Opcode Fuzzy Hash: 5371b1553e61ef8a44b751d408338a70479903414460b7a7927f6442e8f892c2
Instruction Fuzzy Hash: 24F0E5B17043282AE72017A68C4DFEB3AAEEFC5761F000175F509E22C5DA609D84C7F0

Function 0010B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0010B25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 0010B270

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 69a8cb3f7b57252d243a23d72c0eb69122546dda55d3ea19946ccc4f0f8a5b0a
Instruction ID: 976730eef679cf29497747f8aa1fb2b0db85d502ce1e7d474bc8476cd9070c72
Opcode Fuzzy Hash: 69a8cb3f7b57252d243a23d72c0eb69122546dda55d3ea19946ccc4f0f8a5b0a
Instruction Fuzzy Hash: C7F01D7190428EABDB059FA0C805BAE7BB4FF08305F008009F955A5191C37996559F94

Function 001010BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,001011FC), ref: 001010D4
CloseHandle.KERNEL32(?,?,001011FC), ref: 001010E9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 292bb68d691a1c1ca005cbb91db03fd9042656bf1544cf59a50d703f863dc59b
Instruction ID: bee0853d3fc99b1e56fb3fe3194b2662401472925740f5b6692af0b21c85b383
Opcode Fuzzy Hash: 292bb68d691a1c1ca005cbb91db03fd9042656bf1544cf59a50d703f863dc59b
Instruction Fuzzy Hash: AAE0BF72014611AEE7252B51FC05EB777E9EB04320B14882DF5A5914B5DB62ACE0DB50

Function 000ACAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 000F0C40

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 131af91e0983a017312c51aae3502e3d940f3cb4e9cad672e13cadab19294b6f
Instruction ID: a961f13d6d2f0c629cfeb5187480ba01ee8a6394ae221de576054cf17c5bfb34
Opcode Fuzzy Hash: 131af91e0983a017312c51aae3502e3d940f3cb4e9cad672e13cadab19294b6f
Instruction Fuzzy Hash: 71327970A00218DFEF24DF94C980EFDB7B5BF06304F158069E906AB292DB75AE45DB60

Function 000D676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000D6766,?,?,00000008,?,?,000DFEFE,00000000), ref: 000D6998

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 9216f90ca1b82f7f521d221acefa18e6679924df5fb4a202db79798df098834f
Instruction ID: b7f5144c1a04ba3e61b39209b8c4b4ded31969bf0d7d208b16b4778e4362d0f6
Opcode Fuzzy Hash: 9216f90ca1b82f7f521d221acefa18e6679924df5fb4a202db79798df098834f
Instruction Fuzzy Hash: F7B148316107099FD755CF28C48AB697BE0FF05364F25865AE89ACF3A2C736E981CB50

Function 000BB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 000F851F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 931c0a05487104faf417e8a30e1d17eb7d969d9d2a771fb69a85f53b85edc3fc
Instruction ID: 1211a29b661edf4bda9c03e88a0d7132b7bfb32a8cd8433cd3ceb42bcb164775
Opcode Fuzzy Hash: 931c0a05487104faf417e8a30e1d17eb7d969d9d2a771fb69a85f53b85edc3fc
Instruction Fuzzy Hash: 1E125F71A002299BDB64CF58C8816FEB7F5FF48710F14819AE949EB251EB709E81DB90

Function 0011EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0011EABD

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1cbe81a53c89b15e6c20e503e7129245f75f637b75cb89ed636d5b5b621a44c2
Instruction ID: 4a91c9c0252498ea05f5047c038d3a08f1a387c7a13760b67c6617687046696a
Opcode Fuzzy Hash: 1cbe81a53c89b15e6c20e503e7129245f75f637b75cb89ed636d5b5b621a44c2
Instruction Fuzzy Hash: 64E04F322002049FD714EFA9E805EDAF7E9AF99760F018426FC4AD7352DB70E8808BD1

Function 000C09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,000C03EE), ref: 000C09DA

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0abf2aeb3838899aaaabc4a62ed9d936e1fbf061a4d4205cfb30840d6c88f474
Instruction ID: c1a60529ebcd87c6ca5f9a1277cc354f9c34dae1994628821b171eb9a636007f
Opcode Fuzzy Hash: 0abf2aeb3838899aaaabc4a62ed9d936e1fbf061a4d4205cfb30840d6c88f474
Instruction Fuzzy Hash:

Function 000C781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 000C798B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 00e4bb52fe1bee6faa02a09897a37399ea22659373e3298d4990f261a84ae011
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 1C51686168C6055BDBB887688859FFE23D9DB52340F18050DEA8ED7282CE21DE09DF56

Function 000D6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd7f1c85fce59eb982acfeffb0cae4a576d14f0fea1ac12f95f5248403bd5b9
Instruction ID: d2b12b48e768176c18c20c76ea947c6375386e0464499ee54938ac9dc62f8210
Opcode Fuzzy Hash: cbd7f1c85fce59eb982acfeffb0cae4a576d14f0fea1ac12f95f5248403bd5b9
Instruction Fuzzy Hash: 5A321026D29F014DD7239634D822336A689AFB73C5F55D737F81AB5EAAEB29C4C34100

Function 000BCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3b706fef9f0ffae731abf4b68c3b2cffef6b30d7f4283ec0e7b79b7a22af2d9
Instruction ID: 407f116b0857183893c02b6ad8020395c2d797f72d16b8635ce09fd385b563e6
Opcode Fuzzy Hash: a3b706fef9f0ffae731abf4b68c3b2cffef6b30d7f4283ec0e7b79b7a22af2d9
Instruction Fuzzy Hash: 36321831A0414D8BFF78CA28C696EBD7BE1EB45304F28856AD659C7A91D330DD81FB41

Function 000A7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c26f6fcd1eba117108d7c20e8b2407d49b72f56566501ddaf10d1b6596c5c9
Instruction ID: 431eba1136ebb22396131897d056e977576ce06d1ddb57d182a9efd814753e85
Opcode Fuzzy Hash: 15c26f6fcd1eba117108d7c20e8b2407d49b72f56566501ddaf10d1b6596c5c9
Instruction Fuzzy Hash: 8D229FB0A0460ADFDF14CFA5CC81AEEB7F6FF45304F148529E816A7291EB359A51CB60

Function 000A91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c7f561c1634e1ca9fdd068162b9abdb61b75aa25c6286f6ffbf88b2ccdf9fe
Instruction ID: 30d712c02c5b95d4e2c60aad64ca5ca2d2d9a6e310408a067fafbdb1ccd2cfbf
Opcode Fuzzy Hash: 05c7f561c1634e1ca9fdd068162b9abdb61b75aa25c6286f6ffbf88b2ccdf9fe
Instruction Fuzzy Hash: 4A02C7B1A0014AEFCB14DF65D881AEEB7B5FF44300F108169E816AB291EB71EE51CB91

Function 000C1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: bbc69442767f598ba1607b0f5715e716344b75f49024be0dff23fa80b0f54e92
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 2A9187721080A34ADB69473E8574ABDFFE15F533A131A079DE4F3CA1C2EE20C965E620

Function 000C19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: b862a777db23f91729b57352483dc4f473c03299122756e4433a20186af06ded
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 799158722090A34EDB6D437A85749BDFFE15B933A1319079DD4F2CA1C2FE24C965DA20

Function 000C7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc62c85b87cd9819515570f0d95c25907b959a40d3c9c5f4a688e5021796e206
Instruction ID: 14b592c993bbd72fa07418a1e1ce12a03ca0f84b23435a8b71ad7c4e46d5ce95
Opcode Fuzzy Hash: cc62c85b87cd9819515570f0d95c25907b959a40d3c9c5f4a688e5021796e206
Instruction Fuzzy Hash: D761697120870567DBB49B288995FFE23D8DF81710F10491EE94ECB282D7119E42DF16

Function 000C1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5dbb6e26c6a2c461cbfef9d29e6f1a223bdee6dbc188be878b8299f91257cfd6
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 0E81657250D0A349DBAD433985749BEFFE19F933A131A079DD4F2CA1C2EE24C558E620

Function 00E437A0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 8b5352b608ed4c150b4d12d12eb54eb8c8054f57f4009ac8bd25e7f5b06771d0
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 7341A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB50

Function 00112046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca108a72c429e77b70df674830247dbef36d551528f03b00414630f9dc90ee87
Instruction ID: e7889b40bc80bc0c9577fcf6e701b75b770d77861bc2b65ba45d55869c1c0fc8
Opcode Fuzzy Hash: ca108a72c429e77b70df674830247dbef36d551528f03b00414630f9dc90ee87
Instruction Fuzzy Hash: BD21A5326206118BD72CCF79C8226BE73E5A754310F25862EF4A7C37D1DE39A984CB80

Function 00E43630 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: c4fca22a20a7e94377f79c78bace82f5861e03ac04fa00ad8a664f981510f013
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: A1014278A05109EFCB48DFA8D5909AEF7F5FB48310F6085D9E919A7741E730AE41DB80

Function 00E43690 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: e90538376e9ddf683c98f54a178ff30d5b02e102a02a9e41f21eb65e83ff973d
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 37019278A01109EFCB44DFA8D5909AEF7F5FB48310F208599E809A7301E730AE41DF80

Function 00E41EFE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39883051ad0acd5fc3a9b65a285c220fc8651299cfdca9718842298b505bee9e
Instruction ID: 12cbbee2ad97ca28ebd479973cedbf0f86dc4bb29c9604106d163cb5d8cfbbc3
Opcode Fuzzy Hash: 39883051ad0acd5fc3a9b65a285c220fc8651299cfdca9718842298b505bee9e
Instruction Fuzzy Hash: F6C08C300453C89ADB028759E08C7407BEDAB0AA18F1400E4D8080BA02C3A96A048A45

Function 00E41F10 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2673055580.0000000000E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e40000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00122ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00122B30
DeleteObject.GDI32(00000000), ref: 00122B43
DestroyWindow.USER32 ref: 00122B52
GetDesktopWindow.USER32 ref: 00122B6D
GetWindowRect.USER32(00000000), ref: 00122B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00122CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00122CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122CF8
GetClientRect.USER32(00000000,?), ref: 00122D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00122D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122DA8
GlobalFree.KERNEL32(00000000), ref: 00122DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0013FC38,00000000), ref: 00122DDB
GlobalFree.KERNEL32(00000000), ref: 00122DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00122E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00122E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00122E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0012303F

Strings

static, xrefs: 00122D3A, 00122E91
, xrefs: 00122FC5
DISPLAY, xrefs: 00122EA2
AutoIt v3, xrefs: 00122CF2
@U=u, xrefs: 00122E30, 00122FBF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 68919d015b00ca2c158f393ef5e8f80f8591f474fc86aed2a7b42a87393798a1
Instruction ID: 45ec1b0ca17cca11e19607e7b9703c566dbf19455fc7507a36e68ccb26f2caa9
Opcode Fuzzy Hash: 68919d015b00ca2c158f393ef5e8f80f8591f474fc86aed2a7b42a87393798a1
Instruction Fuzzy Hash: 00026B71900215EFDB14DFA4DC89EAE7BB9FF49310F048158F919AB2A1CB74AD41CBA0

Function 001370D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0013712F
GetSysColorBrush.USER32(0000000F), ref: 00137160
GetSysColor.USER32(0000000F), ref: 0013716C
SetBkColor.GDI32(?,000000FF), ref: 00137186
SelectObject.GDI32(?,?), ref: 00137195
InflateRect.USER32(?,000000FF,000000FF), ref: 001371C0
GetSysColor.USER32(00000010), ref: 001371C8
CreateSolidBrush.GDI32(00000000), ref: 001371CF
FrameRect.USER32(?,?,00000000), ref: 001371DE
DeleteObject.GDI32(00000000), ref: 001371E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00137230
FillRect.USER32(?,?,?), ref: 00137262
GetWindowLongW.USER32(?,000000F0), ref: 00137284

Part of subcall function 001373E8: GetSysColor.USER32(00000012), ref: 00137421
Part of subcall function 001373E8: SetTextColor.GDI32(?,?), ref: 00137425
Part of subcall function 001373E8: GetSysColorBrush.USER32(0000000F), ref: 0013743B
Part of subcall function 001373E8: GetSysColor.USER32(0000000F), ref: 00137446
Part of subcall function 001373E8: GetSysColor.USER32(00000011), ref: 00137463
Part of subcall function 001373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00137471
Part of subcall function 001373E8: SelectObject.GDI32(?,00000000), ref: 00137482
Part of subcall function 001373E8: SetBkColor.GDI32(?,00000000), ref: 0013748B
Part of subcall function 001373E8: SelectObject.GDI32(?,?), ref: 00137498
Part of subcall function 001373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 001374B7
Part of subcall function 001373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001374CE
Part of subcall function 001373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 001374DB

Strings

@U=u, xrefs: 001372CC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: 597b19f0527d73025aef51ba502133095c5ae56390cfab33e0eb3daaf2f58ef2
Instruction ID: d5241bde5c19a745a158bc07e9a1573ffc344e010e312a37d38ed639231fb481
Opcode Fuzzy Hash: 597b19f0527d73025aef51ba502133095c5ae56390cfab33e0eb3daaf2f58ef2
Instruction Fuzzy Hash: FCA1C5B2108301FFDB109F60DC48E6B7BA9FF89320F100A19F962A65E1D771E984DB91

Function 000B8D85 Relevance: 51.2, APIs: 26, Strings: 3, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 000B8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 000F6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 000F6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000F6F43

Part of subcall function 000B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B8BE8,?,00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000B8FC5

SendMessageW.USER32(?,00001053), ref: 000F6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 000F6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 000F6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 000F6FB7

Strings

8V, xrefs: 000B8DC2, 000F6ADC, 000F6B10, 000F6B5F, 000F6B9F, 000F6C47, 000F6CE8, 000F6D8C, 000F6E18, 000F6EEF, 000F6F15, 000F6FC8
0, xrefs: 000F6DCF
@U=u, xrefs: 000F6AC5, 000F6BD6, 000F6EBF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$8V$@U=u
API String ID: 2760611726-2263420558
Opcode ID: 4b37741b13deec948b0609515f0f2949272f9ecea1cfcf2371bde178be386c72
Instruction ID: 732978600a78a03446327c08956baae5a6c7bbafefcc472b2c2ebe0c4f3ba1aa
Opcode Fuzzy Hash: 4b37741b13deec948b0609515f0f2949272f9ecea1cfcf2371bde178be386c72
Instruction Fuzzy Hash: E212BE30600205EFD765DF18C848BFAB7F5FB45300F148469E6999BA61CB32EC92EB91

Function 00122711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0012273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0012286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 001228A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001228B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00122900
GetClientRect.USER32(00000000,?), ref: 0012290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00122955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00122964
GetStockObject.GDI32(00000011), ref: 00122974
SelectObject.GDI32(00000000,00000000), ref: 00122978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00122988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00122991
DeleteDC.GDI32(00000000), ref: 0012299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001229C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 001229DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00122A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00122A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00122A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00122A77
GetStockObject.GDI32(00000011), ref: 00122A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00122A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00122A97

Strings

static, xrefs: 0012294F, 00122A71
DISPLAY, xrefs: 0012295A
msctls_progress32, xrefs: 00122A13
AutoIt v3, xrefs: 001228F8
@U=u, xrefs: 001229CC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 66ccc91e4b0cee739f3b31885647b36a283dbd9e9b9cd7167fe3da20602581d6
Instruction ID: 2b6d1eaa1a43a0e7f3df1178457422a3c6af7ad0fa4de76f5bbae185665b171f
Opcode Fuzzy Hash: 66ccc91e4b0cee739f3b31885647b36a283dbd9e9b9cd7167fe3da20602581d6
Instruction Fuzzy Hash: F3B12B71A40215BFEB14DFA8DC8AFAE7BB9EB09710F008514F915E7691D774AD80CBA0

Function 001373E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00137421
SetTextColor.GDI32(?,?), ref: 00137425
GetSysColorBrush.USER32(0000000F), ref: 0013743B
GetSysColor.USER32(0000000F), ref: 00137446
CreateSolidBrush.GDI32(?), ref: 0013744B
GetSysColor.USER32(00000011), ref: 00137463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00137471
SelectObject.GDI32(?,00000000), ref: 00137482
SetBkColor.GDI32(?,00000000), ref: 0013748B
SelectObject.GDI32(?,?), ref: 00137498
InflateRect.USER32(?,000000FF,000000FF), ref: 001374B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001374CE
GetWindowLongW.USER32(00000000,000000F0), ref: 001374DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0013752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00137554
InflateRect.USER32(?,000000FD,000000FD), ref: 00137572
DrawFocusRect.USER32(?,?), ref: 0013757D
GetSysColor.USER32(00000011), ref: 0013758E
SetTextColor.GDI32(?,00000000), ref: 00137596
DrawTextW.USER32(?,001370F5,000000FF,?,00000000), ref: 001375A8
SelectObject.GDI32(?,?), ref: 001375BF
DeleteObject.GDI32(?), ref: 001375CA
SelectObject.GDI32(?,?), ref: 001375D0
DeleteObject.GDI32(?), ref: 001375D5
SetTextColor.GDI32(?,?), ref: 001375DB
SetBkColor.GDI32(?,?), ref: 001375E5

Strings

@U=u, xrefs: 0013752A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: feb8dce7c6e4c1030e34ce6bca518f00b0168dbcbf3e5c2707cd7e302414edcb
Instruction ID: 032f41d133d1e5b402c8dfac9f165b8c8802ddc82dbdaa5a29369589c39f7883
Opcode Fuzzy Hash: feb8dce7c6e4c1030e34ce6bca518f00b0168dbcbf3e5c2707cd7e302414edcb
Instruction Fuzzy Hash: 20615AB2900218EFDF159FA4DC49AEEBFB9EB08320F114115F915BB2E1D775A980DB90

Function 00114ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00114AED
GetDriveTypeW.KERNEL32(?,0013CB68,?,\\.\,0013CC08), ref: 00114BCA
SetErrorMode.KERNEL32(00000000,0013CB68,?,\\.\,0013CC08), ref: 00114D36

Strings

ATA, xrefs: 00114C98
Virtual, xrefs: 00114CE5
SSA, xrefs: 00114CA6
Fibre, xrefs: 00114CAD
Removable, xrefs: 00114C10, 00114C15
SAS, xrefs: 00114CC9
Network, xrefs: 00114C02
iSCSI, xrefs: 00114CC2
RAID, xrefs: 00114CBB
RAMDisk, xrefs: 00114BF4
USB, xrefs: 00114CB4
SCSI, xrefs: 00114C8A
FileBackedVirtual, xrefs: 00114CEC
\\.\, xrefs: 00114B3F
PhysicalDrive, xrefs: 00114B76
SSD, xrefs: 00114C4A
Unknown, xrefs: 00114BED, 00114C83
1394, xrefs: 00114C9F
CDROM, xrefs: 00114BFB
ATAPI, xrefs: 00114C91
MMC, xrefs: 00114CDE
Fixed, xrefs: 00114C09
SATA, xrefs: 00114CD0

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7cce28542d699548292cf74e82ed4d9e0585360cf379e0b7c98c4398d76f611c
Instruction ID: 20d39d6264d188de3037e4faebcff60ee1c51bd35bc830d0d961dafc6c022bde
Opcode Fuzzy Hash: 7cce28542d699548292cf74e82ed4d9e0585360cf379e0b7c98c4398d76f611c
Instruction Fuzzy Hash: 2561B130705105DBCB0CDFA4CE81EECB7A1AB46B40B248035F846AB692DB36DD91DB82

Function 00130241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001302E5
_wcslen.LIBCMT ref: 0013031F
_wcslen.LIBCMT ref: 00130389
_wcslen.LIBCMT ref: 001303F1
_wcslen.LIBCMT ref: 00130475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001304C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00130504

Part of subcall function 000BF9F2: _wcslen.LIBCMT ref: 000BF9FD

Part of subcall function 0010223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00102258
Part of subcall function 0010223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0010228A

Strings

GETTEXT, xrefs: 001303EC, 00130407
SELECTALL, xrefs: 00130515
SELECTINVERT, xrefs: 0013057E
GETSELECTEDCOUNT, xrefs: 00130470, 0013048B
DESELECT, xrefs: 0013059C
FINDITEM, xrefs: 00130627
SELECT, xrefs: 00130548
GETITEMCOUNT, xrefs: 00130316, 00130337
VIEWCHANGE, xrefs: 00130675
GETSUBITEMCOUNT, xrefs: 00130384, 0013039F
GETSELECTED, xrefs: 001305E1
ISSELECTED, xrefs: 001304DD
SELECTCLEAR, xrefs: 0013052D
@U=u, xrefs: 001304C5, 00130504

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: abbc8e73567914f4360f0a05346a9f7e658ff697abc513e5ef1fb5731a5937a4
Instruction ID: 63f788a6dd9e263d9be422096550caf0b050bf2cdcf61733c9d07b3960b8547b
Opcode Fuzzy Hash: abbc8e73567914f4360f0a05346a9f7e658ff697abc513e5ef1fb5731a5937a4
Instruction Fuzzy Hash: A5E1DF312082018FC719DF24C96197EB3E6BF99318F15496CF896AB3A6DB30ED45CB81

Function 00130FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00131128
GetDesktopWindow.USER32 ref: 0013113D
GetWindowRect.USER32(00000000), ref: 00131144
GetWindowLongW.USER32(?,000000F0), ref: 00131199
DestroyWindow.USER32(?), ref: 001311B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001311ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0013120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0013121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00131232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00131245
IsWindowVisible.USER32(00000000), ref: 001312A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001312BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001312D0
GetWindowRect.USER32(00000000,?), ref: 001312E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0013130E
GetMonitorInfoW.USER32(00000000,?), ref: 00131328
CopyRect.USER32(?,?), ref: 0013133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 001313AA

Strings

tooltips_class32, xrefs: 001311E6
0, xrefs: 001310D3
(, xrefs: 0013131B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f78a6afd56935b6875df5bd0ec74a1a82fd3f448351e036e8afabb6f1e7266bd
Instruction ID: 5d115faf17faa68bd83f1a680b75a4cfa2e9b6d5d034c235de924aa58442a2ec
Opcode Fuzzy Hash: f78a6afd56935b6875df5bd0ec74a1a82fd3f448351e036e8afabb6f1e7266bd
Instruction Fuzzy Hash: 30B17D71608341AFD714DF64C885BABBBE5FF85350F00891CF999AB2A2C771E844CB91

Function 000B8891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B8968
GetSystemMetrics.USER32(00000007), ref: 000B8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000B899B
GetSystemMetrics.USER32(00000008), ref: 000B89A3
GetSystemMetrics.USER32(00000004), ref: 000B89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 000B89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 000B89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 000B8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 000B8A3C
GetClientRect.USER32(00000000,000000FF), ref: 000B8A5A
GetStockObject.GDI32(00000011), ref: 000B8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 000B8A81

Part of subcall function 000B912D: GetCursorPos.USER32(?), ref: 000B9141
Part of subcall function 000B912D: ScreenToClient.USER32(00000000,?), ref: 000B915E
Part of subcall function 000B912D: GetAsyncKeyState.USER32(00000001), ref: 000B9183
Part of subcall function 000B912D: GetAsyncKeyState.USER32(00000002), ref: 000B919D

SetTimer.USER32(00000000,00000000,00000028,000B90FC), ref: 000B8AA8

Strings

AutoIt v3 GUI, xrefs: 000B8A20
@U=u, xrefs: 000B8A81

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: bb38b6d2787cc15808a984b9f4ca38834d27f1bf4bd1604551fceffb4b4f63a0
Instruction ID: eb057985a3e1260badbc122fe894dfd8041883e175525fb69de1c2a0fa343963
Opcode Fuzzy Hash: bb38b6d2787cc15808a984b9f4ca38834d27f1bf4bd1604551fceffb4b4f63a0
Instruction Fuzzy Hash: D4B16E75A0020AEFDF14DF68CC45BEE7BB5FB48314F148229FA15A76A0DB70A881DB51

Function 00105A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00105A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00105A40
SetWindowTextW.USER32(?,?), ref: 00105A57
GetDlgItem.USER32(?,000003EA), ref: 00105A6C
SetWindowTextW.USER32(00000000,?), ref: 00105A72
GetDlgItem.USER32(?,000003E9), ref: 00105A82
SetWindowTextW.USER32(00000000,?), ref: 00105A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00105AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00105AC3
GetWindowRect.USER32(?,?), ref: 00105ACC
_wcslen.LIBCMT ref: 00105B33
SetWindowTextW.USER32(?,?), ref: 00105B6F
GetDesktopWindow.USER32 ref: 00105B75
GetWindowRect.USER32(00000000), ref: 00105B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00105BD3
GetClientRect.USER32(?,?), ref: 00105BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00105C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00105C2F

Strings

@U=u, xrefs: 00105A40

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: 6be0bbd624a7f99591e7669d4c3458ea202cb84bdb53531f1efc3b696421440d
Instruction ID: d9318a950a1644c887b53680b93a075ab2e89b39885a1b1ff0e2ef7a201ed658
Opcode Fuzzy Hash: 6be0bbd624a7f99591e7669d4c3458ea202cb84bdb53531f1efc3b696421440d
Instruction Fuzzy Hash: C8713D71900B09EFDB20DFA9CE45AAFBBF6FF48705F104518E582A25A0D7B5A944CF50

Function 0013091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001309C6
_wcslen.LIBCMT ref: 00130A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00130A54
_wcslen.LIBCMT ref: 00130A8A
_wcslen.LIBCMT ref: 00130B06
_wcslen.LIBCMT ref: 00130B81

Part of subcall function 000BF9F2: _wcslen.LIBCMT ref: 000BF9FD

Part of subcall function 00102BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00102BFA

Strings

GETTEXT, xrefs: 00130C97
EXISTS, xrefs: 00130B7C, 00130B97
EXPAND, xrefs: 00130BF8
ISCHECKED, xrefs: 00130CE1
CHECK, xrefs: 00130A85, 00130AA0
GETSELECTED, xrefs: 00130C4E
UNCHECK, xrefs: 00130D3E
COLLAPSE, xrefs: 00130B01, 00130B1C
SELECT, xrefs: 00130D11
GETITEMCOUNT, xrefs: 00130C1E
GETTOTALCOUNT, xrefs: 001309F2, 00130A17
@U=u, xrefs: 00130A54

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: 8e0dd5ca17d63cb18c3bc41c5be566fa6b1befb68c228a54c61f344fd30de115
Instruction ID: 38bfea59aa8b6db95555939d0617a87614f03e59822d3988198b218e978ef13e
Opcode Fuzzy Hash: 8e0dd5ca17d63cb18c3bc41c5be566fa6b1befb68c228a54c61f344fd30de115
Instruction Fuzzy Hash: 49E1CE352087018FCB15EF64C86096AB7E1FF99318F15895CF89AAB3A2D731ED45CB81

Function 00100D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00101114
Part of subcall function 001010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101120
Part of subcall function 001010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 0010112F
Part of subcall function 001010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101136
Part of subcall function 001010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0010114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00100DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00100E29
GetLengthSid.ADVAPI32(?), ref: 00100E40
GetAce.ADVAPI32(?,00000000,?), ref: 00100E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00100E96
GetLengthSid.ADVAPI32(?), ref: 00100EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00100EB5
HeapAlloc.KERNEL32(00000000), ref: 00100EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00100EDD
CopySid.ADVAPI32(00000000), ref: 00100EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00100F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00100F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00100F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100F6E
HeapFree.KERNEL32(00000000), ref: 00100F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100F7E
HeapFree.KERNEL32(00000000), ref: 00100F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00100F8E
HeapFree.KERNEL32(00000000), ref: 00100F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00100FA1
HeapFree.KERNEL32(00000000), ref: 00100FA8

Part of subcall function 00101193: GetProcessHeap.KERNEL32(00000008,00100BB1,?,00000000,?,00100BB1,?), ref: 001011A1
Part of subcall function 00101193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00100BB1,?), ref: 001011A8
Part of subcall function 00101193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00100BB1,?), ref: 001011B7

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9f47719df7460d67db152c80d2458f8fe4104243d2b865075d429c8a7453910e
Instruction ID: b760b897166be0f8312abd9bd75bc715c2c0df08fd87464402c0eac32a0eec99
Opcode Fuzzy Hash: 9f47719df7460d67db152c80d2458f8fe4104243d2b865075d429c8a7453910e
Instruction Fuzzy Hash: 9B716D7290020AEBDF219FA4DC44FAEBBB8BF09301F144115FA99F6191D7B19A45DBA0

Function 0013833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0013835A
_wcslen.LIBCMT ref: 0013836E
_wcslen.LIBCMT ref: 00138391
_wcslen.LIBCMT ref: 001383B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001383F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0013361A,?), ref: 0013844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00138487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001384CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00138501
FreeLibrary.KERNEL32(?), ref: 0013850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0013851D
DestroyIcon.USER32(?), ref: 0013852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00138549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00138555

Strings

.icl, xrefs: 00138368
.exe, xrefs: 00138388
.dll, xrefs: 001383AB
@U=u, xrefs: 00138535

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: c6bc96df9ec18d44a354a9c1af5da553cf7bf19a3300e9a1f9ae53dee3ccdbbd
Instruction ID: 75b4e36dbd95a50e47f94472d99197bb719d52b56b43a26c7762e7f52dab483e
Opcode Fuzzy Hash: c6bc96df9ec18d44a354a9c1af5da553cf7bf19a3300e9a1f9ae53dee3ccdbbd
Instruction Fuzzy Hash: AA61AF72A40715BAEB14DF64CC45FFE77A8FB08B11F104609F815E61D2DBB4A994CBA0

Function 0012C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0013CC08,00000000,?,00000000,?,?), ref: 0012C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0012C5A4
_wcslen.LIBCMT ref: 0012C5F4
_wcslen.LIBCMT ref: 0012C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0012C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0012C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0012C84D
RegCloseKey.ADVAPI32(?), ref: 0012C881
RegCloseKey.ADVAPI32(00000000), ref: 0012C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0012C960

Strings

REG_BINARY, xrefs: 0012C913
REG_QWORD, xrefs: 0012C8C3
REG_EXPAND_SZ, xrefs: 0012C5CD
REG_DWORD, xrefs: 0012C804
REG_SZ, xrefs: 0012C644
REG_MULTI_SZ, xrefs: 0012C6F5

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 71714bb5b3721ed2706890cb4a4644212cc0948c96b0d611381c1bcea03a2fbc
Instruction ID: 2f9ec775a150d26137a90c9da08846b48e22bea341a7c31d67601af42f7194fa
Opcode Fuzzy Hash: 71714bb5b3721ed2706890cb4a4644212cc0948c96b0d611381c1bcea03a2fbc
Instruction Fuzzy Hash: C61276356042119FCB18EF24D891B6AB7E5EF89314F05895CF98A9B3A2DB31ED41CB81

Function 0012C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
_wcslen.LIBCMT ref: 0012C9F1
_wcslen.LIBCMT ref: 0012CA68
_wcslen.LIBCMT ref: 0012CA9E
_wcslen.LIBCMT ref: 0012CAF9
_wcslen.LIBCMT ref: 0012CB2F
_wcslen.LIBCMT ref: 0012CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0012CA62, 0012CA67
HKEY_CLASSES_ROOT, xrefs: 0012CAF3, 0012CAF8
HKEY_CURRENT_CONFIG, xrefs: 0012CB79, 0012CB7E
HKCC, xrefs: 0012CBAC
HKLM, xrefs: 0012CA98, 0012CA9D
HKCU, xrefs: 0012CBCE
HKU, xrefs: 0012CBF0
HKCR, xrefs: 0012CB29, 0012CB2E
HKEY_CURRENT_USER, xrefs: 0012CBBD
HKEY_USERS, xrefs: 0012CBDF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 46c1aa3a677b89e66321c82e4da9e4ee21e041f6c4bc2b9928223e4dabbcd3f3
Instruction ID: ef9bf7666f537de23249a2dfaedf3bbf913f63912138263398f10ceac67a6f68
Opcode Fuzzy Hash: 46c1aa3a677b89e66321c82e4da9e4ee21e041f6c4bc2b9928223e4dabbcd3f3
Instruction Fuzzy Hash: 8A71C33260053A8BCB20DE7CED516FE3391AFA1794B250528FA56A7285F771CDA583E0

Function 000A7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Unterminated group of comments, xrefs: 000E528C
#notrayicon, xrefs: 000A77E7
#comments-start, xrefs: 000A785F, 000A78B1
', xrefs: 000E5169
#include-once, xrefs: 000A782F
#requireadmin, xrefs: 000A77FF
Bad directive syntax error, xrefs: 000E519A
#include, xrefs: 000A7847
", xrefs: 000E5153
#comments-end, xrefs: 000A78D9
#cs, xrefs: 000A7873, 000A78C5
#pragma compile, xrefs: 000A77D3
Cannot parse #include, xrefs: 000E5279
#ce, xrefs: 000A78ED
#OnAutoItStartRegister, xrefs: 000A7817

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: c83dd4a922f64ef195d88aebaa702e06c0030422b905703a53a9dec7ea7ba15e
Instruction ID: f67c10bf56d798af1c78b72be7c5153c7368b224cb8fe28b09c1f8b8b835b2d1
Opcode Fuzzy Hash: c83dd4a922f64ef195d88aebaa702e06c0030422b905703a53a9dec7ea7ba15e
Instruction Fuzzy Hash: AC81F871A44605BFDB20AFA0DC42FEE37A9AF16340F048428F908AB197EB70D911D7A1

Function 0013856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00138592
GetFileSize.KERNEL32(00000000,00000000), ref: 001385A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 001385AD
CloseHandle.KERNEL32(00000000), ref: 001385BA
GlobalLock.KERNEL32(00000000), ref: 001385C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 001385D7
GlobalUnlock.KERNEL32(00000000), ref: 001385E0
CloseHandle.KERNEL32(00000000), ref: 001385E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 001385F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0013FC38,?), ref: 00138611
GlobalFree.KERNEL32(00000000), ref: 00138621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00138641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00138671
DeleteObject.GDI32(00000000), ref: 00138699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001386AF

Strings

@U=u, xrefs: 001386AF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 215fc42620b50ab498e06d27c661680304d1ad9debee64073ec849e3d5befe1f
Instruction ID: 3167cf333de589df58d18fe11744f628a99fbf00d4bce69702517ef23c271712
Opcode Fuzzy Hash: 215fc42620b50ab498e06d27c661680304d1ad9debee64073ec849e3d5befe1f
Instruction Fuzzy Hash: C9410A75600204AFDB119FA5DC89EAB7BB8FF89715F108158F909E7260DB309D41DF60

Function 00136CD9 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00136DEB

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00136E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00136E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00136E94
DestroyWindow.USER32(?), ref: 00136EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,000A0000,00000000), ref: 00136EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00136EFD
GetDesktopWindow.USER32 ref: 00136F16
GetWindowRect.USER32(00000000), ref: 00136F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00136F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00136F4D

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

Strings

tooltips_class32, xrefs: 00136E58, 00136EDD
0, xrefs: 00136D98
8V, xrefs: 00136D0F, 00136DCF, 00136DF1, 00136E04
@U=u, xrefs: 00136E81, 00136E94, 00136EFD, 00136F27

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$8V$@U=u$tooltips_class32
API String ID: 2429346358-3506087199
Opcode ID: 5b51770cd9ba40b082d4de47a5aa511a74f8ca88064a6a9af75be559acb5dddd
Instruction ID: 376ae375eb164a9f5add3ecb55c62b12149ae47f2950174f70c2bcaccd425a37
Opcode Fuzzy Hash: 5b51770cd9ba40b082d4de47a5aa511a74f8ca88064a6a9af75be559acb5dddd
Instruction Fuzzy Hash: A8716874104244AFDB21CF18DC54FAABBF9FB89304F04482DFA9997261C771E98ACB61

Function 0013911E Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

DragQueryPoint.SHELL32(?,?), ref: 00139147

Part of subcall function 00137674: ClientToScreen.USER32(?,?), ref: 0013769A
Part of subcall function 00137674: GetWindowRect.USER32(?,?), ref: 00137710
Part of subcall function 00137674: PtInRect.USER32(?,?,00138B89), ref: 00137720

SendMessageW.USER32(?,000000B0,?,?), ref: 001391B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001391BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001391DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00139225
SendMessageW.USER32(?,000000B0,?,?), ref: 0013923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00139255
SendMessageW.USER32(?,000000B1,?,?), ref: 00139277
DragFinish.SHELL32(?), ref: 0013927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00139371

Strings

@GUI_DRAGID, xrefs: 001392E9
8V, xrefs: 0013917D, 001391EA
@GUI_DRAGFILE, xrefs: 00139320
@U=u, xrefs: 001391B0, 00139225, 0013923E, 00139255, 00139277
@GUI_DROPID, xrefs: 0013929E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: 8V$@GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 221274066-1172589423
Opcode ID: a4a4b1737acf192d9e53f11afb5217d7a813b324921c775c0598ef56b117a10b
Instruction ID: 9ea240f512d7ea2b3b517265c81f3a0da579b9094bb4f1894a82110965434d60
Opcode Fuzzy Hash: a4a4b1737acf192d9e53f11afb5217d7a813b324921c775c0598ef56b117a10b
Instruction Fuzzy Hash: F3614971108301AFD701EFA4DC85DAFBBE8FF89750F40092DF595922A1DB709A49CB92

Function 000C00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 000C00C6

Part of subcall function 000C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0017070C,00000FA0,77A36488,?,?,?,?,000E23B3,000000FF), ref: 000C011C
Part of subcall function 000C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,000E23B3,000000FF), ref: 000C0127
Part of subcall function 000C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,000E23B3,000000FF), ref: 000C0138
Part of subcall function 000C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 000C014E
Part of subcall function 000C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 000C015C
Part of subcall function 000C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 000C016A
Part of subcall function 000C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000C0195
Part of subcall function 000C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 000C01A0

___scrt_fastfail.LIBCMT ref: 000C00E7

Part of subcall function 000C00A3: __onexit.LIBCMT ref: 000C00A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 000C0122
InitializeConditionVariable, xrefs: 000C0148
SleepConditionVariableCS, xrefs: 000C0154
WakeAllConditionVariable, xrefs: 000C0162
kernel32.dll, xrefs: 000C0133

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 896e4f6a4efe6fa7afd2ebf4570da8b85462edd6da8f69bd9c6dabd56bcc5353
Instruction ID: 5f2441e41c25d255c5985a20058bbf6c32aacb08104251fb2d02201ad591557f
Opcode Fuzzy Hash: 896e4f6a4efe6fa7afd2ebf4570da8b85462edd6da8f69bd9c6dabd56bcc5353
Instruction Fuzzy Hash: FD21F632A45711EBE7115BA4AC0AFAEB3E4EB04B51F14012DFC45F7A92DBB09C40CA90

Function 001030F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0010318D
_wcslen.LIBCMT ref: 001031F8

Strings

NAME, xrefs: 00103335, 00103346
INSTANCE, xrefs: 00103453
CLASSNN, xrefs: 001031F3, 00103204
CLASS, xrefs: 00103188, 001031A5
REGEXPCLASS, xrefs: 00103255, 00103266
TEXT, xrefs: 0010347C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: b3a6d821ffd6ec862149f9c956e722427874481382ea7b2edd6c30db41472a68
Instruction ID: e5141a24edb1470b102439f3d01c5d2e36e8cb47f69b67c8fa1347ba350c674a
Opcode Fuzzy Hash: b3a6d821ffd6ec862149f9c956e722427874481382ea7b2edd6c30db41472a68
Instruction Fuzzy Hash: B8E10732A005169BCB189FA8C851BEDFBB9BF14710F558119E4A6F72C1DBB0AE45C790

Function 001144C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0013CC08), ref: 00114527
_wcslen.LIBCMT ref: 0011453B
_wcslen.LIBCMT ref: 00114599
_wcslen.LIBCMT ref: 001145F4
_wcslen.LIBCMT ref: 0011463F
_wcslen.LIBCMT ref: 001146A7

Part of subcall function 000BF9F2: _wcslen.LIBCMT ref: 000BF9FD

GetDriveTypeW.KERNEL32(?,00166BF0,00000061), ref: 00114743

Strings

network, xrefs: 0011469D, 001146A2
ramdisk, xrefs: 001146F1
all, xrefs: 00114531, 00114536
removable, xrefs: 001145EA, 001145EF
cdrom, xrefs: 0011458F, 00114594
fixed, xrefs: 00114635, 0011463A
unknown, xrefs: 00114708

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 4b1e5d85601e64b6ab2dd0e77c541883690e6c04e9235d7e5d6092dc1bada5bb
Instruction ID: ab2453c2ec26bcbad5d4312f854b562ff161c6cabd06a09624ca09c5f4df5235
Opcode Fuzzy Hash: 4b1e5d85601e64b6ab2dd0e77c541883690e6c04e9235d7e5d6092dc1bada5bb
Instruction Fuzzy Hash: 30B1E6716083029FC718DF28C890AEEB7E5BFA6B64F50492DF496D7292D730D884C792

Function 0012AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0012B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0012B1D4
_wcslen.LIBCMT ref: 0012B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0012B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0012B236
_wcslen.LIBCMT ref: 0012B332

Part of subcall function 001105A7: GetStdHandle.KERNEL32(000000F6), ref: 001105C6

_wcslen.LIBCMT ref: 0012B34B
_wcslen.LIBCMT ref: 0012B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0012B3B6
GetLastError.KERNEL32(00000000), ref: 0012B407
CloseHandle.KERNEL32(?), ref: 0012B439
CloseHandle.KERNEL32(00000000), ref: 0012B44A
CloseHandle.KERNEL32(00000000), ref: 0012B45C
CloseHandle.KERNEL32(00000000), ref: 0012B46E
CloseHandle.KERNEL32(?), ref: 0012B4E3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: f3a39d78d5b1ef7cb5a138894f52da0e8fc83131542b5677b89acebf8ebd14bc
Instruction ID: 0c79bdaff78d978d8cc4fb45647b0fe93eedffa70bdf99cecaed8afa0a7ec91d
Opcode Fuzzy Hash: f3a39d78d5b1ef7cb5a138894f52da0e8fc83131542b5677b89acebf8ebd14bc
Instruction Fuzzy Hash: DBF19B316083509FC715EF24D891BAEBBE1BF85310F18855DF8999B2A2DB31EC50CB92

Function 000A326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00171990), ref: 000E2F8D
GetMenuItemCount.USER32(00171990), ref: 000E303D
GetCursorPos.USER32(?), ref: 000E3081
SetForegroundWindow.USER32(00000000), ref: 000E308A
TrackPopupMenuEx.USER32(00171990,00000000,?,00000000,00000000,00000000), ref: 000E309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 000E30A9

Strings

0, xrefs: 000A327D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f9c7914e0dc91ad93fbd99d3ee35724471fd6f105f4c5ac524f10e6daf73ff24
Instruction ID: f90071728bbcc770a43d4d86dc486376fd5c0ac33d7899f841c31c9df2cf2a51
Opcode Fuzzy Hash: f9c7914e0dc91ad93fbd99d3ee35724471fd6f105f4c5ac524f10e6daf73ff24
Instruction Fuzzy Hash: 38711571644255BEEB219F65CC89FAEBFA8FF05324F204226F5247A1E1C7B1AD50CB90

Function 0013541D Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00135504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00135515
CharNextW.USER32(00000158), ref: 00135544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00135585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0013559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001355AC

Strings

8V, xrefs: 0013545F
@U=u, xrefs: 00135504, 00135515, 0013554A, 001355C9, 0013562B, 00135816

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: 8V$@U=u
API String ID: 1350042424-1020947142
Opcode ID: ead622112451b03e14f683ec10f40f3a466d20d11ef0c58eaf5447c67e2d3eb9
Instruction ID: 3e361bfcf9d2321090fdf19c241f671843ff8f74a353f297301e9bbb003ce44d
Opcode Fuzzy Hash: ead622112451b03e14f683ec10f40f3a466d20d11ef0c58eaf5447c67e2d3eb9
Instruction Fuzzy Hash: 84619D71900608EFDF14CF94CC85AFE7BBAEF09B24F108145F925AB291D7749A80DBA0

Function 000B8BCD Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,000B8BE8,?,00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000B8FC5

DestroyWindow.USER32(?), ref: 000B8C81
KillTimer.USER32(00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000B8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 000F6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000F69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,000B8BBA,00000000,?), ref: 000F69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,000B8BBA,00000000), ref: 000F69D4
DeleteObject.GDI32(00000000), ref: 000F69E6

Strings

8V, xrefs: 000B8C06

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: 8V
API String ID: 641708696-3441868543
Opcode ID: 749c0161e3aed4f0aaf8536705139998ca8135c7222207754280f37ee87ea5a6
Instruction ID: fdbe90386c7a32aad15df40596f4e7c488cda9e92622ef7c06c64bca861d0ed0
Opcode Fuzzy Hash: 749c0161e3aed4f0aaf8536705139998ca8135c7222207754280f37ee87ea5a6
Instruction Fuzzy Hash: E261BA71102605EFCB758F18C948BA9BBF5FB40316F14851CE246AAD70CB72A8C1EF91

Function 0011C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0011C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0011C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0011C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0011C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0011C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0011C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0011C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0011C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0011C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0011C5F0
InternetCloseHandle.WININET(00000000), ref: 0011C5FB

Strings

, xrefs: 0011C575

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 658e6a5882beb04ded93d7d5ab59b88847f2b59f50cdca5e496fb63c5855386a
Instruction ID: ebfb48ce679ba947876abe3949c84ebbee86c85f9206bc5d6b5b6451a7069743
Opcode Fuzzy Hash: 658e6a5882beb04ded93d7d5ab59b88847f2b59f50cdca5e496fb63c5855386a
Instruction Fuzzy Hash: D5514DB1640605BFEB258FA4C948AFB7BFDFF08754F004429F94596610DB34E984DBA1

Function 000B9838 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

GetSysColor.USER32(0000000F), ref: 000B9862

Strings

8V, xrefs: 000B987C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ColorLongWindow
String ID: 8V
API String ID: 259745315-3441868543
Opcode ID: 5c839421d4b9e21d857a444a2eb6f38e58ec403995f88c5bed015c7165167c63
Instruction ID: 11eede397e0982e5052b0eed6e4a0bba46c73e806b80f850342ef9b5f49c0ba5
Opcode Fuzzy Hash: 5c839421d4b9e21d857a444a2eb6f38e58ec403995f88c5bed015c7165167c63
Instruction Fuzzy Hash: EB419F31104644AFDB215F389C84BF93BB5EB46330F144619FBA6972E1CB719C82EB61

Function 001114BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00111502
VariantCopy.OLEAUT32(?,?), ref: 0011150B
VariantClear.OLEAUT32(?), ref: 00111517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001115FB
VarR8FromDec.OLEAUT32(?,?), ref: 00111657
VariantInit.OLEAUT32(?), ref: 00111708
SysFreeString.OLEAUT32(?), ref: 0011178C
VariantClear.OLEAUT32(?), ref: 001117D8
VariantClear.OLEAUT32(?), ref: 001117E7
VariantInit.OLEAUT32(00000000), ref: 00111823

Strings

Default, xrefs: 001116AF
%4d%02d%02d%02d%02d%02d, xrefs: 00111625

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 3a8ff6a1c26a08a4d5b3e66301e7fb22f8aee678d22f2ba750186f19a763951a
Instruction ID: 81ba7e57f84cf03b52eadf8514eb2f4d9a360008143c86ec54a066d6104d0cf2
Opcode Fuzzy Hash: 3a8ff6a1c26a08a4d5b3e66301e7fb22f8aee678d22f2ba750186f19a763951a
Instruction Fuzzy Hash: F3D10031A04515EBDB189F64D885BFDF7B6BF46700F118066F646AB681DB30EC80DBA2

Function 0012B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 0012C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012C9F1
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA68
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0012B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0012B80A
RegCloseKey.ADVAPI32(?), ref: 0012B87E
RegCloseKey.ADVAPI32(?), ref: 0012B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0012B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0012B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0012B922
FreeLibrary.KERNEL32(00000000), ref: 0012B983
RegCloseKey.ADVAPI32(00000000), ref: 0012B994

Strings

advapi32.dll, xrefs: 0012B8ED
RegDeleteKeyExW, xrefs: 0012B8FE

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 4be20a20a381475a767a9e9842f69bd71ea37edea639d97775b3197a63bb79a4
Instruction ID: f81f92da836a643c62d5415a47024ea802d6238feafafb600ff1257224dffff9
Opcode Fuzzy Hash: 4be20a20a381475a767a9e9842f69bd71ea37edea639d97775b3197a63bb79a4
Instruction Fuzzy Hash: 57C1A934208211AFD714DF64D4D5F6ABBE5BF85308F14849CF5AA8B2A2CB31ED95CB81

Function 00138D0E Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00138D5A
GetFocus.USER32 ref: 00138D6A
GetDlgCtrlID.USER32(00000000), ref: 00138D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00138E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00138ECF
GetMenuItemCount.USER32(?), ref: 00138EEC
GetMenuItemID.USER32(?,00000000), ref: 00138EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00138F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00138F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00138FA1

Strings

8V, xrefs: 00138E63, 00138E85
0, xrefs: 00138E9F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$8V
API String ID: 1026556194-2721477870
Opcode ID: 5eed67fc36a5fb3868aec38341541f91fd9ee65aa5f1ece883dc7a5fea3f68db
Instruction ID: 9bc28093372a50b7dd1c61e9659859d9ea8c5dd61a6eb6239cd82088889483af
Opcode Fuzzy Hash: 5eed67fc36a5fb3868aec38341541f91fd9ee65aa5f1ece883dc7a5fea3f68db
Instruction Fuzzy Hash: F881A071608301AFD720DF24C884EABBBE9FF88754F14092DF995A7291DB70D945CBA1

Function 0012255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001225D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001225E8
CreateCompatibleDC.GDI32(?), ref: 001225F4
SelectObject.GDI32(00000000,?), ref: 00122601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0012266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001226AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001226D0
SelectObject.GDI32(?,?), ref: 001226D8
DeleteObject.GDI32(?), ref: 001226E1
DeleteDC.GDI32(?), ref: 001226E8
ReleaseDC.USER32(00000000,?), ref: 001226F3

Strings

(, xrefs: 0012268D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 7b65bcd3ddec892121d70f930120310036cb2b1296ad7c1bce3a95c08d996d16
Instruction ID: 9a001349a61ee1c40bccc72ac1353bda7d064c4157a5109f514df87b232615d5
Opcode Fuzzy Hash: 7b65bcd3ddec892121d70f930120310036cb2b1296ad7c1bce3a95c08d996d16
Instruction Fuzzy Hash: F661E2B6D00219EFCF14CFA4D884AAEBBB6FF48310F208529E955B7250D774A951DFA0

Function 0010E6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0010E6B4

Part of subcall function 000BE551: timeGetTime.WINMM(?,?,0010E6D4), ref: 000BE555

Sleep.KERNEL32(0000000A), ref: 0010E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0010E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0010E727
SetActiveWindow.USER32 ref: 0010E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0010E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0010E773
Sleep.KERNEL32(000000FA), ref: 0010E77E
IsWindow.USER32 ref: 0010E78A
EndDialog.USER32(00000000), ref: 0010E79B

Strings

BUTTON, xrefs: 0010E719
@U=u, xrefs: 0010E754, 0010E773

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 14a6318a7c06744bba4bb96b73e10b4a9894740a6cbd202b6e52585b50844b77
Instruction ID: c806b96bbd2a8fb597db194706527f723710bf5dbb1846689b91ec2fe13436e6
Opcode Fuzzy Hash: 14a6318a7c06744bba4bb96b73e10b4a9894740a6cbd202b6e52585b50844b77
Instruction Fuzzy Hash: 1C21A8B0200204FFEB006F65EC89A253BB9F754349F244825F95A929F1DBF19CC19B94

Function 000DDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 000DDAA1

Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD659
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD66B
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD67D
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD68F
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6A1
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6B3
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6C5
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6D7
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6E9
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD6FB
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD70D
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD71F
Part of subcall function 000DD63C: _free.LIBCMT ref: 000DD731

_free.LIBCMT ref: 000DDA96

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000DDAB8
_free.LIBCMT ref: 000DDACD
_free.LIBCMT ref: 000DDAD8
_free.LIBCMT ref: 000DDAFA
_free.LIBCMT ref: 000DDB0D
_free.LIBCMT ref: 000DDB1B
_free.LIBCMT ref: 000DDB26
_free.LIBCMT ref: 000DDB5E
_free.LIBCMT ref: 000DDB65
_free.LIBCMT ref: 000DDB82
_free.LIBCMT ref: 000DDB9A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c80158b80ee93849bc8cf57611086b95e01c3c21b54f3a2e56bcdb9940513501
Instruction ID: b74565648e60b690526ab0fdd928aaff61e5e694e6f87d922063476317059a86
Opcode Fuzzy Hash: c80158b80ee93849bc8cf57611086b95e01c3c21b54f3a2e56bcdb9940513501
Instruction Fuzzy Hash: 8D313931604705DFEB61AA39E845BAAB7E9FF10324F15841BE459D7392EB31EC409B30

Function 0010365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0010369C
_wcslen.LIBCMT ref: 001036A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00103797
GetClassNameW.USER32(?,?,00000400), ref: 0010380C
GetDlgCtrlID.USER32(?), ref: 0010385D
GetWindowRect.USER32(?,?), ref: 00103882
GetParent.USER32(?), ref: 001038A0
ScreenToClient.USER32(00000000), ref: 001038A7
GetClassNameW.USER32(?,?,00000100), ref: 00103921
GetWindowTextW.USER32(?,?,00000400), ref: 0010395D

Strings

%s%u, xrefs: 00103734

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 2a2330698c6aaed6360eb5f9f5b882998fcd5ab2d6cf1be9427dfb2760a80276
Instruction ID: f1c482ae5d75ab69ea6ac67e5715bda84705e3ba7881b80c10324a6e2ccbc3a8
Opcode Fuzzy Hash: 2a2330698c6aaed6360eb5f9f5b882998fcd5ab2d6cf1be9427dfb2760a80276
Instruction Fuzzy Hash: 0491AE71204606AFD719DF24C885FEAB7ACFF44354F008629F9E9D2191DBB0EA45CB91

Function 00104954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00104994
GetWindowTextW.USER32(?,?,00000400), ref: 001049DA
_wcslen.LIBCMT ref: 001049EB
CharUpperBuffW.USER32(?,00000000), ref: 001049F7
_wcsstr.LIBVCRUNTIME ref: 00104A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00104A64
GetWindowTextW.USER32(?,?,00000400), ref: 00104A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00104AE6
GetClassNameW.USER32(?,?,00000400), ref: 00104B20
GetWindowRect.USER32(?,?), ref: 00104B8B

Strings

ThumbnailClass, xrefs: 00104A6F, 00104AF1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b11ca1d717442d8b4d2b6a4b004b57663940be584aca72b903d96352c1c766e0
Instruction ID: 420224d8484641ae6c2c59bd2df630c6c4a8f3ddc3db852835beacfaa9720bb0
Opcode Fuzzy Hash: b11ca1d717442d8b4d2b6a4b004b57663940be584aca72b903d96352c1c766e0
Instruction Fuzzy Hash: 7991AAB21042059BDB04DF14C9C5BAA7BE8FF84314F048469FEC69A1D6EBB4ED45CBA1

Function 00133A23 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00133A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00133AA0
GetWindowLongW.USER32(?,000000F0), ref: 00133AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00133AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00133B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00133BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00133BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00133BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00133BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00133C13

Strings

8V, xrefs: 00133A67, 00133A76, 00133AAC, 00133B01, 00133C2A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID: 8V
API String ID: 312131281-3441868543
Opcode ID: 0ed1ccb8408ba320da8417ebd57259adba93370fbc077a40bd1aaa5512b452f9
Instruction ID: 9c1f1fdd636dc62b19926cc330e33dc55a98df373a9b754618cce54206a8fbab
Opcode Fuzzy Hash: 0ed1ccb8408ba320da8417ebd57259adba93370fbc077a40bd1aaa5512b452f9
Instruction Fuzzy Hash: F8617C75900248AFDB10DFA8CC81EEE77F8EB09704F10419AFA15A72A1C774AE85DB54

Function 0010DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0010DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0010DC46
_wcslen.LIBCMT ref: 0010DC50
_wcsstr.LIBVCRUNTIME ref: 0010DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0010DCBC

Strings

\VarFileInfo\Translation, xrefs: 0010DCB4
DefaultLangCodepage, xrefs: 0010DD1F
%u.%u.%u.%u, xrefs: 0010DD9A
StringFileInfo\, xrefs: 0010DC8F
04090000, xrefs: 0010DCF2

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 4044accc32571b05d143c9c4cf06d3461da8cb6c8971a2408f1ef5cb1b90ed27
Instruction ID: 5dc99cc7a7e11be18fe3e7969affc9c7e5dce4395f4493abe18860f1ff061f39
Opcode Fuzzy Hash: 4044accc32571b05d143c9c4cf06d3461da8cb6c8971a2408f1ef5cb1b90ed27
Instruction Fuzzy Hash: 9D41DF32A402057AEB14A7B4AC47EFF77ACEF52750F10006AF900A61D3EBB4DA1187A5

Function 0012CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0012CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0012CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0012CD48

Part of subcall function 0012CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0012CCAA
Part of subcall function 0012CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0012CCBD
Part of subcall function 0012CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0012CCCF
Part of subcall function 0012CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0012CD05
Part of subcall function 0012CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0012CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0012CCF3

Strings

advapi32.dll, xrefs: 0012CCB8
RegDeleteKeyExW, xrefs: 0012CCC9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: c5c14975cedfc93fb0fc4247eece9c39d562edfc614bc3d0cc76dca2f9dc7c18
Instruction ID: bf2a8021a2d49347708bbf688f012b8c9c02d21ae8a009ec58c559ada4f774b6
Opcode Fuzzy Hash: c5c14975cedfc93fb0fc4247eece9c39d562edfc614bc3d0cc76dca2f9dc7c18
Instruction Fuzzy Hash: 64315E75901129BBD7208BA5EC88EFFBB7CEF55750F000165FA05E3140D7749A959BE0

Function 0010E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0010EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0010EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0010EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0010EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0010EAA7

Strings

close PlayMe, xrefs: 0010EA6E, 0010EA9B
play PlayMe wait, xrefs: 0010EA91
play PlayMe, xrefs: 0010EAA2
status PlayMe mode, xrefs: 0010EA58
alias PlayMe, xrefs: 0010EA36
open , xrefs: 0010EA0C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: d573965e714ac9696401c961a78914ace72013e9c87a64d17c8ca8d8e95a3514
Instruction ID: 7d3e6938f98e51ea0079b12c46253eb8273977601452fdf8856b70e9e2aee98a
Opcode Fuzzy Hash: d573965e714ac9696401c961a78914ace72013e9c87a64d17c8ca8d8e95a3514
Instruction Fuzzy Hash: 5D117731B50219BDD710A7A2DC4ADFF6ABCEBD6B44F4408297801A30D1DFB00D55C5B0

Function 000B8B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 000F6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 000F68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 000F68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 000F68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 000F68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000B8874,00000000,00000000,00000000,000000FF,00000000), ref: 000F6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 000F691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,000B8874,00000000,00000000,00000000,000000FF,00000000), ref: 000F692D

Strings

@U=u, xrefs: 000F68F2, 000F691E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: 2da856df7f20babcedda9d7d70449909eb5c100da2c9ae9c5390cc0451ad6f96
Instruction ID: 58a733f0b6e792235397c7fbc650a91e9c421b24b360c3cb0ffc3d8a67441eb7
Opcode Fuzzy Hash: 2da856df7f20babcedda9d7d70449909eb5c100da2c9ae9c5390cc0451ad6f96
Instruction Fuzzy Hash: 55517970600209EFDB20CF28CC55FAA7BF9FB58750F108518FA56A76A0DB71E991EB50

Function 00138B02 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

Part of subcall function 000B912D: GetCursorPos.USER32(?), ref: 000B9141
Part of subcall function 000B912D: ScreenToClient.USER32(00000000,?), ref: 000B915E
Part of subcall function 000B912D: GetAsyncKeyState.USER32(00000001), ref: 000B9183
Part of subcall function 000B912D: GetAsyncKeyState.USER32(00000002), ref: 000B919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00138B6B
ImageList_EndDrag.COMCTL32 ref: 00138B71
ReleaseCapture.USER32 ref: 00138B77
SetWindowTextW.USER32(?,00000000), ref: 00138C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00138C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00138CFF

Strings

8V, xrefs: 00138BB4, 00138BEE
@GUI_DRAGFILE, xrefs: 00138C9A
@U=u, xrefs: 00138C25
@GUI_DROPID, xrefs: 00138C51

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: 8V$@GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-1685267460
Opcode ID: 0f94a075012f25f2451c07372eda813d82eac6c3d433068ec5d82a59bf51bb17
Instruction ID: e190a02cafc57fa32824497489867e976d55ac91fbacdae5dd719c0950c35890
Opcode Fuzzy Hash: 0f94a075012f25f2451c07372eda813d82eac6c3d433068ec5d82a59bf51bb17
Instruction Fuzzy Hash: CC518C71204304AFD704DF54DC56FAA77E4FB89754F400A2DF956672E2CB70A944CBA2

Function 001096E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,000EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00109717
LoadStringW.USER32(00000000,?,000EF7F8,00000001), ref: 00109720

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,000EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00109742
LoadStringW.USER32(00000000,?,000EF7F8,00000001), ref: 00109745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00109866

Strings

Line %d:, xrefs: 001097A0
Line %d (File "%s"):, xrefs: 0010978F
%s (%d) : ==> %s: %s %s, xrefs: 0010984A
Error: , xrefs: 0010981D
^ ERROR, xrefs: 001097FB

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8d6d1ce038871b3f63f087f0e330501865b1b90fae12b7dd85f78658046adda8
Instruction ID: 94ff3cc693cc57e2ab9e1b66b7ebc79242c1e843860baf78dfbb9b731a9c53b0
Opcode Fuzzy Hash: 8d6d1ce038871b3f63f087f0e330501865b1b90fae12b7dd85f78658046adda8
Instruction Fuzzy Hash: 51413A72900219AACF04EBE0CE96DEEB778AF56340F504025F60672093EF756F49CBA1

Function 001006DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 001007A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 001007BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 001007DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00100804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0010082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00100837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0010083C

Strings

SOFTWARE\Classes\, xrefs: 0010070E
\IPC$, xrefs: 00100784
\CLSID, xrefs: 00100724

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 8bbf5502e84c9ea4f365d906003c4d8ad53c00f6d3c23eabb80b39e999918e95
Instruction ID: f22294a3356c621ecfabc7626b396bb25c5f2cd12d3fe259971d60882eb2b0f0
Opcode Fuzzy Hash: 8bbf5502e84c9ea4f365d906003c4d8ad53c00f6d3c23eabb80b39e999918e95
Instruction Fuzzy Hash: 61411672D10229ABCF15EBA4DC85DEEB778BF09350F448129F941B31A1EB749E44CBA0

Function 00133C46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00133C79
SetMenu.USER32(?,00000000), ref: 00133C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00133D10
IsMenu.USER32(?), ref: 00133D24
CreatePopupMenu.USER32 ref: 00133D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00133D5B
DrawMenuBar.USER32 ref: 00133D63

Strings

0, xrefs: 00133C54
8V, xrefs: 00133CCF, 00133CEC
F, xrefs: 00133D4E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$8V$F
API String ID: 161812096-3088834189
Opcode ID: 6f0a6c18d4f13e546b97fcabc65e556a1fdb96be583c2ace04f967559377fab2
Instruction ID: 114fbf5baef3274cd1b08f7fd6cb38aba4f4b41ed54343e00912b0c567c2f7b8
Opcode Fuzzy Hash: 6f0a6c18d4f13e546b97fcabc65e556a1fdb96be583c2ace04f967559377fab2
Instruction Fuzzy Hash: AF414879A01209EFDB14CFA4D884EEA7BB5FF49350F140029FA56A7360D770AA50CF98

Function 00123C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00123C5C
CoInitialize.OLE32(00000000), ref: 00123C8A
CoUninitialize.OLE32 ref: 00123C94
_wcslen.LIBCMT ref: 00123D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00123DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00123ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00123F0E
CoGetObject.OLE32(?,00000000,0013FB98,?), ref: 00123F2D
SetErrorMode.KERNEL32(00000000), ref: 00123F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00123FC4
VariantClear.OLEAUT32(?), ref: 00123FD8

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 152f211513f5d51d1aa2a3d3d8867e6e90fb096874c73688372629209d9acb2e
Instruction ID: e10f7268237f245bdd2dcb4884fd5144e2dfeea4ecf955c4defcea9537ed2f51
Opcode Fuzzy Hash: 152f211513f5d51d1aa2a3d3d8867e6e90fb096874c73688372629209d9acb2e
Instruction Fuzzy Hash: 21C16571608315AFC700DF68D88496BBBE9FF89744F00491DF99A9B211DB30EE56CB92

Function 00117A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00117AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00117B8F
SHGetDesktopFolder.SHELL32(?), ref: 00117BA3
CoCreateInstance.OLE32(0013FD08,00000000,00000001,00166E6C,?), ref: 00117BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00117C74
CoTaskMemFree.OLE32(?,?), ref: 00117CCC
SHBrowseForFolderW.SHELL32(?), ref: 00117D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00117D7A
CoTaskMemFree.OLE32(00000000), ref: 00117D81
CoTaskMemFree.OLE32(00000000), ref: 00117DD6
CoUninitialize.OLE32 ref: 00117DDC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f48fe60cb35b7c9e01decd7beae707a736702afee0448b2447249174ad7859dd
Instruction ID: be92bd425aeb846f669ba427735bf0f677cb1608e8641cfb32d37a41fa322c3c
Opcode Fuzzy Hash: f48fe60cb35b7c9e01decd7beae707a736702afee0448b2447249174ad7859dd
Instruction Fuzzy Hash: D1C11D75A04109AFCB14DFA4C884DAEBBF5FF49314B1484A9E41A9B762D730EE81CB90

Function 000FFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 000FFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 000FFB08
VariantInit.OLEAUT32(?), ref: 000FFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 000FFB3A
VariantCopy.OLEAUT32(?,?), ref: 000FFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 000FFBA1
VariantClear.OLEAUT32(?), ref: 000FFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 000FFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000FFBCC
VariantClear.OLEAUT32(?), ref: 000FFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 000FFBE9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2a5a336a13647a5c3d939b80c1ff2f5c64385474f4e2d089a6b0b734d4ef90b3
Instruction ID: e75e80507473f2d96bfd9650de47ea48d77120c263f9fd96891ea6a499239ce3
Opcode Fuzzy Hash: 2a5a336a13647a5c3d939b80c1ff2f5c64385474f4e2d089a6b0b734d4ef90b3
Instruction Fuzzy Hash: 6C415F75A0021ADFCB10DFA4D8549FEBBB9EF48354F008069E915A7661CB30E945DB90

Function 00109C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00109CA1
GetAsyncKeyState.USER32(000000A0), ref: 00109D22
GetKeyState.USER32(000000A0), ref: 00109D3D
GetAsyncKeyState.USER32(000000A1), ref: 00109D57
GetKeyState.USER32(000000A1), ref: 00109D6C
GetAsyncKeyState.USER32(00000011), ref: 00109D84
GetKeyState.USER32(00000011), ref: 00109D96
GetAsyncKeyState.USER32(00000012), ref: 00109DAE
GetKeyState.USER32(00000012), ref: 00109DC0
GetAsyncKeyState.USER32(0000005B), ref: 00109DD8
GetKeyState.USER32(0000005B), ref: 00109DEA

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e171fd1c592a824501f9d22ef5afc030d3fadc217b2b62ef339b53f8a6185ff7
Instruction ID: 7c4203457b9c751c859a70d34a3ff86508561f9b247e4f82607555620c4048cc
Opcode Fuzzy Hash: e171fd1c592a824501f9d22ef5afc030d3fadc217b2b62ef339b53f8a6185ff7
Instruction Fuzzy Hash: 6941DA74A447CA6DFF3197A0C9243B5BEA06F11344F04805ADAC6565C3DBE59DC8C792

Function 0012055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001205BC
inet_addr.WSOCK32(?), ref: 0012061C
gethostbyname.WSOCK32(?), ref: 00120628
IcmpCreateFile.IPHLPAPI ref: 00120636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001206C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001206E5
IcmpCloseHandle.IPHLPAPI(?), ref: 001207B9
WSACleanup.WSOCK32 ref: 001207BF

Strings

Ping, xrefs: 00120676

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d790bb7ffacdfdb6f6dbe5c8ef6412aae13fb05e45c3d3e25b999af2428fbc08
Instruction ID: fa5690bc067ceb7f92c6e4118fe1a2300a8c1e2ffe63276a4cdeaaa54517a918
Opcode Fuzzy Hash: d790bb7ffacdfdb6f6dbe5c8ef6412aae13fb05e45c3d3e25b999af2428fbc08
Instruction Fuzzy Hash: AD91AE356042119FD321CF15E888F1ABBE0EF48318F1586A9F4A99B6A3C770ED95CF91

Function 00128CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00128CF3

Part of subcall function 00108E54: _wcslen.LIBCMT ref: 00108E77

_wcslen.LIBCMT ref: 00128D4E
_wcslen.LIBCMT ref: 00128D9C
_wcslen.LIBCMT ref: 00128DDC
_wcslen.LIBCMT ref: 00128E6E

Strings

stdcall, xrefs: 00128DD6, 00128DDB
winapi, xrefs: 00128D96, 00128D9B
cdecl, xrefs: 00128D48, 00128D4D
none, xrefs: 00128E65, 00128E6A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: dca38c642806c05e90480f09d27fc410dcf28dcb9f5b7d8a51ed6ab4e07be20d
Instruction ID: a145828baf1c5a637787c6586af2c90d721a06100086e20a77f5fafa12358852
Opcode Fuzzy Hash: dca38c642806c05e90480f09d27fc410dcf28dcb9f5b7d8a51ed6ab4e07be20d
Instruction Fuzzy Hash: 3B51B032A0112A9BCB14DFACD9509FEB3A5BF65324B224229E826E72C5DF31DD54C790

Function 0012372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00123774
CoUninitialize.OLE32 ref: 0012377F
CoCreateInstance.OLE32(?,00000000,00000017,0013FB78,?), ref: 001237D9
IIDFromString.OLE32(?,?), ref: 0012384C
VariantInit.OLEAUT32(?), ref: 001238E4
VariantClear.OLEAUT32(?), ref: 00123936

Strings

Invalid parameter, xrefs: 00123865
Failed to create object, xrefs: 001237E4, 0012389A
NULL Pointer assignment, xrefs: 0012381E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 822500aeda449e9266c7e28ad5bd91bdc7ba90d2e5db641eac80abe45b9bca2d
Instruction ID: b68f57d8c11ce2da4efb789f06bc214a2a07995aca39eb0c7a42e7e311940921
Opcode Fuzzy Hash: 822500aeda449e9266c7e28ad5bd91bdc7ba90d2e5db641eac80abe45b9bca2d
Instruction Fuzzy Hash: 7C61F370608321AFD711DF64D848FAAB7E8EF49714F00090DF9959B291D774EE98CBA2

Function 000A5BEA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 000A5C7A

Part of subcall function 000A5D0A: GetClientRect.USER32(?,?), ref: 000A5D30
Part of subcall function 000A5D0A: GetWindowRect.USER32(?,?), ref: 000A5D71
Part of subcall function 000A5D0A: ScreenToClient.USER32(?,?), ref: 000A5D99

GetDC.USER32 ref: 000E46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 000E4708
SelectObject.GDI32(00000000,00000000), ref: 000E4716
SelectObject.GDI32(00000000,00000000), ref: 000E472B
ReleaseDC.USER32(?,00000000), ref: 000E4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 000E47C4

Strings

U, xrefs: 000E4693
@U=u, xrefs: 000E4708

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 7b9ed7f0d45a9774ac8c650dd51ef45f1e4b87229ffcba7177bca2a83efcc47f
Instruction ID: 2cf8ebbaa73e46529f8b5f29f50a514a4f3e88394c5074b99c0aac8e4ac6b61f
Opcode Fuzzy Hash: 7b9ed7f0d45a9774ac8c650dd51ef45f1e4b87229ffcba7177bca2a83efcc47f
Instruction Fuzzy Hash: E471E030404245EFCF218FA5CD84AEE7BF5FF4A365F144269ED956A2AAC7308881DF90

Function 00113388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001133CF

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001133F0

Strings

Incorrect parameters to object property !, xrefs: 001134AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00113504
Line %d (File "%s"):, xrefs: 00113443, 0011345C
"%s" (%d) : ==> %s:, xrefs: 00113522
^ ERROR , xrefs: 0011349E
Error: , xrefs: 001134D1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 3d508e70261f0713df4c711474b019328b06d8cf58336b3125704adaf97d0d5c
Instruction ID: 22b903ca1272e91e776b80f518dc22239590511617c46cea1362d43b4fcbc66d
Opcode Fuzzy Hash: 3d508e70261f0713df4c711474b019328b06d8cf58336b3125704adaf97d0d5c
Instruction Fuzzy Hash: 3A518D72A00209BADF19EBE0CD42EEEB779AF15740F204065F405720A2EF352F98DB60

Function 0010B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0010B5FC
_wcslen.LIBCMT ref: 0010B608
_wcslen.LIBCMT ref: 0010B64D
_wcslen.LIBCMT ref: 0010B68C
_wcslen.LIBCMT ref: 0010B6C7

Strings

EXISTS, xrefs: 0010B686, 0010B68B
KEYS, xrefs: 0010B647, 0010B64C
REMOVE, xrefs: 0010B602, 0010B607
APPEND, xrefs: 0010B6C1, 0010B6C6

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: cbd0a62ec50a280ae518c1ccf3f8194eb51c53ec21cc37a0afc18d48e82241ff
Instruction ID: fe2ec96b3e4817f5b59c45ea5338aa02b31a223e065f2cf3e49d1618d5fd4d12
Opcode Fuzzy Hash: cbd0a62ec50a280ae518c1ccf3f8194eb51c53ec21cc37a0afc18d48e82241ff
Instruction Fuzzy Hash: A041F632A080279BCB206F7DCDD05BE77A5BFA1B54B254229E4A1DB2C4E772CD81C790

Function 0010BC5E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0010BCFD
IsMenu.USER32(00000000), ref: 0010BD1D
CreatePopupMenu.USER32 ref: 0010BD53
GetMenuItemCount.USER32(@X), ref: 0010BDA4
InsertMenuItemW.USER32(@X,?,00000001,00000030), ref: 0010BDCC

Strings

@X, xrefs: 0010BCE3, 0010BCBC, 0010BDCA
0, xrefs: 0010BCA8
@X, xrefs: 0010BD2B, 0010BDA3
2, xrefs: 0010BD37

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2$@X$@X
API String ID: 93392585-3667543275
Opcode ID: 9abbfe88454e50d42f22e5cc326177d1badd743218811f24d2d9361e68c98227
Instruction ID: 11d493cde7a43f67431e5c1628d4d7eaf241bd9ad3989163299838a7b95542ac
Opcode Fuzzy Hash: 9abbfe88454e50d42f22e5cc326177d1badd743218811f24d2d9361e68c98227
Instruction Fuzzy Hash: 74519C70A0820ADBDB10DFE8D8C8BAEFBF4BF55318F148219E495A72D1D7B09941CB61

Function 00115393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001153A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00115416
GetLastError.KERNEL32 ref: 00115420
SetErrorMode.KERNEL32(00000000,READY), ref: 001154A7

Strings

UNKNOWN, xrefs: 00115444
READONLY, xrefs: 00115452
NOTREADY, xrefs: 0011544B
READY, xrefs: 00115460, 00115468
INVALID, xrefs: 00115459

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1f7028ca71af39749a53d73caba58272fa449c860f4712abd1918976324967f0
Instruction ID: 18974693e5f9c01908b0cb2c1adf503962c8149e6d4cfad5b635a35447993cfe
Opcode Fuzzy Hash: 1f7028ca71af39749a53d73caba58272fa449c860f4712abd1918976324967f0
Instruction Fuzzy Hash: 4031C135A00604DFD718DFA8C884BEABBB5EF85345F148065E405DB692EB71DDC2CBA0

Function 00132DFD Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00132E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00132E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00132E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00132EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00132EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00132EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00132F0B

Strings

8V, xrefs: 00132E00, 00132E34, 00132E69, 00132EA1, 00132EC5, 00132EFD
@U=u, xrefs: 00132E1C, 00132EB6, 00132EE0

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: 8V$@U=u
API String ID: 2178440468-1020947142
Opcode ID: 4447101e78b28c54c8cac4445317bb9121215b16c786d96cc2656778483d7ce3
Instruction ID: 57374e3564a49c32f5a10a15710b0d5cd98b81360d676898151f95e4e0086f24
Opcode Fuzzy Hash: 4447101e78b28c54c8cac4445317bb9121215b16c786d96cc2656778483d7ce3
Instruction Fuzzy Hash: FC313531604250AFEB20EF18DC86FA537E4FB9AB20F150164FA049F2B1CB71AC80DB40

Function 00132D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00132D1B
GetDC.USER32(00000000), ref: 00132D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00132D2E
ReleaseDC.USER32(00000000,00000000), ref: 00132D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00132D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00132D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00135A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00132DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00132DE1

Strings

@U=u, xrefs: 00132D87, 00132DE1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: d597db66f3cebe79f5fe56e6218eadcd89334a8dd9a3e10b288c66df6693cfc4
Instruction ID: cedc4b8c37bd8f992e8820cf1e811dd227fd78cadb7c8b1f7d88317a4d9e7e44
Opcode Fuzzy Hash: d597db66f3cebe79f5fe56e6218eadcd89334a8dd9a3e10b288c66df6693cfc4
Instruction Fuzzy Hash: E4318E76201214BFEB218F50CC8AFEB3FADEF09715F044065FE08AA291C6759C90CBA4

Function 0010209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 001020AB
GetClassNameW.USER32(00000000,?,00000100), ref: 001020C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0010214D

Strings

largeicons, xrefs: 001020E1
SHELLDLL_DefView, xrefs: 001020CC
list, xrefs: 0010212F
details, xrefs: 001020FB
smallicons, xrefs: 00102115
@U=u, xrefs: 0010214D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: b3368bc5e2e1bae1dcdc32949c1e0fded6d2a39d4629d0cc7b300bbd6ec16bcb
Instruction ID: 1a48e37597a8093aa4ae1cf9198fd71a370674375a60a4be501aa437b491056c
Opcode Fuzzy Hash: b3368bc5e2e1bae1dcdc32949c1e0fded6d2a39d4629d0cc7b300bbd6ec16bcb
Instruction Fuzzy Hash: 471106BA688706B9FB192720DC0BDEA779DDB05324F20011AFB44A50E2EFF168525654

Function 0010B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0010B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0010A1E1,?,00000001), ref: 0010B165
GetWindowThreadProcessId.USER32(00000000), ref: 0010B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0010A1E1,?,00000001), ref: 0010B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0010B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0010A1E1,?,00000001), ref: 0010B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0010A1E1,?,00000001), ref: 0010B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0010A1E1,?,00000001), ref: 0010B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0010A1E1,?,00000001), ref: 0010B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0010A1E1,?,00000001), ref: 0010B21D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: ff081e67c7eb2e86ea98cae4f2aaae0e2b626f2da12ac36abd2055b9460f616b
Instruction ID: 37275d3af38cf87a193aa4a311401eefab5dd9a6e0e21466cc88e9cc1257364b
Opcode Fuzzy Hash: ff081e67c7eb2e86ea98cae4f2aaae0e2b626f2da12ac36abd2055b9460f616b
Instruction Fuzzy Hash: 8431ADB5504204BFDB109F24EC89B6EBBB9BB61311F104405FA59E66D0D7F4AEC08FA0

Function 000D2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000D2C94

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000D2CA0
_free.LIBCMT ref: 000D2CAB
_free.LIBCMT ref: 000D2CB6
_free.LIBCMT ref: 000D2CC1
_free.LIBCMT ref: 000D2CCC
_free.LIBCMT ref: 000D2CD7
_free.LIBCMT ref: 000D2CE2
_free.LIBCMT ref: 000D2CED
_free.LIBCMT ref: 000D2CFB

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b1cc9a40cdd9756d686725c8f8c52e712fc5ccaea88776d2653d42e39dd54614
Instruction ID: a7da965033a8330edf9845b9ae407ad7c77a052f92128d1779eb15d892fb70db
Opcode Fuzzy Hash: b1cc9a40cdd9756d686725c8f8c52e712fc5ccaea88776d2653d42e39dd54614
Instruction Fuzzy Hash: 41119376100208AFCB02EF54D992CDD7BA5FF15350F4144A6FA489B322DA31EE50ABA0

Function 000A1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 000A1459
OleUninitialize.OLE32(?,00000000), ref: 000A14F8
UnregisterHotKey.USER32(?), ref: 000A16DD
DestroyWindow.USER32(?), ref: 000E24B9
FreeLibrary.KERNEL32(?), ref: 000E251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 000E254B

Strings

close all, xrefs: 000A1454

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 08fcc71095b3d85b29d9b784002f0d0cb6b4dbc4a0c5529d7e8e64c690bc4c42
Instruction ID: d284c5ca89ede94400676c616283cd58e8283d3d0113d7938c06fd01c9c8f991
Opcode Fuzzy Hash: 08fcc71095b3d85b29d9b784002f0d0cb6b4dbc4a0c5529d7e8e64c690bc4c42
Instruction Fuzzy Hash: 19D17C31701212CFCB29EF55C999AA9F7A5BF06700F1542ADE44ABB252CB30ED52CF90

Function 0011359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001135E4

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

LoadStringW.USER32(00172390,?,00000FFF,?), ref: 0011360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00113724
Line %d (File "%s"):, xrefs: 0011366B
"%s" (%d) : ==> %s:, xrefs: 00113742
Error: , xrefs: 001136EF
^ ERROR, xrefs: 001136C9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 8f8d7089d4e80f0f3316b17670b3ab60ba7a0f7cd58f00b681b7390059c032a3
Instruction ID: a81945ff591e595973fa7ccffb4ec51f74385eb2b0029d2cbceb6c148e57e2d8
Opcode Fuzzy Hash: 8f8d7089d4e80f0f3316b17670b3ab60ba7a0f7cd58f00b681b7390059c032a3
Instruction Fuzzy Hash: F9515B72900219BADF19EBE0CC42EEEBB78AF15350F144125F515721A2EB311BD9DFA1

Function 00133886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00133925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0013393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00133954
_wcslen.LIBCMT ref: 00133999
SendMessageW.USER32(?,00001057,00000000,?), ref: 001339C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001339F4

Strings

SysListView32, xrefs: 001338F7
@U=u, xrefs: 00133925, 0013393A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: 242171b9c7df0b0c45985b364f9420ebb8ddacfe631f6256211af3195c7dcc4e
Instruction ID: 474bdd31b0812a9af257a6e14304bcfe2a0a99077c1ec6f2830e28c234edb9cf
Opcode Fuzzy Hash: 242171b9c7df0b0c45985b364f9420ebb8ddacfe631f6256211af3195c7dcc4e
Instruction Fuzzy Hash: FA41B371A00218ABEF219F64CC49FEA7BA9FF08354F10056AF958E7281D771DE90CB94

Function 001381DB Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,000FF3AB,00000000,?,?,00000000,?,000F682C,00000004,00000000,00000000), ref: 0013824C
EnableWindow.USER32(00000000,00000000), ref: 00138272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001382D1
ShowWindow.USER32(00000000,00000004), ref: 001382E5
EnableWindow.USER32(00000000,00000001), ref: 0013830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0013832F

Strings

8V, xrefs: 00138206, 00138252, 00138299, 001382D7, 001382EB
@U=u, xrefs: 0013832F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: 8V$@U=u
API String ID: 642888154-1020947142
Opcode ID: 4c6897fad8330f46b36749e289e5b5303dbaa08b5b4ae7278c4ec34693ac9ad5
Instruction ID: 4ee7e2536f1122220261c1e225b12f9f74cadba9cdc83e1ff37b872b8b77fb1f
Opcode Fuzzy Hash: 4c6897fad8330f46b36749e289e5b5303dbaa08b5b4ae7278c4ec34693ac9ad5
Instruction Fuzzy Hash: F8418334601744AFDB25DF19CC99BE57BF1FB0A714F1851A9FA085B6A2CB31A882CB50

Function 0011C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0011C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0011C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0011C2CA
GetLastError.KERNEL32 ref: 0011C322
SetEvent.KERNEL32(?), ref: 0011C336
InternetCloseHandle.WININET(00000000), ref: 0011C341

Strings

, xrefs: 0011C2BB

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 623bac2c573ad94e38f5c2cf56760b6e62a48fdbda11de09f3aee6148c8e04fa
Instruction ID: 59ce6e6ec4a7963bbb93f37b9d82d116bda978b24e83b50fcd62e8073ee0f975
Opcode Fuzzy Hash: 623bac2c573ad94e38f5c2cf56760b6e62a48fdbda11de09f3aee6148c8e04fa
Instruction Fuzzy Hash: C3319FB1544204AFD7259FA58C88AEB7BFCFB49740B10852DF456E2600DB30DD848BE1

Function 0010989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,000E3AAF,?,?,Bad directive syntax error,0013CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 001098BC
LoadStringW.USER32(00000000,?,000E3AAF,?), ref: 001098C3

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00109987

Strings

., xrefs: 0010996D
%s (%d) : ==> %s.: %s %s, xrefs: 001098F1
Line %d:, xrefs: 00109912
Line %d (File "%s"):, xrefs: 0010992D
Error: , xrefs: 00109955

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 64dcfdb4c120578b8d73be3d1ae9c071010e555e521fd521955af8a3e7171af9
Instruction ID: 550bf45853ee4f647f81d2b4b1291317b42e4d80dfb69ac8d5739a50e4ef1225
Opcode Fuzzy Hash: 64dcfdb4c120578b8d73be3d1ae9c071010e555e521fd521955af8a3e7171af9
Instruction Fuzzy Hash: 04216B3290021AABCF15AF90CC16EEE7779FF19304F044469F515760A3EB719A68DB51

Function 000DCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 000DCEB7
_free.LIBCMT ref: 000DCF22
_free.LIBCMT ref: 000DCF48
_free.LIBCMT ref: 000DCF71
_free.LIBCMT ref: 000DCFA9
_free.LIBCMT ref: 000DCFDA
_free.LIBCMT ref: 000DD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 000DD09C
_free.LIBCMT ref: 000DD0B5

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 31198c5d08190fd026f47b736f590f17699658d316a53c389d7ec2d9f5168ed9
Instruction ID: 8d705b30ab6249750265ea4c301a385ea5e875f9dc0ba76f95a55e21bb8d96f1
Opcode Fuzzy Hash: 31198c5d08190fd026f47b736f590f17699658d316a53c389d7ec2d9f5168ed9
Instruction Fuzzy Hash: EE61E2B1904302AFEB21AFB4D895AEDBBE5AF05310F14417FF94997382D6319941D7B0

Function 0011C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0011C182
GetLastError.KERNEL32 ref: 0011C195
SetEvent.KERNEL32(?), ref: 0011C1A9

Part of subcall function 0011C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0011C272
Part of subcall function 0011C253: GetLastError.KERNEL32 ref: 0011C322
Part of subcall function 0011C253: SetEvent.KERNEL32(?), ref: 0011C336
Part of subcall function 0011C253: InternetCloseHandle.WININET(00000000), ref: 0011C341

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: bb32210dc01f02b34f129c9c62be839df8b953d0bc28906225ef3591ed53ef73
Instruction ID: 72e4fbf9c0f07faad955558e1c4da60a18f27763d3ecd37ebda5bd37cc3b565c
Opcode Fuzzy Hash: bb32210dc01f02b34f129c9c62be839df8b953d0bc28906225ef3591ed53ef73
Instruction Fuzzy Hash: E8318D71280601FFDB299FA5DC48AABBBF9FF18300B04442DF95692A10D730E894DBE0

Function 001025A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00103A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00103A57
Part of subcall function 00103A3D: GetCurrentThreadId.KERNEL32 ref: 00103A5E
Part of subcall function 00103A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001025B3), ref: 00103A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 001025BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 001025DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 001025DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 001025E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00102601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00102605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0010260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00102623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00102627

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1b5ddc945e0dff0747dc8ee075584740109935fd16e7d64ea85576608a7e27d9
Instruction ID: c0f958d05988354b4e63c6b01e7b48bbfa007f971ae65046df3e31bdfabbb3b0
Opcode Fuzzy Hash: 1b5ddc945e0dff0747dc8ee075584740109935fd16e7d64ea85576608a7e27d9
Instruction Fuzzy Hash: 6501D431390210FBFB1067689C8EF993F59DB5EB12F100001F368BF1D1CAF224849AA9

Function 00101803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00101449,?,?,00000000), ref: 0010180C
HeapAlloc.KERNEL32(00000000,?,00101449,?,?,00000000), ref: 00101813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00101449,?,?,00000000), ref: 00101828
GetCurrentProcess.KERNEL32(?,00000000,?,00101449,?,?,00000000), ref: 00101830
DuplicateHandle.KERNEL32(00000000,?,00101449,?,?,00000000), ref: 00101833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00101449,?,?,00000000), ref: 00101843
GetCurrentProcess.KERNEL32(00101449,00000000,?,00101449,?,?,00000000), ref: 0010184B
DuplicateHandle.KERNEL32(00000000,?,00101449,?,?,00000000), ref: 0010184E
CreateThread.KERNEL32(00000000,00000000,00101874,00000000,00000000,00000000), ref: 00101868

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b46a3d1330c9814ba4a1970b5e817effca228c2365aba0969c00367919388349
Instruction ID: 3aef65380b5c84edb2f1cca5b02c6825fb04b763c2590db2518a6e474da505c7
Opcode Fuzzy Hash: b46a3d1330c9814ba4a1970b5e817effca228c2365aba0969c00367919388349
Instruction Fuzzy Hash: 7201BBB5240308FFE710ABA5DC4DF6B3BACEB89B11F008411FA05EB5A1CA74D850DB60

Function 0010C5D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A7620: _wcslen.LIBCMT ref: 000A7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0010C6EE
_wcslen.LIBCMT ref: 0010C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0010C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0010C7CA

Strings

@X, xrefs: 0010C64B
0, xrefs: 0010C6AF
@X, xrefs: 0010C652

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0$@X$@X
API String ID: 1227352736-2047795927
Opcode ID: 69968d3cbe130fcf69a833781cf1a6033ea5ed2e39700a506a8efeca2ab44a3b
Instruction ID: c6284c73c2d1dda3b2d42dcf177964ca89b7b1413e8992450b90c71bded12715
Opcode Fuzzy Hash: 69968d3cbe130fcf69a833781cf1a6033ea5ed2e39700a506a8efeca2ab44a3b
Instruction Fuzzy Hash: 4A51AE726043019BD725AF28C885BAB77E8AB49314F044B29F9D5E32E1DBB0D9448F92

Function 0012A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0010D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0010D501
Part of subcall function 0010D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0010D50F
Part of subcall function 0010D4DC: CloseHandle.KERNEL32(00000000), ref: 0010D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012A16D
GetLastError.KERNEL32 ref: 0012A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0012A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0012A268
GetLastError.KERNEL32(00000000), ref: 0012A273
CloseHandle.KERNEL32(00000000), ref: 0012A2C4

Strings

SeDebugPrivilege, xrefs: 0012A18F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b281362b6112736a638e6bf79f7d6a50e4d61220328b2c0a315da8cdaa15ca9f
Instruction ID: 68180617f1c6764691e5017ca3670d498402a3356a749dd2fc074639e2e9f1ce
Opcode Fuzzy Hash: b281362b6112736a638e6bf79f7d6a50e4d61220328b2c0a315da8cdaa15ca9f
Instruction Fuzzy Hash: B961E130204212EFD720DF54D894F15BBE1AF54318F59849CE46A8BBA3C772EC55CB92

Function 00136B76 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00136C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00136C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00136C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0011AB79,00000000,00000000), ref: 00136C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00136CC7

Strings

8V, xrefs: 00136BB0, 00136C55
@U=u, xrefs: 00136C73

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: 8V$@U=u
API String ID: 3688381893-1020947142
Opcode ID: a2e227626560ceda6d579fe1b83cb0b7378c485359ac2cb24121cb68d0460ae4
Instruction ID: 2e6c78434e76646747bd4bbf768dfae86cfd2037959ebf51e8570fced069decf
Opcode Fuzzy Hash: a2e227626560ceda6d579fe1b83cb0b7378c485359ac2cb24121cb68d0460ae4
Instruction Fuzzy Hash: C941C635604104BFDB24CF28CC59FE9BBA5EB0A350F159268F999A73E1C371ED81DA90

Function 00104C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00104C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00104CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00104CEA
_wcslen.LIBCMT ref: 00104D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00104D10
_wcsstr.LIBVCRUNTIME ref: 00104D1A

Strings

@U=u, xrefs: 00104CB2, 00104CEA

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: dad108c1a7ac0f15787dda5c218f659914e4a11cc24ba652391352ba8dd86dcf
Instruction ID: 296b940e877223056ab4c8b0ae32cedc2f3d7afeda46717ca634844dca76ac6a
Opcode Fuzzy Hash: dad108c1a7ac0f15787dda5c218f659914e4a11cc24ba652391352ba8dd86dcf
Instruction Fuzzy Hash: 0C2104B2204200BBEB155B79AC8AEBB7B9CDF55750F108029F905DA192EBB1CC4087A0

Function 0010C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0010C913

Strings

warning, xrefs: 0010C8FC
blank, xrefs: 0010C895
stop, xrefs: 0010C8E4
info, xrefs: 0010C8B4
question, xrefs: 0010C8CC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ade4b58c374f60780b9a176995246dd393c49970fc6ff89d22dcc031d6950ee0
Instruction ID: 658137d6da350550a9be5a62d14c313fbd562749b2fd102d75b1dbee79b0552e
Opcode Fuzzy Hash: ade4b58c374f60780b9a176995246dd393c49970fc6ff89d22dcc031d6950ee0
Instruction Fuzzy Hash: A7113A32689307BAE7089B54DC83DEE379CDF15318B20412FF944A61C2E7F09E005AE9

Function 000F7439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 000F7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 000F7469
GetWindowDC.USER32(?), ref: 000F7475
GetPixel.GDI32(00000000,?,?), ref: 000F7484
ReleaseDC.USER32(?,00000000), ref: 000F7496
GetSysColor.USER32(00000005), ref: 000F74B0

Strings

@U=u, xrefs: 000F7469

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: 9a4bf46e611aa826ee000aebe1a666c1c4e751fd90996f32fa6fbe759ba6ec8e
Instruction ID: 8c97e4f424b5bafe745e635802457b28e13ac58f560c71a335321fa55e6a669f
Opcode Fuzzy Hash: 9a4bf46e611aa826ee000aebe1a666c1c4e751fd90996f32fa6fbe759ba6ec8e
Instruction Fuzzy Hash: 34014B31500619EFEB515F64DC09BEEBBB6FB04321F510164FA19B29A1CB312E91AB91

Function 0010ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0010ED2A
_wcslen.LIBCMT ref: 0010ED3B
_wcslen.LIBCMT ref: 0010ED79
_wcslen.LIBCMT ref: 0010EDAF
_wcslen.LIBCMT ref: 0010EDDF
_wcslen.LIBCMT ref: 0010EDEF
_wcslen.LIBCMT ref: 0010EE2B
_wcslen.LIBCMT ref: 0010EE5A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: e07aba66e84008c646511f2bc91545cc2926cfd8f100939ab336fa8b1c53641a
Instruction ID: 531733a11310b96708f11c07f3f8243a73ebba85e11a3fe907fdf8e19e9cd74d
Opcode Fuzzy Hash: e07aba66e84008c646511f2bc91545cc2926cfd8f100939ab336fa8b1c53641a
Instruction Fuzzy Hash: 79419265C1021875CB11EBF5C88AEDFB7A8EF45710F50886AF518E3162FB34E255C3A5

Function 000BF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000F682C,00000004,00000000,00000000), ref: 000BF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,000F682C,00000004,00000000,00000000), ref: 000FF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,000F682C,00000004,00000000,00000000), ref: 000FF454

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bb47a33c935360fa8e96e561e019985b6f374e5ce44adadc8f8254e5560fdf22
Instruction ID: 8f9bfdcf3658bbe19bf29747a252066720356dce41d14e96300c022c0991b688
Opcode Fuzzy Hash: bb47a33c935360fa8e96e561e019985b6f374e5ce44adadc8f8254e5560fdf22
Instruction Fuzzy Hash: 55411731608682FAC7799B2D8C887BA7BD2AF56354F14443CE587A3A61C632A9C0DB51

Function 00105622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00105637
_memcmp.LIBVCRUNTIME ref: 00105659
_memcmp.LIBVCRUNTIME ref: 00105671
_memcmp.LIBVCRUNTIME ref: 00105684
_memcmp.LIBVCRUNTIME ref: 0010569E
_memcmp.LIBVCRUNTIME ref: 001056B1
_memcmp.LIBVCRUNTIME ref: 001056C9
_memcmp.LIBVCRUNTIME ref: 001056E4

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: af3185d2b68f708faac3ed1f2ad0e40422f603f06b27cd4931d1c534763d62d8
Instruction ID: 890e1d5428e392423123b6d5f0f9b63e0bc15d9fa97f4168050b9e98dcbe9a54
Opcode Fuzzy Hash: af3185d2b68f708faac3ed1f2ad0e40422f603f06b27cd4931d1c534763d62d8
Instruction Fuzzy Hash: 2321AA71A40A09B7D31856118E82FFF335EAF21398F440028FD455A5C2FBE2EE118DA5

Function 00124FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00125007
NULL Pointer assignment, xrefs: 0012502E, 00125383

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 573e706f92c5b828b87116c5cdb285c10f85cdf0d219bdff81942488759fd993
Instruction ID: f81f3ad8d97b65c8bcefcf0e54b0655a50892d531fd03121643d84cc3c61fde4
Opcode Fuzzy Hash: 573e706f92c5b828b87116c5cdb285c10f85cdf0d219bdff81942488759fd993
Instruction Fuzzy Hash: 19D1B271A0061A9FDF14CF98E8C1BAEB7B6BF48354F148069E915AB281E770DD51CB90

Function 000E1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 000E15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000E1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,000E17FB,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000E16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000E16FB

Part of subcall function 000D3820: RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,000E17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 000E1777
__freea.LIBCMT ref: 000E17A2
__freea.LIBCMT ref: 000E17AE

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f5b5e636d49527e654e13cd2f8e0bc1299cbd5242772146714b1a7f4535107f2
Instruction ID: fe9906a0df7041224c68ccef617b014c254273699fa02b25fdaf5cdfd6e742cc
Opcode Fuzzy Hash: f5b5e636d49527e654e13cd2f8e0bc1299cbd5242772146714b1a7f4535107f2
Instruction Fuzzy Hash: 3B91C472E046969EDB208F76C881EEEBBF5AF49710F184659E851F7181DB35CD40CBA0

Function 00124523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00124648
VariantInit.OLEAUT32(?), ref: 00124749
VariantClear.OLEAUT32(?), ref: 00124753
VariantClear.OLEAUT32(?), ref: 001247B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0012472C
Null Object assignment in FOR..IN loop, xrefs: 001245D8, 00124706, 001247BE

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 303861359bf9d32925708bf0074d4323ff7060ccabe10911488b8f1a912b3597
Instruction ID: abb91111d863b883b5e6167a8c7d294ee9e7a8711c7946e630c8baf24e549afc
Opcode Fuzzy Hash: 303861359bf9d32925708bf0074d4323ff7060ccabe10911488b8f1a912b3597
Instruction Fuzzy Hash: BF919D71A00229ABDF24CFA4EC84FEEBBB8EF46714F108559F515AB281D7709951CFA0

Function 00111187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0011125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00111284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001112A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001112D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0011135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001113C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00111430

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: b9f3bbe3511b4bfadca675e0b535ff14f0bd4c0f0fb6e914b49b9648485d7926
Instruction ID: 84ca86a40662d509ffc79cd1d7ecb9e43493ea5566e27b36c6aa15b51595e130
Opcode Fuzzy Hash: b9f3bbe3511b4bfadca675e0b535ff14f0bd4c0f0fb6e914b49b9648485d7926
Instruction Fuzzy Hash: C491F471A00219AFDB08DFA4D884BFEB7B5FF45720F214039EA11E7691D774A981CB90

Function 000B948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 16890a4848fe064a239f27c38a634e281b55f79eb45ddeefad1b307c9077ac19
Instruction ID: 8b1317f59d515d72fefbae8b89c16491a34cca8517ea8b21dfa00d47add25a09
Opcode Fuzzy Hash: 16890a4848fe064a239f27c38a634e281b55f79eb45ddeefad1b307c9077ac19
Instruction Fuzzy Hash: 7D913771D40219EFCB64CFA9CC84AEEBBB8FF49320F148155E615B7251D374AA81DBA0

Function 00123947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0012396B
CharUpperBuffW.USER32(?,?), ref: 00123A7A
_wcslen.LIBCMT ref: 00123A8A
VariantClear.OLEAUT32(?), ref: 00123C1F

Part of subcall function 00110CDF: VariantInit.OLEAUT32(00000000), ref: 00110D1F
Part of subcall function 00110CDF: VariantCopy.OLEAUT32(?,?), ref: 00110D28
Part of subcall function 00110CDF: VariantClear.OLEAUT32(?), ref: 00110D34

Strings

Incorrect Parameter format, xrefs: 001239A6, 00123BA1
AUTOIT.ERROR, xrefs: 00123A80, 00123A85

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 21e2c4a3faaf2bb7277fe1749083ce5adbe06b0eda0f5e47f662ad8d9bb4da58
Instruction ID: 59a8ec17d9cc8061474d031530c53720becf0dc548a53a2606e99a6a1647383d
Opcode Fuzzy Hash: 21e2c4a3faaf2bb7277fe1749083ce5adbe06b0eda0f5e47f662ad8d9bb4da58
Instruction Fuzzy Hash: 4A919C746083119FC704EF64D48096AB7E5FF89314F04892EF89997352DB34EE45CB92

Function 00124BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0010000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?,?,0010035E), ref: 0010002B
Part of subcall function 0010000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100046
Part of subcall function 0010000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100054
Part of subcall function 0010000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?), ref: 00100064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00124C51
_wcslen.LIBCMT ref: 00124D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00124DCF
CoTaskMemFree.OLE32(?), ref: 00124DDA

Strings

NULL Pointer assignment, xrefs: 00124E23, 00124E52

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 1fa056c8f3545c51bfdc9e46ef4af5588193eabbbcfa41ee4bceb64b75ee8293
Instruction ID: 9ee1603a9d48bb0753b9072f6de187f9f2f12162574cee7216e343e6e89d6579
Opcode Fuzzy Hash: 1fa056c8f3545c51bfdc9e46ef4af5588193eabbbcfa41ee4bceb64b75ee8293
Instruction Fuzzy Hash: D7912771D0022DAFDF14DFA4D890AEEB7B8FF09310F108169E915A7291DB749A54CFA0

Function 001320FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00132183
GetMenuItemCount.USER32(00000000), ref: 001321B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001321DD
_wcslen.LIBCMT ref: 00132213
GetMenuItemID.USER32(?,?), ref: 0013224D
GetSubMenu.USER32(?,?), ref: 0013225B

Part of subcall function 00103A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00103A57
Part of subcall function 00103A3D: GetCurrentThreadId.KERNEL32 ref: 00103A5E
Part of subcall function 00103A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001025B3), ref: 00103A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001322E3

Part of subcall function 0010E97B: Sleep.KERNEL32 ref: 0010E9F3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 7937d8f6553fb1035603f18b782a6de117f1c03acdfe135544600ffb417bc883
Instruction ID: f099cddc142917fbfed44e48f092a1d499f18d8e1a2eb308702fe0f71f33ebbe
Opcode Fuzzy Hash: 7937d8f6553fb1035603f18b782a6de117f1c03acdfe135544600ffb417bc883
Instruction Fuzzy Hash: BA718D75A00205AFCB14EFA4C845AAEB7F5FF48310F158469E816EB351DB74EE418B90

Function 0010AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0010AEF9
GetKeyboardState.USER32(?), ref: 0010AF0E
SetKeyboardState.USER32(?), ref: 0010AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0010AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0010AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0010AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0010B020

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9cbafcc4f15ba4772ca8544ca1730164b854419ef84b3545495faf73002f7fc0
Instruction ID: eb6d776ddcd03f4de9feb5f06df21f00b18e355beb927e4e8f01efdd5796771d
Opcode Fuzzy Hash: 9cbafcc4f15ba4772ca8544ca1730164b854419ef84b3545495faf73002f7fc0
Instruction Fuzzy Hash: 485180B1A087D63DFB368334C885BBABEA95F06304F088589F1D9958C2D7D9A8C4D751

Function 0010ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0010AD19
GetKeyboardState.USER32(?), ref: 0010AD2E
SetKeyboardState.USER32(?), ref: 0010AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0010ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0010ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0010AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0010AE38

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: aa73390cac8932640b68a6c7b6c5a351d8352bb42158392496c9b0152d1e1b0d
Instruction ID: 336e44d4e57dc994a8da3e2970df4f312c68c0d16a78e7fabbe771478cda3e51
Opcode Fuzzy Hash: aa73390cac8932640b68a6c7b6c5a351d8352bb42158392496c9b0152d1e1b0d
Instruction Fuzzy Hash: 6151F3B15087D13DFB368374CC95BBABEA86F06300F488489E1D5568C2D3D4EC88D762

Function 000D542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(000E3CD6,?,?,?,?,?,?,?,?,000D5BA3,?,?,000E3CD6,?,?), ref: 000D5470
__fassign.LIBCMT ref: 000D54EB
__fassign.LIBCMT ref: 000D5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,000E3CD6,00000005,00000000,00000000), ref: 000D552C
WriteFile.KERNEL32(?,000E3CD6,00000000,000D5BA3,00000000,?,?,?,?,?,?,?,?,?,000D5BA3,?), ref: 000D554B
WriteFile.KERNEL32(?,?,00000001,000D5BA3,00000000,?,?,?,?,?,?,?,?,?,000D5BA3,?), ref: 000D5584

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d048560932cbb29697672de5fef358cf40be0e29b8ff3645d299989e30109ad0
Instruction ID: c54b40d9ec2eddcbca718007b77a256d6e02af6e8af1a72eb512127412558157
Opcode Fuzzy Hash: d048560932cbb29697672de5fef358cf40be0e29b8ff3645d299989e30109ad0
Instruction Fuzzy Hash: 1951BF70A00B49AFDB11CFA8EC55AEEBBF9EF08301F14411BE955E7391D6309A81CB61

Function 00136278 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00E6E730,?), ref: 001362E2
ScreenToClient.USER32(?,?), ref: 00136315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00136382

Strings

8V, xrefs: 001362B1, 001363AC
@U=u, xrefs: 001363DD

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: 8V$@U=u
API String ID: 3880355969-1020947142
Opcode ID: c1aa7f794e3be6821b2916f4ab9a5bf268c5b58e0db4cc8e84dedcbc18df197e
Instruction ID: 8c686f5608ce5846c2e9b53b25d46ea3fca3392f8c02a2e4593cda4884319dce
Opcode Fuzzy Hash: c1aa7f794e3be6821b2916f4ab9a5bf268c5b58e0db4cc8e84dedcbc18df197e
Instruction Fuzzy Hash: 70512B75A00209EFDF10DF68D881AAE7BB5FF55364F108169F9599B2A0D730ED81CB90

Function 000B912D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 000B9141
ScreenToClient.USER32(00000000,?), ref: 000B915E
GetAsyncKeyState.USER32(00000001), ref: 000B9183
GetAsyncKeyState.USER32(00000002), ref: 000B919D

Strings

ffffba7200000066899514ffffffb86f00000066898516ffffffb97300000066898d18ffffffba6f0000006689951affffffb8660000006689851cffffffb97400, xrefs: 000F7152

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: ffffba7200000066899514ffffffb86f00000066898516ffffffb97300000066898d18ffffffba6f0000006689951affffffb8660000006689851cffffffb97400
API String ID: 4210589936-1276881343
Opcode ID: 5a7a2d20d96c57c7fb84a5076998b663b3384f4a746b119be956f0a6b77f8b64
Instruction ID: f6ca8f1e5399321ba0054a2668e344061ad6792c7c31af01795dfa5ff3f1a5dc
Opcode Fuzzy Hash: 5a7a2d20d96c57c7fb84a5076998b663b3384f4a746b119be956f0a6b77f8b64
Instruction Fuzzy Hash: A2414F71A0861AFBDF159F68C844BFEB7B4FF05320F208629E529A7290C7346954EB91

Function 000C2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000C2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 000C2D53
_ValidateLocalCookies.LIBCMT ref: 000C2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 000C2E0C
_ValidateLocalCookies.LIBCMT ref: 000C2E61

Strings

csm, xrefs: 000C2DF6

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: fa5ea854798e634da1b4062844b7adc6913a1de2c1733bacae94659ece9eb5ea
Instruction ID: 7524d53ffd84569e9d79ca353dd7d5018eea294389017e9450553585760dc9fd
Opcode Fuzzy Hash: fa5ea854798e634da1b4062844b7adc6913a1de2c1733bacae94659ece9eb5ea
Instruction Fuzzy Hash: 4D41B234A00209ABCF10DF68C885FDEBBF5BF44324F148159E8156B7A2DB31AA05CBD0

Function 001210B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0012304E: inet_addr.WSOCK32(?), ref: 0012307A
Part of subcall function 0012304E: _wcslen.LIBCMT ref: 0012309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00121112
WSAGetLastError.WSOCK32 ref: 00121121
WSAGetLastError.WSOCK32 ref: 001211C9
closesocket.WSOCK32(00000000), ref: 001211F9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 665a136d6beb175ce5000efa7b33046476c38e5fc6fa294ab1005bbd4cfcfc1b
Instruction ID: 857e6c46d228251ef197bf4714873dc7aec8ea2f45e1ca801e557a64f10c68e5
Opcode Fuzzy Hash: 665a136d6beb175ce5000efa7b33046476c38e5fc6fa294ab1005bbd4cfcfc1b
Instruction Fuzzy Hash: F9411631600214AFDB10DF64D884BAAB7EAFF55364F148059FD19AB292C770EE91CBE1

Function 0010CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0010DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0010CF22,?), ref: 0010DDFD

Part of subcall function 0010DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0010CF22,?), ref: 0010DE16

lstrcmpiW.KERNEL32(?,?), ref: 0010CF45
MoveFileW.KERNEL32(?,?), ref: 0010CF7F
_wcslen.LIBCMT ref: 0010D005
_wcslen.LIBCMT ref: 0010D01B
SHFileOperationW.SHELL32(?), ref: 0010D061

Strings

\*.*, xrefs: 0010CFF3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 7c186f1af297290c8395119b36fc2454f9bf41ac58f505b8db0c0ba199186365
Instruction ID: 890c3c0a4cbc3eb64f159e72fada1a198288f1698225d041d87c234f9047b07a
Opcode Fuzzy Hash: 7c186f1af297290c8395119b36fc2454f9bf41ac58f505b8db0c0ba199186365
Instruction Fuzzy Hash: A04167B19052195FDF12EFA4D981EDEB7F9AF18380F1000E6E545EB182EB74AA84CF51

Function 00107726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00107769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0010778F
SysAllocString.OLEAUT32(00000000), ref: 00107792
SysAllocString.OLEAUT32(?), ref: 001077B0
SysFreeString.OLEAUT32(?), ref: 001077B9
StringFromGUID2.OLE32(?,?,00000028), ref: 001077DE
SysAllocString.OLEAUT32(?), ref: 001077EC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 05915f0a94ba281f7de2cc354c7264bb2dccfb4badcccaf7bcd5d7dc684d2cc0
Instruction ID: 844b41b988ffb20f828eedcf07b16f4e02ce119bc518b51c9a76f0986f7f422b
Opcode Fuzzy Hash: 05915f0a94ba281f7de2cc354c7264bb2dccfb4badcccaf7bcd5d7dc684d2cc0
Instruction Fuzzy Hash: 43219276A04219AFDB10DFA8CC88CBB77ACEB097A47048425FA55DB1D1D7B0ED8187A0

Function 001077FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00107842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00107868
SysAllocString.OLEAUT32(00000000), ref: 0010786B
SysAllocString.OLEAUT32 ref: 0010788C
SysFreeString.OLEAUT32 ref: 00107895
StringFromGUID2.OLE32(?,?,00000028), ref: 001078AF
SysAllocString.OLEAUT32(?), ref: 001078BD

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1cadb610ab956ac50fa9a8dafd8cada78cf3b905048efb4e61b1098b6e02a4f1
Instruction ID: dce2a4945f1a380e41329b62b233cda3c5f3154d02913af64c69c1ca8ae9f7c5
Opcode Fuzzy Hash: 1cadb610ab956ac50fa9a8dafd8cada78cf3b905048efb4e61b1098b6e02a4f1
Instruction Fuzzy Hash: 14216531A04104AFDB109FA8DC88DBA77ACEB097607108126F955DB1E1D7B4EC41CB64

Function 00135706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00135745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0013579D
_wcslen.LIBCMT ref: 001357AF
_wcslen.LIBCMT ref: 001357BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00135816

Strings

@U=u, xrefs: 00135745, 0013579D, 00135816

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 871feed6e4b55251a8d4ab42a223bb8d4b98e86e4a7e9330d754436a8bd97ed4
Instruction ID: 7e29049422b320777079474ba2133779461b485d9a67aec2cdecac34d5c68a71
Opcode Fuzzy Hash: 871feed6e4b55251a8d4ab42a223bb8d4b98e86e4a7e9330d754436a8bd97ed4
Instruction Fuzzy Hash: 2C219671904618DADB209FA4CC85AED7BB9FF04B24F508256F919EB1C1E7708AC5CF50

Function 001104D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001104F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0011052E

Strings

nul, xrefs: 00110567

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3950a5eb73d988cd112b4de4c36dd9fe19af5f4523c4b86cd7d105caa8ae79cb
Instruction ID: 30e9e88cf8a1586961a53446449cd32cc76c13efc7e3fb8cb09deb82615d5c07
Opcode Fuzzy Hash: 3950a5eb73d988cd112b4de4c36dd9fe19af5f4523c4b86cd7d105caa8ae79cb
Instruction Fuzzy Hash: D1218071900305EFDB259F29DC44ADA77A5BF49764F204A29F8A1E72E0E7B099D0CF60

Function 001105A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001105C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00110601

Strings

nul, xrefs: 00110639

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3993b71fb632d34cc0e2ebc3f76cee48a4d9ebe8206b673cc6d6541e4a0e2788
Instruction ID: a9973082e7ef48236c783a56ce771e5d7d3a5c58625bf3ed306a8899b235883d
Opcode Fuzzy Hash: 3993b71fb632d34cc0e2ebc3f76cee48a4d9ebe8206b673cc6d6541e4a0e2788
Instruction Fuzzy Hash: 302183759003059FDB259F698C04ADA77E4BF99730F204A29F8A1E72D0D7F098E0CB50

Function 001340AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000A604C
Part of subcall function 000A600E: GetStockObject.GDI32(00000011), ref: 000A6060
Part of subcall function 000A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00134112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0013411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0013412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00134139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00134145

Strings

Msctls_Progress32, xrefs: 001340E3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e5cb032d835c7451d461005ea37c004144606794635d1fce9b3a7d1ab27491bb
Instruction ID: 39c0b3cde870d6007825d5f8bdb6f6be1ea6c57808ac504d6900f4f916bd8f02
Opcode Fuzzy Hash: e5cb032d835c7451d461005ea37c004144606794635d1fce9b3a7d1ab27491bb
Instruction Fuzzy Hash: D711B2B2140219BFEF119F64CC86EE77F6DEF08798F014111FA18A2190CB72AC61DBA4

Function 000DD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000DD7A3: _free.LIBCMT ref: 000DD7CC

_free.LIBCMT ref: 000DD82D

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000DD838
_free.LIBCMT ref: 000DD843
_free.LIBCMT ref: 000DD897
_free.LIBCMT ref: 000DD8A2
_free.LIBCMT ref: 000DD8AD
_free.LIBCMT ref: 000DD8B8

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ff497e5dc120d57a1c9c5c9f6fea1a1addca213f395938c6af0c32dc7486b923
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: EE115B71984B04AADA21BFB0CC47FCFBBDCAF10700F400827B29DA6293EA65B5059670

Function 0010DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0010DA74
LoadStringW.USER32(00000000), ref: 0010DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0010DA91
LoadStringW.USER32(00000000), ref: 0010DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0010DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0010DAB9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 079687a7557cf7efaa97509eabb9540bd1da3fbf496173229b92ca3842308344
Instruction ID: 5270f899f212136aeea65445d39e392ab8c613aa53dee4c6550a2f443a6bbcfa
Opcode Fuzzy Hash: 079687a7557cf7efaa97509eabb9540bd1da3fbf496173229b92ca3842308344
Instruction Fuzzy Hash: 720112F6500218BFE711ABA4DD89EE7766CE708701F404495F746F2081EBB49E848FB5

Function 0011096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E5D340,00E5D340), ref: 0011097B
EnterCriticalSection.KERNEL32(00E5D320,00000000), ref: 0011098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0011099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 001109A9
CloseHandle.KERNEL32(00000000), ref: 001109B8
InterlockedExchange.KERNEL32(00E5D340,000001F6), ref: 001109C8
LeaveCriticalSection.KERNEL32(00E5D320), ref: 001109CF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3012d9970e306423e1997899c2f8bcec2b2e84270a9fb72ff30772a090466090
Instruction ID: 354e5c3af01cff2556615bd0ec445aeeec759dd2d6e01a004329729766a851e5
Opcode Fuzzy Hash: 3012d9970e306423e1997899c2f8bcec2b2e84270a9fb72ff30772a090466090
Instruction Fuzzy Hash: A8F0C932442A12ABD7565BA4EE89ADABA29BF05716F402025F202A0CA1C7B594F5CFD0

Function 00121C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00121DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00121DE1
WSAGetLastError.WSOCK32 ref: 00121DF2
htons.WSOCK32(?), ref: 00121EDB
inet_ntoa.WSOCK32(?), ref: 00121E8C

Part of subcall function 001039E8: _strlen.LIBCMT ref: 001039F2

Part of subcall function 00123224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0011EC0C), ref: 00123240

_strlen.LIBCMT ref: 00121F35

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 782eea975bcc380667f8b815c599fd2faa854bd521afd5bcba3e4019a27ce546
Instruction ID: 8f7e0b461d747563d87a8d9ad76ea986da28c6bc529b4b3e1d8805cb42cadd8d
Opcode Fuzzy Hash: 782eea975bcc380667f8b815c599fd2faa854bd521afd5bcba3e4019a27ce546
Instruction Fuzzy Hash: A7B11031604310AFC324DF64D885E6A7BE5AF95318F58894CF46A5B2E3CB31EE46CB91

Function 000D01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 000D00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D00D6
__allrem.LIBCMT ref: 000D00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D010B
__allrem.LIBCMT ref: 000D0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000D0140

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: bf9cc5e3d399e1778035f576113a42683cdcd16fa782310f1107f538d7f6f42b
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 9D81E276A00706ABE724AB69CC41BAE73E9EF41364F25413FF415D7382E770D9018BA1

Function 000D61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000C82D9,000C82D9,?,?,?,000D644F,00000001,00000001,8BE85006), ref: 000D6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,000D644F,00000001,00000001,8BE85006,?,?,?), ref: 000D62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 000D63D8
__freea.LIBCMT ref: 000D63E5

Part of subcall function 000D3820: RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

__freea.LIBCMT ref: 000D63EE
__freea.LIBCMT ref: 000D6413

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 2e5567cecdca986e9a58bb65653cd8cdefd8c6a6a0a19ab459ef9669b342b14a
Instruction ID: 654851d1ec5bd3c3538849037f8ef52559a39edf0a83952cee85d274b71cdc69
Opcode Fuzzy Hash: 2e5567cecdca986e9a58bb65653cd8cdefd8c6a6a0a19ab459ef9669b342b14a
Instruction Fuzzy Hash: 0751E172A00316ABEB258F64CC81EBF7BA9EB44750F15422AFC05D6242DB36DD40D6B0

Function 0012BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 0012C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012C9F1
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA68
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0012BD25
RegCloseKey.ADVAPI32(00000000), ref: 0012BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0012BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0012BDF3
RegCloseKey.ADVAPI32(?), ref: 0012BDFF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 04e9ae22f55d4e78b0e869eb97994b7d5dfdec9bd37707e30e024b2d0b512e25
Instruction ID: 98f11de185fd7f6998e1937ff23e76f76155acdc63e6169c2aeefbcdf6819e62
Opcode Fuzzy Hash: 04e9ae22f55d4e78b0e869eb97994b7d5dfdec9bd37707e30e024b2d0b512e25
Instruction Fuzzy Hash: 8A81AC30208241AFC714DF64D8C1EAABBE5FF85308F14896CF5598B2A2DB31ED55CB92

Function 000FF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 000FF7B9
SysAllocString.OLEAUT32(00000001), ref: 000FF860
VariantCopy.OLEAUT32(000FFA64,00000000), ref: 000FF889
VariantClear.OLEAUT32(000FFA64), ref: 000FF8AD
VariantCopy.OLEAUT32(000FFA64,00000000), ref: 000FF8B1
VariantClear.OLEAUT32(?), ref: 000FF8BB

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 1569a686ec87b8ab2eb697ba53859e6cf55d3f3c6b5c5569ebd035c2c6fb67f6
Instruction ID: 45dda42e922c482ca00b24909b6c8969cbe7660f3ee57aa13f6551bb079ab3d0
Opcode Fuzzy Hash: 1569a686ec87b8ab2eb697ba53859e6cf55d3f3c6b5c5569ebd035c2c6fb67f6
Instruction Fuzzy Hash: 0351253160431ABACF20AB65C895B7DB3E8EF45310F208467EA01DF693DBB48C40E796

Function 0011910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 000A7620: _wcslen.LIBCMT ref: 000A7625

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 001194E5
_wcslen.LIBCMT ref: 00119506
_wcslen.LIBCMT ref: 0011952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00119585

Strings

X, xrefs: 00119412

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 714c2bc326f090ac81757b6369845ed7e053adf2c37bfa8d461b57e5bd48c7c7
Instruction ID: b0f405865d739efc98b3f3af6a964df03d86e17c27fb7a5719e8c31ea264815f
Opcode Fuzzy Hash: 714c2bc326f090ac81757b6369845ed7e053adf2c37bfa8d461b57e5bd48c7c7
Instruction Fuzzy Hash: 82E1A331A083508FC718DF64C891BAEB7E5BF85314F04896DF8999B2A2DB31DD45CB92

Function 000B920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

BeginPaint.USER32(?,?,?), ref: 000B9241
GetWindowRect.USER32(?,?), ref: 000B92A5
ScreenToClient.USER32(?,?), ref: 000B92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 000B92D3
EndPaint.USER32(?,?,?,?,?), ref: 000B9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 000F71EA

Part of subcall function 000B9339: BeginPath.GDI32(00000000), ref: 000B9357

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 88ae1c66a3c982c53be121142753632e844453b0af5c6d388555c2bcd55b8791
Instruction ID: 9802deea415fa8635b1d6b1aeef3df2d8723744d6f356043848d2b2709415b94
Opcode Fuzzy Hash: 88ae1c66a3c982c53be121142753632e844453b0af5c6d388555c2bcd55b8791
Instruction Fuzzy Hash: 0D41AD71104300AFD721DF28CC85FFA7BF8EB55724F140629FA98976A2C7319885EB62

Function 001107EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0011080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00110847
EnterCriticalSection.KERNEL32(?), ref: 00110863
LeaveCriticalSection.KERNEL32(?), ref: 001108DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001108F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00110921

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: eba1bb4b1a8d95530b4bdc1774a123de90de4343ab788084775455ea5ee3dd03
Instruction ID: 5cc8a5231ba466b7c8e8c3829609cac5fce895c53c66b02380e782105a65288a
Opcode Fuzzy Hash: eba1bb4b1a8d95530b4bdc1774a123de90de4343ab788084775455ea5ee3dd03
Instruction Fuzzy Hash: 2F414A71900205EBDF15AF64DC85AAA77B9FF08310F1440B9ED04AB297DB70DEA5DBA0

Function 0011581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 000A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000A3A97,?,?,000A2E7F,?,?,?,00000000), ref: 000A3AC2

_wcslen.LIBCMT ref: 0011587B
CoInitialize.OLE32(00000000), ref: 00115995
CoCreateInstance.OLE32(0013FCF8,00000000,00000001,0013FB68,?), ref: 001159AE
CoUninitialize.OLE32 ref: 001159CC

Strings

.lnk, xrefs: 00115876, 001158C1, 00115985

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a7ad1ce9711bd7582825ca8d7cf62eaa128a72db9fa8e4ec38e755eeefd42a5a
Instruction ID: 9d7268ed3217d721f9dfc68e79c33a2a03a84085a9e742360c456e0730ef4c27
Opcode Fuzzy Hash: a7ad1ce9711bd7582825ca8d7cf62eaa128a72db9fa8e4ec38e755eeefd42a5a
Instruction Fuzzy Hash: C3D15771608605DFC718DF24C480AAAB7E2EF89714F14896DF8899B362D731ED85CB92

Function 0010175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00100FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00100FCA
Part of subcall function 00100FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00100FD6
Part of subcall function 00100FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00100FE5
Part of subcall function 00100FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00100FEC
Part of subcall function 00100FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00101002

GetLengthSid.ADVAPI32(?,00000000,00101335), ref: 001017AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 001017BA
HeapAlloc.KERNEL32(00000000), ref: 001017C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 001017DA
GetProcessHeap.KERNEL32(00000000,00000000,00101335), ref: 001017EE
HeapFree.KERNEL32(00000000), ref: 001017F5

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7f573c9c80b5fcc20e9f9e72a9d66a890b31f77e7ad871214d3a0353cc6cee03
Instruction ID: 6f882e04e918171b8eaab32394b3170661140e412846c4d3d6a97088a7743f06
Opcode Fuzzy Hash: 7f573c9c80b5fcc20e9f9e72a9d66a890b31f77e7ad871214d3a0353cc6cee03
Instruction Fuzzy Hash: C2119D32600205FFDB149FA4CC49BAF7BF9EF4A355F104018F481A7290D7BAA984DBA0

Function 001014CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 001014FF
OpenProcessToken.ADVAPI32(00000000), ref: 00101506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00101515
CloseHandle.KERNEL32(00000004), ref: 00101520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0010154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00101563

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 89d37a479b8d8ecba7900f5edb6dbed8e99382ce90f8de055ac2a7f26b19bcc9
Instruction ID: 618ed3cf6e54419b8a9d7d5aa26668eb404759762b864be349442730d89f1d1c
Opcode Fuzzy Hash: 89d37a479b8d8ecba7900f5edb6dbed8e99382ce90f8de055ac2a7f26b19bcc9
Instruction Fuzzy Hash: B4112972504249BBDF118F98DD49BDE7BA9EF49754F044015FA45A20A0C3B58EA4DBA0

Function 000C3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000C3379,000C2FE5), ref: 000C3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000C339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000C33B7
SetLastError.KERNEL32(00000000,?,000C3379,000C2FE5), ref: 000C3409

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6a15710d5a9fa0f07cdc88e17aa5717ed4fe4f9d92388266ee519bfcfc2336bf
Instruction ID: a280d4b6dd4c8f4d9e8e3cf688131dfdd108841c1b7dd34e24c75ccef36d6c96
Opcode Fuzzy Hash: 6a15710d5a9fa0f07cdc88e17aa5717ed4fe4f9d92388266ee519bfcfc2336bf
Instruction Fuzzy Hash: FD012F3262C311BFEA2827B47C95FAE2A94EB05379320C22EF510912F2EF514E4262C4

Function 000D2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000D5686,000E3CD6,?,00000000,?,000D5B6A,?,?,?,?,?,000CE6D1,?,00168A48), ref: 000D2D78
_free.LIBCMT ref: 000D2DAB
_free.LIBCMT ref: 000D2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,000CE6D1,?,00168A48,00000010,000A4F4A,?,?,00000000,000E3CD6), ref: 000D2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,000CE6D1,?,00168A48,00000010,000A4F4A,?,?,00000000,000E3CD6), ref: 000D2DEC
_abort.LIBCMT ref: 000D2DF2

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2b9229969176cdfd6ba38f418865fd69670c49d1d66799052923bcef378f2d8c
Instruction ID: d6e20daeb626f5e13a6c10b450e65cc2567cac91208a51b5073cca40774ad716
Opcode Fuzzy Hash: 2b9229969176cdfd6ba38f418865fd69670c49d1d66799052923bcef378f2d8c
Instruction Fuzzy Hash: 88F0C8319057006BC2622734BC0AEAF35ABBFE27B1F25441BF864A27D3EF64884152B1

Function 00138A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B9693
Part of subcall function 000B9639: SelectObject.GDI32(?,00000000), ref: 000B96A2
Part of subcall function 000B9639: BeginPath.GDI32(?), ref: 000B96B9
Part of subcall function 000B9639: SelectObject.GDI32(?,00000000), ref: 000B96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00138A4E
LineTo.GDI32(?,00000003,00000000), ref: 00138A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00138A70
LineTo.GDI32(?,00000000,00000003), ref: 00138A80
EndPath.GDI32(?), ref: 00138A90
StrokePath.GDI32(?), ref: 00138AA0

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4246721e0d4de0d03be92d0cf9b3e2f0cb0dda8db7af18838a40c331deb07ca5
Instruction ID: 617786810c9386c7556551a40fc697743c285c4fd829e78e969ec07dd2997762
Opcode Fuzzy Hash: 4246721e0d4de0d03be92d0cf9b3e2f0cb0dda8db7af18838a40c331deb07ca5
Instruction Fuzzy Hash: 0E11DB7600014DFFEF129F94DC88EEA7F6DEB08354F048012BA19AA5A1C7719D95DFA0

Function 001051FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00105218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00105229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00105230
ReleaseDC.USER32(00000000,00000000), ref: 00105238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0010524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00105261

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 750bf55caa933937cb2e57fb6b8e66c683c50f57b91a71bb87504475e768bc0d
Instruction ID: 50afc5fcb719ff7f0208dffc5f0d7fbf7ab21b04c682a8615418da0fea7aa637
Opcode Fuzzy Hash: 750bf55caa933937cb2e57fb6b8e66c683c50f57b91a71bb87504475e768bc0d
Instruction Fuzzy Hash: 7A014FB5A00719BBEB109BA59C49A5EBFB9EF48751F044065FA04E7691D6709800CFA0

Function 000A1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 000A1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 000A1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 000A1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 000A1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 000A1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 000A1C22

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 921228c29b63bc8066a8b7144e9ee08dc69e6617400fe871eb80ff42906d182d
Instruction ID: 06d559e7afbf1c03411da5390940455eb0a82726e9ead62deb69cdac5917e18c
Opcode Fuzzy Hash: 921228c29b63bc8066a8b7144e9ee08dc69e6617400fe871eb80ff42906d182d
Instruction Fuzzy Hash: 68016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 0010EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0010EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0010EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0010EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0010EB75

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 68369bb8925a8da8db2f0dbd8b94040c242255dfe51e58de995fa4dad9d6399c
Instruction ID: ea8ab8a9e888df94ccad58ce09f0923a826af308d5ea5e019d82b9ca694a764b
Opcode Fuzzy Hash: 68369bb8925a8da8db2f0dbd8b94040c242255dfe51e58de995fa4dad9d6399c
Instruction Fuzzy Hash: F2F03AB2240158BBE7215B629C0EEEF3A7CEFCAB11F004158F601E1591E7A05A41DBF5

Function 00101874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0010187F
UnloadUserProfile.USERENV(?,?), ref: 0010188B
CloseHandle.KERNEL32(?), ref: 00101894
CloseHandle.KERNEL32(?), ref: 0010189C
GetProcessHeap.KERNEL32(00000000,?), ref: 001018A5
HeapFree.KERNEL32(00000000), ref: 001018AC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fab14bd59d2eab897d88de69e60e6653bc33988bc0ee4df3b6415228edcd337f
Instruction ID: fd3ab29dfaf3868e140389887f34411bdedd6b6f33f5e7ce3e578d010fab3803
Opcode Fuzzy Hash: fab14bd59d2eab897d88de69e60e6653bc33988bc0ee4df3b6415228edcd337f
Instruction Fuzzy Hash: C6E0E536004101FBDB015FA1ED0C90ABF39FF49B22B108220F225A1870CB3294B0EF90

Function 0012AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0012AEA3

Part of subcall function 000A7620: _wcslen.LIBCMT ref: 000A7625

GetProcessId.KERNEL32(00000000), ref: 0012AF38
CloseHandle.KERNEL32(00000000), ref: 0012AF67

Strings

@, xrefs: 0012AE72
<, xrefs: 0012AE6B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 4887326981f4dd8390e1e0c8f137d2264a1b7425b3891ca4ad4fa85bc0036370
Instruction ID: 0c238182bb5253496f389846cccf31163ab3761c12821fd247bf61fd57c711c6
Opcode Fuzzy Hash: 4887326981f4dd8390e1e0c8f137d2264a1b7425b3891ca4ad4fa85bc0036370
Instruction Fuzzy Hash: 6571AF71A00629DFCB14EFA4D484A9EBBF0FF09310F458499E81AAB352CB74ED55CB91

Function 00102716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001021D0,?,?,00000034,00000800,?,00000034), ref: 0010B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00102760

Part of subcall function 0010B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0010B3F8

Part of subcall function 0010B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0010B355
Part of subcall function 0010B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00102194,00000034,?,?,00001004,00000000,00000000), ref: 0010B365
Part of subcall function 0010B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00102194,00000034,?,?,00001004,00000000,00000000), ref: 0010B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 001027CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0010281A

Strings

@, xrefs: 00102832
@U=u, xrefs: 00102760, 001027CD, 0010281A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 4a7ec7d3e0e3ecb4bef8b3ed803c56438de28cc0eff45f3186691bedf4654255
Instruction ID: 11ac3a46e55cdf3bfcd3851eb6b4b50a367dc42c153233442c8b10bfcf4890c1
Opcode Fuzzy Hash: 4a7ec7d3e0e3ecb4bef8b3ed803c56438de28cc0eff45f3186691bedf4654255
Instruction Fuzzy Hash: BA411F76900218AFDB10DFA4CD85EDEBBB8EF15700F108055FA95B7191DBB06E45CBA1

Function 0010719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00107206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0010723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0010724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 001072CF

Strings

DllGetClassObject, xrefs: 00107242

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 5a5e0eec5288e6ae0d3161d312ec39fa57ac72557553104d0cdceff7bade6f6e
Instruction ID: c73ac3b9e721df5b642b12cf81a4c2f7268b0dc41098ab175c9375be969fd177
Opcode Fuzzy Hash: 5a5e0eec5288e6ae0d3161d312ec39fa57ac72557553104d0cdceff7bade6f6e
Instruction Fuzzy Hash: DA417EB1A04204EFDB15DF94C884A9A7BA9EF44310F1580ADBD059F28AD7F0ED45DBA0

Function 0010C27D Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0010C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0010C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00171990,@X), ref: 0010C395

Strings

@X, xrefs: 0010C28D
0, xrefs: 0010C2DF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0$@X
API String ID: 135850232-2336991443
Opcode ID: 32526b84611ebb39a7abe843e7a53eff3e3796e32fb2b0b42ac2f0de311f9d18
Instruction ID: 11c00415a21982d591180c53847fba2421d52bb6f199c9b834e1f6962003fb00
Opcode Fuzzy Hash: 32526b84611ebb39a7abe843e7a53eff3e3796e32fb2b0b42ac2f0de311f9d18
Instruction Fuzzy Hash: CF418E312043019FDB24DF25D884B5ABBE4BF85320F148B1DF9A59B2D2D7B0A904CFA2

Function 00137674 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0013769A
GetWindowRect.USER32(?,?), ref: 00137710
PtInRect.USER32(?,?,00138B89), ref: 00137720
MessageBeep.USER32(00000000), ref: 0013778C

Strings

8V, xrefs: 001376D6, 00137733

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID: 8V
API String ID: 1352109105-3441868543
Opcode ID: d9cf9ce0fb40c0f7c7de59bec65cae248203d76a469a20c9bc4e8bda217f530c
Instruction ID: 57a3007e72554af2b837d47b0974f98f0e1297d14f75354a294771ac78bb6f05
Opcode Fuzzy Hash: d9cf9ce0fb40c0f7c7de59bec65cae248203d76a469a20c9bc4e8bda217f530c
Instruction Fuzzy Hash: 4E41C0B4609254EFCB21CF58C899FA97BF4FF49314F1540A8E5149B2A1C330E982CF90

Function 0012C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0012C9F1
_wcslen.LIBCMT ref: 0012CA68
_wcslen.LIBCMT ref: 0012CA9E
_wcslen.LIBCMT ref: 0012CAF9
_wcslen.LIBCMT ref: 0012CB2F
_wcslen.LIBCMT ref: 0012CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 0012CA62, 0012CA67
HKLM, xrefs: 0012CA98, 0012CA9D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 3f39d1fefb03205cba77fba24c5f0d4301486cb5daad4d47376c37c5e181ba69
Instruction ID: 384901f48e1dfc6e2ddf3c05e35e16d365cf3ad1a97d653426f5c56e0560d6af
Opcode Fuzzy Hash: 3f39d1fefb03205cba77fba24c5f0d4301486cb5daad4d47376c37c5e181ba69
Instruction Fuzzy Hash: 2731E673A0017A4BCB20DF6CE9515BE3391ABA1794B554029E945AB285FB71CEA093E0

Function 00134653 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00134705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00134713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0013471A

Strings

msctls_updown32, xrefs: 00134684
8V, xrefs: 001346D0, 001346EF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: 8V$msctls_updown32
API String ID: 4014797782-2083019474
Opcode ID: 3f8df3bc0b5b0a2b89d891ab73eb290abf567fc56753f91d2fe45e308d240ef6
Instruction ID: 7f2e732e9b6c8a8dd9e48a949d8cc4f048d41ec9129c99040887163171965e15
Opcode Fuzzy Hash: 3f8df3bc0b5b0a2b89d891ab73eb290abf567fc56753f91d2fe45e308d240ef6
Instruction Fuzzy Hash: 52213EB5600209AFDB11DF68DC91DA737ADEB5A3A8B140059FA059B291CB71FC51CA60

Function 00132F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00132F8D
LoadLibraryW.KERNEL32(?), ref: 00132F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00132FA9
DestroyWindow.USER32(?), ref: 00132FB1

Strings

SysAnimate32, xrefs: 00132F68

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: b8876f7347c4e683ef0de4c02ba66ecd0a96a3f82f842a4b5dd3ddf0b441f2bb
Instruction ID: 1541743ff98b20010cefe488310cfba989025e43ae95fb8c3c027bb94987ffd4
Opcode Fuzzy Hash: b8876f7347c4e683ef0de4c02ba66ecd0a96a3f82f842a4b5dd3ddf0b441f2bb
Instruction Fuzzy Hash: 78218C72204205ABEF106FA4DC81EBB77BDEB59364F104618FA50E6190D771DC919760

Function 00138FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

GetCursorPos.USER32(?), ref: 00139001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,000F7711,?,?,?,?,?), ref: 00139016
GetCursorPos.USER32(?), ref: 0013905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,000F7711,?,?,?), ref: 00139094

Strings

8V, xrefs: 0013902E, 00139064

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: 8V
API String ID: 2864067406-3441868543
Opcode ID: 9d82453810c7fec02d637f9a661fcfe3fb504ab6ac0215735b8c502a29e1feef
Instruction ID: 795188670b3fcf98ae6c3e908ec92128c49a6db6d5c826604162fd0c841587ed
Opcode Fuzzy Hash: 9d82453810c7fec02d637f9a661fcfe3fb504ab6ac0215735b8c502a29e1feef
Instruction Fuzzy Hash: BA21DE35600118FFCB298FA8CC58EFA3FB9EF89350F004069FA059B261C3719990DBA0

Function 00135660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001356BB
_wcslen.LIBCMT ref: 001356CD
_wcslen.LIBCMT ref: 001356D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00135816

Strings

@U=u, xrefs: 001356BB, 00135816

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: 0c52c957c05124590a745d9cbd175dd2bd27c56d41b267ca92e9b3b1bfd6675a
Instruction ID: 7048cca592f93289ba72545d4b1ffe8e18ff8b6d414bb90d64dbcd8c728b0e97
Opcode Fuzzy Hash: 0c52c957c05124590a745d9cbd175dd2bd27c56d41b267ca92e9b3b1bfd6675a
Instruction Fuzzy Hash: 8411E6B1A00618A6DF20DF65CC86EEE77BDFF11B64F50406AF915E6081EB70CA84CB60

Function 000A600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000A604C
GetStockObject.GDI32(00000011), ref: 000A6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 000A606A

Strings

@U=u, xrefs: 000A606A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 10e4e84a849bd21f6c6cdb5475db0b2737dbf0e07a28faa371b31fcaee7de5f7
Instruction ID: 717134b0b041c200491f683294ece789d4877291d9263270181d07d37b20f4e9
Opcode Fuzzy Hash: 10e4e84a849bd21f6c6cdb5475db0b2737dbf0e07a28faa371b31fcaee7de5f7
Instruction Fuzzy Hash: 32116172501549BFEF124FA49C54EEB7BB9EF09354F050115FA1462110D732ACE0DB90

Function 00137803 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,001718B0,0013A364,000000FC,?,00000000,00000000,?,?,?,000F76CF,?,?,?,?,?), ref: 00137805
GetFocus.USER32 ref: 0013780D

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

SendMessageW.USER32(00E6E730,000000B0,000001BC,000001C0), ref: 0013787A

Strings

8V, xrefs: 00137841, 00137852
@U=u, xrefs: 0013787A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: 8V$@U=u
API String ID: 3601265619-1020947142
Opcode ID: bab4f856ddf21360b63e728e4df3a80dec393b3c609f75e52c345747dac66e25
Instruction ID: 80aca97dc3b0c7bed03975618dfc85b1d82176e4b3f7438e5bfabe5e0779adbb
Opcode Fuzzy Hash: bab4f856ddf21360b63e728e4df3a80dec393b3c609f75e52c345747dac66e25
Instruction Fuzzy Hash: 71018F71605200AFC335DB2CE858AF637F6AF8A324F1802ADE515977E1DB316C82CB80

Function 000C4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,000C4D1E,000D28E9,?,000C4CBE,000D28E9,001688B8,0000000C,000C4E15,000D28E9,00000002), ref: 000C4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000C4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,000C4D1E,000D28E9,?,000C4CBE,000D28E9,001688B8,0000000C,000C4E15,000D28E9,00000002,00000000), ref: 000C4DC3

Strings

CorExitProcess, xrefs: 000C4D98
mscoree.dll, xrefs: 000C4D86

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 155e69ecd2044cc7e2c735404ef49cb2ff8d4346167a5d26b827d4e46b39ea54
Instruction ID: 34c7275dbba8e4e30f756014ecb4db237232e632bc8cc06b3889832cd6132da9
Opcode Fuzzy Hash: 155e69ecd2044cc7e2c735404ef49cb2ff8d4346167a5d26b827d4e46b39ea54
Instruction Fuzzy Hash: A4F04F35A40208FBDB119F95DC59FEDBBF5EF44752F0001A8F906A2660CB705A80DBD1

Function 000FD3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000FD3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 000FD3BF
FreeLibrary.KERNEL32(00000000), ref: 000FD3E5

Strings

X64, xrefs: 000FD2A8
GetSystemWow64DirectoryW, xrefs: 000FD3B9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 62eafd3905ef07ac989f2f11ea8e999ad9c78be109175a147eb9a3b17cf1c3bf
Instruction ID: 38028aa2f4ffb51424b51e5f78c2a67631c5af1a3697b37f9daf2dd644b743fb
Opcode Fuzzy Hash: 62eafd3905ef07ac989f2f11ea8e999ad9c78be109175a147eb9a3b17cf1c3bf
Instruction Fuzzy Hash: 27F02032806629DBE7B05710CC689BD73A2AF21B01F548057E702F2914DB20CE80B7C2

Function 000A4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000A4EDD,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 000A4EAE
FreeLibrary.KERNEL32(00000000,?,?,000A4EDD,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4EC0

Strings

kernel32.dll, xrefs: 000A4E94
Wow64DisableWow64FsRedirection, xrefs: 000A4EA8

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 9765d9e8d51f790da326f224f41c3664c99117c83efd0154cd4ffb4bdb66b643
Instruction ID: df9347e80958e4f8dd0967c14b541b50a954b556c1381ab4c9268d497b144733
Opcode Fuzzy Hash: 9765d9e8d51f790da326f224f41c3664c99117c83efd0154cd4ffb4bdb66b643
Instruction Fuzzy Hash: 7EE0CD3AA015229BD27157657C18B5F75D4AFC3F63B050115FC05F3100DBE0CD4156E0

Function 000A4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,000E3CDE,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 000A4E74
FreeLibrary.KERNEL32(00000000,?,?,000E3CDE,?,00171418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 000A4E87

Strings

kernel32.dll, xrefs: 000A4E5B
Wow64RevertWow64FsRedirection, xrefs: 000A4E6E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d3ffbee8ce00b3faad483de5abe0f2e015be3f8a696d7df52bf19c6e4a2c47ae
Instruction ID: 1ff0ee0708631de96bbfa09111e93bbff50d9055da7c6113f7b44ddf6fc6ffd5
Opcode Fuzzy Hash: d3ffbee8ce00b3faad483de5abe0f2e015be3f8a696d7df52bf19c6e4a2c47ae
Instruction Fuzzy Hash: CCD0123A50262197D6625B657C18DCB6A98AFC7B513050515B905F2154CFA0CD4196D0

Function 0012A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0012A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0012A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0012A468
CloseHandle.KERNEL32(?), ref: 0012A63D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 543808dbcb7affbb7e1c66922e3341fc25a0bd64e0a2674f444e767c0c788e21
Instruction ID: d37109ebfc311f2feb1d32264b7b82e1bcc74956e7ae60367798f040b256c487
Opcode Fuzzy Hash: 543808dbcb7affbb7e1c66922e3341fc25a0bd64e0a2674f444e767c0c788e21
Instruction Fuzzy Hash: 00A1AF71604301AFE720DF24D886F6AB7E5AF84714F54881DF99A9B293D7B0EC41CB92

Function 000DBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00143700), ref: 000DBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0017121C,000000FF,00000000,0000003F,00000000,?,?), ref: 000DBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00171270,000000FF,?,0000003F,00000000,?), ref: 000DBC36
_free.LIBCMT ref: 000DBB7F

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000DBD4B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 6d408a406bc9bc17d1ba31d251586f40f1796214632b371cbdb964ca3dc5a912
Instruction ID: c9851c540b33bcb3c62df6c4dcaf60fd14750d19cfb6df51651dba357a486265
Opcode Fuzzy Hash: 6d408a406bc9bc17d1ba31d251586f40f1796214632b371cbdb964ca3dc5a912
Instruction Fuzzy Hash: 67519871900309EFC720DF699C419AEB7F8FF44350B21426BE554E7392EB709E819BA0

Function 0010E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0010DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0010CF22,?), ref: 0010DDFD

Part of subcall function 0010DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0010CF22,?), ref: 0010DE16

Part of subcall function 0010E199: GetFileAttributesW.KERNEL32(?,0010CF95), ref: 0010E19A

lstrcmpiW.KERNEL32(?,?), ref: 0010E473
MoveFileW.KERNEL32(?,?), ref: 0010E4AC
_wcslen.LIBCMT ref: 0010E5EB
_wcslen.LIBCMT ref: 0010E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0010E650

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 925bef974897ef29b38dbb16559148e8101a000e119ee8c79356e709184d78d7
Instruction ID: d8bc7c4342e8b072cded9d65475755aed2ac802b47a1e1af6f65ac028bd7e559
Opcode Fuzzy Hash: 925bef974897ef29b38dbb16559148e8101a000e119ee8c79356e709184d78d7
Instruction Fuzzy Hash: EA5150B25083455BC724EB90DC81ADFB3ECAF95340F00492EF5C9D3192EFB5A6888766

Function 0012B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 0012C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0012B6AE,?,?), ref: 0012C9B5
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012C9F1
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA68
Part of subcall function 0012C998: _wcslen.LIBCMT ref: 0012CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0012BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0012BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0012BB63
RegCloseKey.ADVAPI32(?,?), ref: 0012BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0012BBB3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 3bdf3d89cd57d0087117ba79263e34b9ec94752e731cce5aa0ad3fc9614a4bd5
Instruction ID: 77f046b556bbc9f5ba5a1b7646b24d75f6ad84bf81157c70b126b566cc7a8d6d
Opcode Fuzzy Hash: 3bdf3d89cd57d0087117ba79263e34b9ec94752e731cce5aa0ad3fc9614a4bd5
Instruction Fuzzy Hash: 1461C031208241AFC714DF64D8D0E6ABBE5FF85308F54896CF4998B2A2DB31ED45CB92

Function 00108BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00108BCD
VariantClear.OLEAUT32 ref: 00108C3E
VariantClear.OLEAUT32 ref: 00108C9D
VariantClear.OLEAUT32(?), ref: 00108D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00108D3B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: fc00232cdadf8b89c3e89fe8e1dd24decb7129e111527cdcca4e67b0daef05e1
Instruction ID: f5d0059275d8c2c8e976910a9aabaa2e2a3bdc5f2119e250a4842dc4c1feb545
Opcode Fuzzy Hash: fc00232cdadf8b89c3e89fe8e1dd24decb7129e111527cdcca4e67b0daef05e1
Instruction Fuzzy Hash: 46517BB5A00219EFCB14CF68C894AAAB7F8FF89310B158559F985EB350E770E911CF90

Function 00118AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00118BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00118BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00118C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00118C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00118C5F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8c901dcca4183dac243499585b12043528e2cced766ddb60abbd097382c2ed28
Instruction ID: 5a1500254b7b0b5f2cd9fc3f2fd8899d1842f9f9921f0663167c25693f28ebd8
Opcode Fuzzy Hash: 8c901dcca4183dac243499585b12043528e2cced766ddb60abbd097382c2ed28
Instruction Fuzzy Hash: DD512935A006159FCB05DFA4C881AAEBBF5FF49354F08C468E849AB362DB35ED51CB90

Function 00128EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00128F40
GetProcAddress.KERNEL32(00000000,?), ref: 00128FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00128FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00129032
FreeLibrary.KERNEL32(00000000), ref: 00129052

Part of subcall function 000BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00111043,?,75B8E610), ref: 000BF6E6
Part of subcall function 000BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000FFA64,00000000,00000000,?,?,00111043,?,75B8E610,?,000FFA64), ref: 000BF70D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 9900502389fad0de2b67bc230a9220f0bfbb584e2d642e1d3e9fd551cda90204
Instruction ID: 2d0eb5079be0129201bd899d19a721c6b4731e821f96638848308349f801264d
Opcode Fuzzy Hash: 9900502389fad0de2b67bc230a9220f0bfbb584e2d642e1d3e9fd551cda90204
Instruction Fuzzy Hash: 49514834A01215DFC704DF68D4949ADBBF1FF49314F0980A8E80AAB762DB31ED85CB90

Function 000D2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000D20C3
_free.LIBCMT ref: 000D20E3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c005b6917ec606225e49079f61697e69d4776f09ac20643627f5c402b13c8b79
Instruction ID: df2557de01ba413d2f09bb8e6218c99a20b6f2a3d9876a9d615ac2da94cc9fed
Opcode Fuzzy Hash: c005b6917ec606225e49079f61697e69d4776f09ac20643627f5c402b13c8b79
Instruction Fuzzy Hash: FB41A336A00300AFCB24DF78C981AADB7E5EF99314B1585AAE515EB352DA31AD01DB90

Function 00113874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001138CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00113922
TranslateMessage.USER32(?), ref: 0011394B
DispatchMessageW.USER32(?), ref: 00113955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00113966

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7aad32be04f060ce4b79913b1c3b93cce4399e9d949f8476239f74f1e18045da
Instruction ID: 9115ca6983becb4fdbe00327b7f39b01243a6527da566573c2b43775804af118
Opcode Fuzzy Hash: 7aad32be04f060ce4b79913b1c3b93cce4399e9d949f8476239f74f1e18045da
Instruction Fuzzy Hash: 9C31A470904349AEEB3DCB349849BF63BB8AB15318F04057DE476925A4E3B4AAC5CB51

Function 0011CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0011CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0011CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0011C21E,00000000), ref: 0011CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0011C21E,00000000), ref: 0011CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0011C21E,00000000), ref: 0011CFF2

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: fe21fb09b3a21fb2c25b0fefbb56f927c69711d53732198bb8fdf18ba0750a11
Instruction ID: f37587e0f53dffa5ea2bce8d78ec5a50109dcd76c5be79b3e345a543140ffec1
Opcode Fuzzy Hash: fe21fb09b3a21fb2c25b0fefbb56f927c69711d53732198bb8fdf18ba0750a11
Instruction Fuzzy Hash: 75314C71540206AFDB28DFA5C884AEBBBF9EB14350B10443EF516E2141DB30EE82DBA0

Function 00101901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00101915
PostMessageW.USER32(00000001,00000201,00000001), ref: 001019C1
Sleep.KERNEL32(00000000,?,?,?), ref: 001019C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 001019DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 001019E2

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8ec7e067bd1548d707a386ff2f9f9584b7fbdbb059068a6ab0060fd01fb8dafa
Instruction ID: bb39bded4fc7f432b27f602ba3d777a4f62be4db8b2eafbc8559d14cd442272e
Opcode Fuzzy Hash: 8ec7e067bd1548d707a386ff2f9f9584b7fbdbb059068a6ab0060fd01fb8dafa
Instruction Fuzzy Hash: 2F31C072A00219FFCB04CFA8CD99ADE3BB5FB05319F104229F961A72D1C7B49944DB90

Function 00120930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00120951
GetForegroundWindow.USER32 ref: 00120968
GetDC.USER32(00000000), ref: 001209A4
GetPixel.GDI32(00000000,?,00000003), ref: 001209B0
ReleaseDC.USER32(00000000,00000003), ref: 001209E8

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 1a9020eea4d28bcc3e7b4eb7ad73b82fb50dd06ad18d385b7bc8254a63b7026d
Instruction ID: abd49457cb3b08c26bc4351c96492889e4cfcc08d98b4cfacee9e2c472b81678
Opcode Fuzzy Hash: 1a9020eea4d28bcc3e7b4eb7ad73b82fb50dd06ad18d385b7bc8254a63b7026d
Instruction Fuzzy Hash: 8A218475600214AFD704EFA5DC55AAEB7F5EF49700F048078E84AE7762CB30AC44CB90

Function 000DCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000DCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000DCDE9

Part of subcall function 000D3820: RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 000DCE0F
_free.LIBCMT ref: 000DCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 000DCE31

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a4b3e182e6adcd0921588b23e328918e29543f89e84708118c30c84b20d535a2
Instruction ID: 8176a3238c032af8e68aebd819b06b8c3e3c1e2f326e52735b48fa0957f35149
Opcode Fuzzy Hash: a4b3e182e6adcd0921588b23e328918e29543f89e84708118c30c84b20d535a2
Instruction Fuzzy Hash: A30184B26013167F772116BA6C88D7FBAADEFC6BA1315012BF905D7301EA618D01D2F4

Function 000B9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B9693
SelectObject.GDI32(?,00000000), ref: 000B96A2
BeginPath.GDI32(?), ref: 000B96B9
SelectObject.GDI32(?,00000000), ref: 000B96E2

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 057f25ef9e4b9ff0f2c41e265cc4fa36034e21fbbc907d579f3fe6edc5646db6
Instruction ID: 950fbad93d012baee0dfc07337bbeaf01b39234c24fedee049920847eb3aaf69
Opcode Fuzzy Hash: 057f25ef9e4b9ff0f2c41e265cc4fa36034e21fbbc907d579f3fe6edc5646db6
Instruction Fuzzy Hash: 6B218E71802305FBDB119F28EC19BE97BB9FB10319F100216F618A65B0D37098D2DB90

Function 00105711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00105726
_memcmp.LIBVCRUNTIME ref: 00105744
_memcmp.LIBVCRUNTIME ref: 00105757
_memcmp.LIBVCRUNTIME ref: 0010576F
_memcmp.LIBVCRUNTIME ref: 00105787

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d89368569f2ada940297f04ab01e65662139f782c2bcfb9f0796d0c86b34d31c
Instruction ID: 81d457116e1959cf69c722f3d00c5fe1c6b2e93773b31549c819e8d494c79f42
Opcode Fuzzy Hash: d89368569f2ada940297f04ab01e65662139f782c2bcfb9f0796d0c86b34d31c
Instruction Fuzzy Hash: 2101B9B1681605BBD71856109E42FFF735E9F21398F804028FD449A2C3F7E0EE1196A1

Function 000D2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000CF2DE,000D3863,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6), ref: 000D2DFD
_free.LIBCMT ref: 000D2E32
_free.LIBCMT ref: 000D2E59
SetLastError.KERNEL32(00000000,000A1129), ref: 000D2E66
SetLastError.KERNEL32(00000000,000A1129), ref: 000D2E6F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 33862968ee2b3595bcb3b7d490bb37f3306564cd415c3e07b07723da35f1009b
Instruction ID: 7bd7699ac510360e7bae6c97d0c274bccc2e8fdf9fb66159a7fc420dd3096a25
Opcode Fuzzy Hash: 33862968ee2b3595bcb3b7d490bb37f3306564cd415c3e07b07723da35f1009b
Instruction Fuzzy Hash: B701F4326057006BC62267746C46DAF27A9ABF13B2B25442BF425A3393EBB0CC414170

Function 0010000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?,?,0010035E), ref: 0010002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?), ref: 00100064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,000FFF41,80070057,?,?), ref: 00100070

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 239f70ae565c4fc7d60ec929c6f2b7eeb052d36e1697f3f09fd7ef351d093a0a
Instruction ID: 1a365482af7ce64a2fb81e02dfc87f65085c5819d0eb4ccfaca6feb4eb59375b
Opcode Fuzzy Hash: 239f70ae565c4fc7d60ec929c6f2b7eeb052d36e1697f3f09fd7ef351d093a0a
Instruction Fuzzy Hash: 9101A276600204BFDB124F68DC08BAA7AEDEF48791F144128F945E2254DBB1DE808BA0

Function 0010E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0010E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0010E9A5
Sleep.KERNEL32(00000000), ref: 0010E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0010E9B7
Sleep.KERNEL32 ref: 0010E9F3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 70b0b08f9903ebef89c4c0d7028f80542e9917671e3dab0db1ca16280d026213
Instruction ID: 9cd847478cec0b13bfbc79cc8a2534a085504ff25ada9f4ca157d19452f8eccc
Opcode Fuzzy Hash: 70b0b08f9903ebef89c4c0d7028f80542e9917671e3dab0db1ca16280d026213
Instruction Fuzzy Hash: 0A015E31C0162DDBCF00AFE6DD59AEDBBB8FF09705F010956E582B2291CB709694DBA1

Function 001010F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00101114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 0010112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00100B9B,?,?,?), ref: 00101136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0010114D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 73a2681c4a3cfb1882380859939b4a550f8664892dee12f238591f7be99cb281
Instruction ID: 8b8373a8552f9df23d0656df7c741fda964dd43972e145de3eda94c079a3c310
Opcode Fuzzy Hash: 73a2681c4a3cfb1882380859939b4a550f8664892dee12f238591f7be99cb281
Instruction Fuzzy Hash: 8A013C79200215FFDB154FA5DC49E6A3F6EEF893A0B244419FA85E73A0DB71DC409BA0

Function 00100FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00100FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00100FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00100FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00100FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00101002

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 031397b45d817376622508b30420710c7c7437ecc8de95f5072d5989d10ad4dd
Instruction ID: 725bffbaa7c05fef60a1dbfe6e59ff917ca5a6465cd2738419ebe202bf624ea3
Opcode Fuzzy Hash: 031397b45d817376622508b30420710c7c7437ecc8de95f5072d5989d10ad4dd
Instruction Fuzzy Hash: 7DF04939200301FBDB224FA49C49F563BADEF89762F204414FA85E7291CA74DC908BA0

Function 00101014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0010102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00101036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00101045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0010104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00101062

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8f313ff6a1538478430850d1f8be8667fa21f240f29badb804b02b6a583816d4
Instruction ID: aea1216b2ef7f95cb892f4b8e2f0a8b406621d16444601e4ff159546f45191cd
Opcode Fuzzy Hash: 8f313ff6a1538478430850d1f8be8667fa21f240f29badb804b02b6a583816d4
Instruction Fuzzy Hash: A0F06D39200301FBDB215FA4EC49F563BADFF89761F200814FA85E7290CB74D8908BA0

Function 0011030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 00110324
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 00110331
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 0011033E
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 0011034B
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 00110358
CloseHandle.KERNEL32(?,?,?,?,0011017D,?,001132FC,?,00000001,000E2592,?), ref: 00110365

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7577300ce8fd59d0807e19a574b868ef9035360eb9e9676f4a84ca771948b613
Instruction ID: 28550576681d9464642cd3a2527de403152a3b41cfeb6943a325547dec219deb
Opcode Fuzzy Hash: 7577300ce8fd59d0807e19a574b868ef9035360eb9e9676f4a84ca771948b613
Instruction Fuzzy Hash: C701EE72800B018FCB31AF66D880842FBF9BF643153058A3FD1A252930C3B1A999CF80

Function 000DD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000DD752

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000DD764
_free.LIBCMT ref: 000DD776
_free.LIBCMT ref: 000DD788
_free.LIBCMT ref: 000DD79A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2279e52524bf1be8991ab8d27d00547a798bfb063b21a117e0c658b701728cd4
Instruction ID: c0d75d5aac474684a61265415860962429762912017e6ef896d5675a1942a638
Opcode Fuzzy Hash: 2279e52524bf1be8991ab8d27d00547a798bfb063b21a117e0c658b701728cd4
Instruction Fuzzy Hash: F2F06232548304AB8661EB68FDC5C6AB7DDBB44310B940847F098D7B02D730FC808AB0

Function 00105C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00105C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00105C6F
MessageBeep.USER32(00000000), ref: 00105C87
KillTimer.USER32(?,0000040A), ref: 00105CA3
EndDialog.USER32(?,00000001), ref: 00105CBD

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: aa800b93f4394b5c19fc6cee5f67c8fcee13d6e6111fc9fae859bc4144184e67
Instruction ID: de45e5687e281de8252dc1a907ab907937a5f979231091dba74e59b8a8118924
Opcode Fuzzy Hash: aa800b93f4394b5c19fc6cee5f67c8fcee13d6e6111fc9fae859bc4144184e67
Instruction Fuzzy Hash: CC016D71500B04ABFB255B10DE4FFA67BBDBB00B05F041559E583B15E1DBF4A9848F90

Function 000D22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000D22BE

Part of subcall function 000D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000), ref: 000D29DE
Part of subcall function 000D29C8: GetLastError.KERNEL32(00000000,?,000DD7D1,00000000,00000000,00000000,00000000,?,000DD7F8,00000000,00000007,00000000,?,000DDBF5,00000000,00000000), ref: 000D29F0

_free.LIBCMT ref: 000D22D0
_free.LIBCMT ref: 000D22E3
_free.LIBCMT ref: 000D22F4
_free.LIBCMT ref: 000D2305

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8919ec3ad16d7f711759ecb71837908de87c9ded78b1bdcd451c5410434c6396
Instruction ID: d3e851eb99c1cb74676163ba1a72f37689d8d19571ea142cb30926107a2c31d2
Opcode Fuzzy Hash: 8919ec3ad16d7f711759ecb71837908de87c9ded78b1bdcd451c5410434c6396
Instruction Fuzzy Hash: F1F0B775811320AB8622AF68AC118A87AB9B72CB61715054BF418D6BB2CB7109D1AEF4

Function 000B95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 000B95D4
StrokeAndFillPath.GDI32(?,?,000F71F7,00000000,?,?,?), ref: 000B95F0
SelectObject.GDI32(?,00000000), ref: 000B9603
DeleteObject.GDI32 ref: 000B9616
StrokePath.GDI32(?), ref: 000B9631

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 5a06d6aaa5aef22b3a2d0ca84852c61077ccecc9c5543418cf6390efab744262
Instruction ID: e32414d5a4074f7292bee47efb1726d766203ba7b7e7551f4470fa500d794790
Opcode Fuzzy Hash: 5a06d6aaa5aef22b3a2d0ca84852c61077ccecc9c5543418cf6390efab744262
Instruction Fuzzy Hash: 79F0E735006748EBDB265F69ED1CBA83FB5AB0132AF048214F669698F0C73089D6DF60

Function 000D0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 000D10F9
__freea.LIBCMT ref: 000D1117

Part of subcall function 000D1537: _free.LIBCMT ref: 000D154F

Strings

am/pm, xrefs: 000D117A
a/p, xrefs: 000D11DE

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 86fa12834ad8307eb9a0a49e2bdcff5fecdcc8a8419ce272d306de5c01bfe5b2
Instruction ID: e3ac88e627c696251f6986223a319d2ef260c7ba016b878b630633f654f823e8
Opcode Fuzzy Hash: 86fa12834ad8307eb9a0a49e2bdcff5fecdcc8a8419ce272d306de5c01bfe5b2
Instruction Fuzzy Hash: 62D1DF75900306AADB689F68C855BFEBBF1EF05300F28411BE9059B791DB759E80CBB1

Function 00127B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 000C0242: EnterCriticalSection.KERNEL32(0017070C,00171884,?,?,000B198B,00172518,?,?,?,000A12F9,00000000), ref: 000C024D
Part of subcall function 000C0242: LeaveCriticalSection.KERNEL32(0017070C,?,000B198B,00172518,?,?,?,000A12F9,00000000), ref: 000C028A

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 000C00A3: __onexit.LIBCMT ref: 000C00A9

__Init_thread_footer.LIBCMT ref: 00127BFB

Part of subcall function 000C01F8: EnterCriticalSection.KERNEL32(0017070C,?,?,000B8747,00172514), ref: 000C0202
Part of subcall function 000C01F8: LeaveCriticalSection.KERNEL32(0017070C,?,000B8747,00172514), ref: 000C0235

Strings

G, xrefs: 00127C7F
5, xrefs: 00127C78
Variable must be of type 'Object'., xrefs: 00127C3A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 5c402fe9de65b047a84b098d09cccdcdb0f66011a3c0c365d0f0103ea95d301f
Instruction ID: 014372526d9bef4cfd179e6b6b572a4d08c7e57213a4b6537b5d4b1d69119059
Opcode Fuzzy Hash: 5c402fe9de65b047a84b098d09cccdcdb0f66011a3c0c365d0f0103ea95d301f
Instruction Fuzzy Hash: 7D917C70A04219EFCB14EF94E991DEEB7B1FF45300F148059F806AB292DB71AE61CB51

Function 000D172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LisectAVT_2403002A_101.exe,00000104), ref: 000D1769
_free.LIBCMT ref: 000D1834
_free.LIBCMT ref: 000D183E

Strings

C:\Users\user\Desktop\LisectAVT_2403002A_101.exe, xrefs: 000D1760, 000D1767, 000D1796, 000D17CE

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\LisectAVT_2403002A_101.exe
API String ID: 2506810119-1051274531
Opcode ID: bea5434ec98b984c26fa748818f586a117ccfd9ef8a8ec6dd766434fe4c2080a
Instruction ID: 459861284d9bb02f3426238a3e08f43ac3480ac38004bae4a6ec5463ced51e8f
Opcode Fuzzy Hash: bea5434ec98b984c26fa748818f586a117ccfd9ef8a8ec6dd766434fe4c2080a
Instruction Fuzzy Hash: 0D316F75A04319BBDB21DB99D885DDEBBFCEB95310B2441A7F404D7312DE708A80DBA0

Function 00134416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0013CC08,00000000,?,?,?,?), ref: 001344AA
GetWindowLongW.USER32 ref: 001344C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 001344D7

Strings

SysTreeView32, xrefs: 0013447C

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 7f28faa38463a0d1a6c6e389b00d6a54f3de0dd24eb8a70d274e56607148ca32
Instruction ID: 6522b1f5d5139022e3ac1364d50a0d148accf91ca06b88e424546a9d8086cf53
Opcode Fuzzy Hash: 7f28faa38463a0d1a6c6e389b00d6a54f3de0dd24eb8a70d274e56607148ca32
Instruction Fuzzy Hash: 2E317E72210605AFDB219F78DC45BEA77A9EB09334F204725F975A21D1D770EC909790

Function 00134537 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0013461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00134634

Strings

8V, xrefs: 001345D7
', xrefs: 0013458E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: '$8V
API String ID: 3850602802-5232302
Opcode ID: 8bb080e633469532f0d7c949a355278f8a1a03ecfdd5517fc41a78ad153d743c
Instruction ID: 7ef154ec3c58cb926ce21a24b1531fdb4d604b19d002ff672ac790718c8d8c01
Opcode Fuzzy Hash: 8bb080e633469532f0d7c949a355278f8a1a03ecfdd5517fc41a78ad153d743c
Instruction Fuzzy Hash: 1A31F6B5E0130AAFDB14CFA9C991BDABBB5FF49300F14406AE905AB391D770A945CF90

Function 0012304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0012335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00123077,?,?), ref: 00123378

inet_addr.WSOCK32(?), ref: 0012307A
_wcslen.LIBCMT ref: 0012309B
htons.WSOCK32(00000000), ref: 00123106

Strings

255.255.255.255, xrefs: 00123095, 0012309A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: bcb119dc5edf5e21c08cc5444ad063d436debe58ba7f6bad7501aed4628cfe9f
Instruction ID: c87c69f433e41119bc83001ea4451c02b4c5e7c6b3440e7e49549d4193165cb9
Opcode Fuzzy Hash: bcb119dc5edf5e21c08cc5444ad063d436debe58ba7f6bad7501aed4628cfe9f
Instruction Fuzzy Hash: 743104352002219FCB10CF68D486EAA77E0EF14318F258099E8258B392DB3AEF51C770

Function 001095AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0010961D

Strings

#notrayicon, xrefs: 001095B7
#requireadmin, xrefs: 001095D9
#OnAutoItStartRegister, xrefs: 001095F3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 5998e946edf44e6405ff81e1d92053bfc8e468a8b371765324e0c61e04957bfe
Instruction ID: 688205dc393a152d8d147cdf6479996cf7dae72aec58e4f7c40bf5486c32fec1
Opcode Fuzzy Hash: 5998e946edf44e6405ff81e1d92053bfc8e468a8b371765324e0c61e04957bfe
Instruction Fuzzy Hash: DE21057220461166D331BB259C22FFBB398AF95310F14842AF9C9971C3EBE2AD42D3D5

Function 001337B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00133840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00133850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00133876

Strings

Listbox, xrefs: 0013380F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 4c18530e6d3cc6f2d8452cf7ece59fc018b2406f9d77682afd148d1ccfe24a04
Instruction ID: f1261bd63f1e919c923e3389f1eb658fe0a3450c7f0e51540610a647ddbfc315
Opcode Fuzzy Hash: 4c18530e6d3cc6f2d8452cf7ece59fc018b2406f9d77682afd148d1ccfe24a04
Instruction Fuzzy Hash: AA218E72610218BBEF218F54DC85FAB376AEF89764F118224F9149B190C772DC5287A4

Function 0010223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00102258

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0010228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001022CA

Strings

@U=u, xrefs: 00102258, 0010228A, 001022CA

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 3c783dae21c105970703b7df0ed1897b1da6cdb6b362c5dcb9a88a9ad8af1651
Instruction ID: 8bc5a50f0641750cd2ab86b3acc87414e5b561747d3defb7ba83ee5518dce762
Opcode Fuzzy Hash: 3c783dae21c105970703b7df0ed1897b1da6cdb6b362c5dcb9a88a9ad8af1651
Instruction Fuzzy Hash: 7221F631700304ABDB10ABA48D8EFEE3BA8EF59710F045024FA45EB2C1DBB4D94587A1

Function 001149F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00114A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00114A5C
SetErrorMode.KERNEL32(00000000,?,?,0013CC08), ref: 00114AD0

Strings

%lu, xrefs: 00114A6F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 722b3b0ea920dc42f2ce2cb09443b987efc96631b4c9a51b314abc3a12b3b601
Instruction ID: 6c301a55250d809846b7f1c5bc794a349afac3522149db824e73bf1ec14a7968
Opcode Fuzzy Hash: 722b3b0ea920dc42f2ce2cb09443b987efc96631b4c9a51b314abc3a12b3b601
Instruction Fuzzy Hash: D3317375A00109AFDB10DF54C885EEA7BF8EF05318F1480A5F509EB252D771ED45CBA1

Function 00101B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00101B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00101B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00101B99

Strings

@U=u, xrefs: 00101B99

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d4331bd6029c141768dbc35d047ef158c54cc895ae1ba9e97f3224c2dea576b6
Instruction ID: b746f91ad8b77a97ea3751ba8eac3564f40238d214997b8297de440125bdbfcb
Opcode Fuzzy Hash: d4331bd6029c141768dbc35d047ef158c54cc895ae1ba9e97f3224c2dea576b6
Instruction Fuzzy Hash: B8219072600119BFDB15DBA8C942DFEB7FAEF44340F10046AE145E3290EBB1AE408BA4

Function 00120CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00120D24
SendMessageW.USER32(0000000C,00000000,?), ref: 00120D65
SendMessageW.USER32(0000000C,00000000,?), ref: 00120D8D

Strings

@U=u, xrefs: 00120D24, 00120D65, 00120D8D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: aac45247acfe9267682dcff73c8a491c0b4cf0150fbdc14f47522e6f4ae07b41
Instruction ID: e42e0526b09d5672a9c254e18aa3206f139ce316f43e8d3f99a91cb641a9be89
Opcode Fuzzy Hash: aac45247acfe9267682dcff73c8a491c0b4cf0150fbdc14f47522e6f4ae07b41
Instruction Fuzzy Hash: C3214D75600914AFD711EBA8ED91EAAB7F6FF0A310B408555F9099BA72C770FC90CB90

Function 001341EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0013424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00134264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00134271

Strings

msctls_trackbar32, xrefs: 00134226

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 456cafb93c10b776d08ff50719a63e18fce0c09efc821c9e1dbebd6d29000158
Instruction ID: 2b99d3092693c29edb3a234f6cdac88f5e53cfb031e6b35ef3a5fd8cf5e28392
Opcode Fuzzy Hash: 456cafb93c10b776d08ff50719a63e18fce0c09efc821c9e1dbebd6d29000158
Instruction Fuzzy Hash: E611E371240208BFEF205F69DC06FAB3BACEF95B54F010114FA55E20A0D371E8519B10

Function 00102F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Part of subcall function 00102DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00102DC5
Part of subcall function 00102DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00102DD6
Part of subcall function 00102DA7: GetCurrentThreadId.KERNEL32 ref: 00102DDD
Part of subcall function 00102DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00102DE4

GetFocus.USER32 ref: 00102F78

Part of subcall function 00102DEE: GetParent.USER32(00000000), ref: 00102DF9

GetClassNameW.USER32(?,?,00000100), ref: 00102FC3
EnumChildWindows.USER32(?,0010303B), ref: 00102FEB

Strings

%s%d, xrefs: 00102FFF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: d5f142b40108d42dd4fea8fa58af7df47cce57128e0ef18be9a83da6c123b964
Instruction ID: f89f7f1a952425f14b1f4f2311766c04f25626c0792db2caedf00c9d46e2640a
Opcode Fuzzy Hash: d5f142b40108d42dd4fea8fa58af7df47cce57128e0ef18be9a83da6c123b964
Instruction Fuzzy Hash: 0611B4B17002056BCF157FB08C8AEEE776EAF95304F048075F95AAB292DFB199458B70

Function 00136181 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001361FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00136225

Strings

8V, xrefs: 001361A2
@U=u, xrefs: 001361FC, 00136225

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: 8V$@U=u
API String ID: 3850602802-1020947142
Opcode ID: b3499eb8b2185f4c0e4223d3eeed9bf0b93871eae5fbe6287605e1a84c9df404
Instruction ID: a8b69f76837af62a18333500996daf8f6732c8e3281ab3621a067eb05b59525c
Opcode Fuzzy Hash: b3499eb8b2185f4c0e4223d3eeed9bf0b93871eae5fbe6287605e1a84c9df404
Instruction Fuzzy Hash: 8911E371140214BFEF148FA8CC1AFFB3BA5EB0A314F128115FA16AA1E1D3B0DA40DB60

Function 00133429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001334AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001334BA

Strings

edit, xrefs: 0013348F
@U=u, xrefs: 001334BA

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 59c8c3f898439c5f963685bb39835a94fcb5d560d7e9775b6be2096b2f1c1eb5
Instruction ID: 862b6822250d8d3a7304843857c5e09d8c1dbd31d628ca5dcf5ec3a6aa5803ce
Opcode Fuzzy Hash: 59c8c3f898439c5f963685bb39835a94fcb5d560d7e9775b6be2096b2f1c1eb5
Instruction Fuzzy Hash: 27118C71100208AFEB228F68DC44AEB376AEB15378F514324F975A31E0C771DC919B68

Function 00134F80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00134FCC

Strings

8V, xrefs: 00134FA1
@U=u, xrefs: 00134FCC, 00135008

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: 8V$@U=u
API String ID: 3850602802-1020947142
Opcode ID: 48c0ff148cef4975635748c527c59534eab377c3a3d7eb0c0d6fb757f9f73847
Instruction ID: 319c9253dfa0f4b208acc9779cdc165015ec6b5e2f8d9af9d30d63394fa6ff71
Opcode Fuzzy Hash: 48c0ff148cef4975635748c527c59534eab377c3a3d7eb0c0d6fb757f9f73847
Instruction Fuzzy Hash: A921E779610119EFCB19CFA8C9408EA7BBAFB4D344B004154FD05A7310D731EE51DB90

Function 00101BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 00103CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00103CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00101C46

Strings

ListBox, xrefs: 00101C10
ComboBox, xrefs: 00101BE5
@U=u, xrefs: 00101C46

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 8a9402686631f5bc834bfd4f85cf1139911909c20045134a202aa5c6bac61804
Instruction ID: dfb3f59d7af2d16dd5374e32691088ad3671f0957a03ad39fc51b050fb6f4e35
Opcode Fuzzy Hash: 8a9402686631f5bc834bfd4f85cf1139911909c20045134a202aa5c6bac61804
Instruction Fuzzy Hash: C901847578110476DB08EB90CA529FF77A99B12380F140019A456772C2EF649A5886B1

Function 00101C5C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

Part of subcall function 00103CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00103CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00101CC8

Strings

ListBox, xrefs: 00101C94
ComboBox, xrefs: 00101C69
@U=u, xrefs: 00101CC8

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 2e7d4b5fea9dc553308ce8f093f66b63b5a03051d5c8e6028b6a617a1526c290
Instruction ID: 85ccb5d6f13ab7480ad8532b337445e82717edac72eceb589e0eecd088dc3185
Opcode Fuzzy Hash: 2e7d4b5fea9dc553308ce8f093f66b63b5a03051d5c8e6028b6a617a1526c290
Instruction Fuzzy Hash: 230162B578111877EB14EBA4CB12AFE77AD9B12380F540015B842B32C2EBA5DF19C671

Function 00135882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001358C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001358EE
DrawMenuBar.USER32(?), ref: 001358FD

Strings

0, xrefs: 0013588F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 66ef8d22a231055b11557c33f546190ba0422cf55a5e9192c19caee53b252d29
Instruction ID: cc513d5c4589d66f898bf9883adda3df0172d02e7b7c5b5331f3dba619bb0a5f
Opcode Fuzzy Hash: 66ef8d22a231055b11557c33f546190ba0422cf55a5e9192c19caee53b252d29
Instruction Fuzzy Hash: F2018031600218EFDB219F11DC44BEEBBB5FF45764F108099E849E6151DB308A94DF71

Function 001390A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,000F769C,?,?,?), ref: 00139111

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 001390F7

Strings

8V, xrefs: 001390D6
@U=u, xrefs: 001390F7

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: 8V$@U=u
API String ID: 982171247-1020947142
Opcode ID: 4566e14c6ab47f7bf153e84295b3755413c985dc6b51afd210d8c6385de8bd63
Instruction ID: 40c4521f4bf3bdbf4e2c7db43cba564cf176ca01260262defec111f02e1d0d69
Opcode Fuzzy Hash: 4566e14c6ab47f7bf153e84295b3755413c985dc6b51afd210d8c6385de8bd63
Instruction Fuzzy Hash: FD01BC31200204BBDB259F18DC49EA63BB6FB86375F100028FA552A6E1CBB26882DB50

Function 0010007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fff3a1674316ccd41b81010c8fbb3339a3c7986b80c6aa685646cfe187bc3d9
Instruction ID: 96e544a2d680d1dcfb9a581a391b8bd7509bc12be4c672817bdc1ac291a40f0f
Opcode Fuzzy Hash: 1fff3a1674316ccd41b81010c8fbb3339a3c7986b80c6aa685646cfe187bc3d9
Instruction Fuzzy Hash: B4C13875A0020AEFDB16CFA4C894BAEB7B5FF48304F118598E545EB291D771EE81CB90

Function 0012342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00123459
CoUninitialize.OLE32 ref: 00123463
VariantInit.OLEAUT32(?), ref: 0012346E
VariantClear.OLEAUT32(?), ref: 0012371B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 23c06740b2df04a83440b6c3503e9529e40c5889652c9022fb61842fbbfc3d3d
Instruction ID: 58605956b33cf638d9f7a34b6b3c08ffdb59750dc1eb696d4ea2dc8f2db8fb18
Opcode Fuzzy Hash: 23c06740b2df04a83440b6c3503e9529e40c5889652c9022fb61842fbbfc3d3d
Instruction Fuzzy Hash: 04A19B756047109FCB00EF68D885A6AB7E5FF89310F04885DF99A9B362DB74EE01CB91

Function 00100436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0013FC08,?), ref: 001005F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0013FC08,?), ref: 00100608
CLSIDFromProgID.OLE32(?,?,00000000,0013CC40,000000FF,?,00000000,00000800,00000000,?,0013FC08,?), ref: 0010062D
_memcmp.LIBVCRUNTIME ref: 0010064E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: f793697a1ea756d06e8c65318cf07185bb74b030bb872b88f3e5cf7c3039b966
Instruction ID: 33d5f51712e0c0d90dc0ccd20c2b9cdeaca6f686d6c42650744de4185d4d66ac
Opcode Fuzzy Hash: f793697a1ea756d06e8c65318cf07185bb74b030bb872b88f3e5cf7c3039b966
Instruction Fuzzy Hash: 9C811A71A00109EFCB05DF94C984EEEB7B9FF89315F204598E546EB290DB71AE46CB60

Function 000E1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 000E14C0

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cfdd6106b521b17e8a165fdc99d810bd20e307e55b1595c8091cda96bd416c7b
Instruction ID: 077857b7e786818166a4bf87062860bcc9920cab47f207c32f104f784895f4c5
Opcode Fuzzy Hash: cfdd6106b521b17e8a165fdc99d810bd20e307e55b1595c8091cda96bd416c7b
Instruction Fuzzy Hash: 5E414D71600651AFDB256BBA8C45FFE3AE5EF41330F14022AF419F63D3E63489419272

Function 00121AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00121AFD
WSAGetLastError.WSOCK32 ref: 00121B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00121B8A
WSAGetLastError.WSOCK32 ref: 00121B94

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ab50ecaf0392b12064504e26510a85b8de98fcdcb265f050b7591f57b3a499f7
Instruction ID: 39436a7785e49ddde230a1ffc981c519a8cc5a9203ea9a93f309396d5875d056
Opcode Fuzzy Hash: ab50ecaf0392b12064504e26510a85b8de98fcdcb265f050b7591f57b3a499f7
Instruction Fuzzy Hash: 1E41E074600200AFE720EF20D886FAA77F5AB45718F548498F91A9F3D3D772ED418B90

Function 000DB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024c6d88904dd7973ebe2624f2e17896c3cfaff6b4697010d1cc0e77062e4b14
Instruction ID: aa673ad26813d7d76c3d9634af46d1e6c5301a168ede8fddb31a50871f0cddbd
Opcode Fuzzy Hash: 024c6d88904dd7973ebe2624f2e17896c3cfaff6b4697010d1cc0e77062e4b14
Instruction Fuzzy Hash: 5541AF75A00744EFD724EF78C841BAEBBE9EB88710F11452FF5519B392D77199018BA0

Function 001156D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00115783
GetLastError.KERNEL32(?,00000000), ref: 001157A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001157CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001157FA

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 36ddc5b3d09fec3c2b89ecf480d7b4985af7094cb5c70a0d0e1dbb7f6be52c2a
Instruction ID: 43fb0b098149c1a9879e9c936973ce291ffb6c849a7f6bf69ace3edce9dae400
Opcode Fuzzy Hash: 36ddc5b3d09fec3c2b89ecf480d7b4985af7094cb5c70a0d0e1dbb7f6be52c2a
Instruction Fuzzy Hash: 28411039600A10DFCB15EF65C545A9EBBE2EF89310F59C498E84A6B362CB74FD40CB91

Function 000DD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,000C6D71,00000000,00000000,000C82D9,?,000C82D9,?,00000001,000C6D71,8BE85006,00000001,000C82D9,000C82D9), ref: 000DD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000DD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 000DD9AB
__freea.LIBCMT ref: 000DD9B4

Part of subcall function 000D3820: RtlAllocateHeap.NTDLL(00000000,?,00171444,?,000BFDF5,?,?,000AA976,00000010,00171440,000A13FC,?,000A13C6,?,000A1129), ref: 000D3852

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: fdbad9e0edf8f34a3f5b05560dc7c088e3f44daa4d445b75d108b17b3b412931
Instruction ID: df1c12e02f83e74194d9dd8eb3f599d269fbcc83f2d09510c934e3cbb5e6b2e8
Opcode Fuzzy Hash: fdbad9e0edf8f34a3f5b05560dc7c088e3f44daa4d445b75d108b17b3b412931
Instruction Fuzzy Hash: 4E31AE72A0030AABDB259F65DC91EEEBBA5EB40310B05416AFC04D6251EB36DD50DBA0

Function 0010AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 0010ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0010AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0010AC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 0010ACC6

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b57291981f44831609d2123f8f1af0e3255498f44254df17a133d0eb27415a44
Instruction ID: 72bf50a1c92253f332ab936f1c301e425beb099fc1d2213cf87c21fe07f32127
Opcode Fuzzy Hash: b57291981f44831609d2123f8f1af0e3255498f44254df17a133d0eb27415a44
Instruction Fuzzy Hash: F9314630A04718AFFF35CB64CD097FE7BA5AF89310F85431AE4C5962D1C3B499858792

Function 001316DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001316EB

Part of subcall function 00103A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00103A57
Part of subcall function 00103A3D: GetCurrentThreadId.KERNEL32 ref: 00103A5E
Part of subcall function 00103A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,001025B3), ref: 00103A65

GetCaretPos.USER32(?), ref: 001316FF
ClientToScreen.USER32(00000000,?), ref: 0013174C
GetForegroundWindow.USER32 ref: 00131752

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 30ebcf6cd7e9c1acd5137b0bfd3b81d8fe427eab8bc012c78012f7decfeeaacc
Instruction ID: bf3cc05da811949e1014022267dd91eea6a338cf224a282e5512e3fd1a775806
Opcode Fuzzy Hash: 30ebcf6cd7e9c1acd5137b0bfd3b81d8fe427eab8bc012c78012f7decfeeaacc
Instruction Fuzzy Hash: 76315071E00149AFDB04EFA9C881CEEBBFDEF49304B5480A9E415E7212D7319E45CBA0

Function 0010D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0010D501
Process32FirstW.KERNEL32(00000000,?), ref: 0010D50F
Process32NextW.KERNEL32(00000000,?), ref: 0010D52F
CloseHandle.KERNEL32(00000000), ref: 0010D5DC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 667b65ce733ff889000c19358a455a5d47eb128aa42a678e1bc4d44555262b43
Instruction ID: 7d09ac40e55401f9fdd3ed9bb157ae130461bf53055fbd0143e2d0ca8d8b0ad4
Opcode Fuzzy Hash: 667b65ce733ff889000c19358a455a5d47eb128aa42a678e1bc4d44555262b43
Instruction Fuzzy Hash: E031A2711083019FD300EF94DC81AAFBBF8EF9A354F54092DF581961E2EBB19949CB92

Function 0010D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0013CB68), ref: 0010D2FB
GetLastError.KERNEL32 ref: 0010D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0010D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0013CB68), ref: 0010D376

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: feaec88124c082e6dcaf17cb2e77d761959f572555bbcd402980da5b8a8a12e7
Instruction ID: a72f1e53d8c3593e04007295d3f6f32981371a28562341e7b91ee07a360bf0bf
Opcode Fuzzy Hash: feaec88124c082e6dcaf17cb2e77d761959f572555bbcd402980da5b8a8a12e7
Instruction Fuzzy Hash: 3F218DB05083019FC710DFA8D8818AAB7E4BF56364F504A1DF499DB2E2DB70D946CB93

Function 00101571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00101014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0010102A
Part of subcall function 00101014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00101036
Part of subcall function 00101014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00101045
Part of subcall function 00101014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0010104C
Part of subcall function 00101014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00101062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 001015BE
_memcmp.LIBVCRUNTIME ref: 001015E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00101617
HeapFree.KERNEL32(00000000), ref: 0010161E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f551aa24ee83db5457eac327b728b2d1b85afe43d5eadd5215af4f4802e331e1
Instruction ID: 8cebf00b8fd164246177b0849d374b9e7270d43ac8ab044db30d4aaf8b40f7f3
Opcode Fuzzy Hash: f551aa24ee83db5457eac327b728b2d1b85afe43d5eadd5215af4f4802e331e1
Instruction Fuzzy Hash: 84217A31E00108FFDB14DFA4CD45BEEB7B8EF45344F084459E481AB281E7B5AA45DBA0

Function 00132782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0013280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00132824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00132832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00132840

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 63ab4741d6ca7c2951e500c34276d1a48180ec3a7a8d0f65a68ba478b524205a
Instruction ID: 128e79fa7c244c935962684c4a768e7e4141071b0abd7b245c64e611cd0f07d9
Opcode Fuzzy Hash: 63ab4741d6ca7c2951e500c34276d1a48180ec3a7a8d0f65a68ba478b524205a
Instruction Fuzzy Hash: 8A21D031304511AFD714AB24C855FAA7B95BF96324F148158F42A8B6E2CB71FC82CBD0

Function 001078F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00108D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0010790A,?,000000FF,?,00108754,00000000,?,0000001C,?,?), ref: 00108D8C
Part of subcall function 00108D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00108DB2
Part of subcall function 00108D7D: lstrcmpiW.KERNEL32(00000000,?,0010790A,?,000000FF,?,00108754,00000000,?,0000001C,?,?), ref: 00108DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00108754,00000000,?,0000001C,?,?,00000000), ref: 00107923
lstrcpyW.KERNEL32(00000000,?), ref: 00107949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00108754,00000000,?,0000001C,?,?,00000000), ref: 00107984

Strings

cdecl, xrefs: 0010797B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c425ce0f7701b66fb93d570d5706e66411e938cee50383b82fea7845f4134b73
Instruction ID: 5907ad5d34dbf5b0f9cc2bce89558c996b09a4951e5afd323b99da2e4e0433c0
Opcode Fuzzy Hash: c425ce0f7701b66fb93d570d5706e66411e938cee50383b82fea7845f4134b73
Instruction Fuzzy Hash: 6911293A204342ABCB156F34CC45D7A77A5FF45364B00402AF882C72E4EF71D811D7A1

Function 00101A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00101A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00101A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00101A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00101A8A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 92dad9a03b47db2d09480b5707e6abd2be9a824ebd296f3707149b273a7ac1d6
Instruction ID: ab2720e67c8dcdd520cf10a30bfea9f4364fe29d1c705be1d7be754d6c114e36
Opcode Fuzzy Hash: 92dad9a03b47db2d09480b5707e6abd2be9a824ebd296f3707149b273a7ac1d6
Instruction Fuzzy Hash: 1711273AA01219FFEB109BA4CD85FADBB79FB08750F200091EA00B7290D7B16E50DB94

Function 0010E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0010E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0010E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0010E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0010E24D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 7122d537ba49e07fc8038ba4d2c902a29d05798893bc5c2b7778afa67c607deb
Instruction ID: 35b9650919f5fb094e86fac97128f8949ae4b50af176eeb05dc92be42a54a07f
Opcode Fuzzy Hash: 7122d537ba49e07fc8038ba4d2c902a29d05798893bc5c2b7778afa67c607deb
Instruction Fuzzy Hash: 9A110476904214BBC7019BACAC09A9F7FADAB45324F004629F828E36D1D3B0C9808BA0

Function 000CD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,000CCFF9,00000000,00000004,00000000), ref: 000CD218
GetLastError.KERNEL32 ref: 000CD224
__dosmaperr.LIBCMT ref: 000CD22B
ResumeThread.KERNEL32(00000000), ref: 000CD249

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 253960b3b9b93ae7f46879bff7407cbc7b7ebff107455bb3d2d5f864801b59e6
Instruction ID: 240767ca1498ced2c8899cfba3cc2ed04bcb5105b1fc311fa84fb5b2e139e90b
Opcode Fuzzy Hash: 253960b3b9b93ae7f46879bff7407cbc7b7ebff107455bb3d2d5f864801b59e6
Instruction Fuzzy Hash: 0B01D276805204BBDB215BA5DC09FEE7AADEF91330F20022EF925961E1CB70C941D7A1

Function 000C3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 000C3B56

Part of subcall function 000C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 000C3AD2
Part of subcall function 000C3AA3: ___AdjustPointer.LIBCMT ref: 000C3AED

_UnwindNestedFrames.LIBCMT ref: 000C3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 000C3B7C
CallCatchBlock.LIBVCRUNTIME ref: 000C3BA4

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 9328fe6b1e6bb74c08b74113cc2566f346110a4cbbe64037f6b583c0ca7dd5f7
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: EF01C532100149BBDF125F95CC46EEF7BA9EF58754F048018FE4856122C736E961ABA0

Function 000D3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,000A13C6,00000000,00000000,?,000D301A,000A13C6,00000000,00000000,00000000,?,000D328B,00000006,FlsSetValue), ref: 000D30A5
GetLastError.KERNEL32(?,000D301A,000A13C6,00000000,00000000,00000000,?,000D328B,00000006,FlsSetValue,00142290,FlsSetValue,00000000,00000364,?,000D2E46), ref: 000D30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,000D301A,000A13C6,00000000,00000000,00000000,?,000D328B,00000006,FlsSetValue,00142290,FlsSetValue,00000000), ref: 000D30BF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 989163d035e3d542f6b4d9859e6d36d37f7e9f1a864a7fa135906e4d6623a3f2
Instruction ID: 5f0e910354f85a67ff5f1056d3e34cd7d1cf8257d0a8a84fb9de961bc3cb61ba
Opcode Fuzzy Hash: 989163d035e3d542f6b4d9859e6d36d37f7e9f1a864a7fa135906e4d6623a3f2
Instruction Fuzzy Hash: CA01D432301322ABCB314AB8AC54A577F98AF05B61B140621F905F3740C721D981C7F1

Function 00107464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0010747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00107497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 001074AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 001074CA

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 65c71bd88573036e21875c51781eac8d66b281d4f9de371eef64021c5b05f51d
Instruction ID: 9e1de0dcfb0a3140d9226e5d6f8780fe1cfd0347705d1e3376a03db360f249ed
Opcode Fuzzy Hash: 65c71bd88573036e21875c51781eac8d66b281d4f9de371eef64021c5b05f51d
Instruction Fuzzy Hash: E8116DB5A09315ABE7208F14EC09BA27BFCEB00B04F108569A696E65D1D7B0F944DBA0

Function 0010B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0010ACD3,?,00008000), ref: 0010B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0010ACD3,?,00008000), ref: 0010B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0010ACD3,?,00008000), ref: 0010B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0010ACD3,?,00008000), ref: 0010B126

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: db0f5b2ba369a20fcf9cded8a8a82e887912fda200de65d33bf5df0bb76318ee
Instruction ID: e2b0dcce98dfd3819884b4c1c263863398a6eb5a77d9581e52d2b7c40c60c2b9
Opcode Fuzzy Hash: db0f5b2ba369a20fcf9cded8a8a82e887912fda200de65d33bf5df0bb76318ee
Instruction Fuzzy Hash: 26116D71C0552CEBCF04AFE4E9A8AEEBB78FF09711F114085E981B2185CBB056A09B91

Function 00102DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00102DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00102DD6
GetCurrentThreadId.KERNEL32 ref: 00102DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00102DE4

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 23a6b86cc74c4a33f2a5087bbd1dbad8d8697d2d1797479fd94edc99fe5d195e
Instruction ID: e360e28f9c268a567858804e61057e09a14136e76ad021d91c633af9c7c8f669
Opcode Fuzzy Hash: 23a6b86cc74c4a33f2a5087bbd1dbad8d8697d2d1797479fd94edc99fe5d195e
Instruction Fuzzy Hash: 61E0EDB1501624BADB202BA29C0EEEB7E6CEB56BA1F400115F505E15909AA5C981D7F1

Function 00138863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 000B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 000B9693
Part of subcall function 000B9639: SelectObject.GDI32(?,00000000), ref: 000B96A2
Part of subcall function 000B9639: BeginPath.GDI32(?), ref: 000B96B9
Part of subcall function 000B9639: SelectObject.GDI32(?,00000000), ref: 000B96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00138887
LineTo.GDI32(?,?,?), ref: 00138894
EndPath.GDI32(?), ref: 001388A4
StrokePath.GDI32(?), ref: 001388B2

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 93afa9712a4c6ef4b467ee43d0e86029c43032a1f25a7efc94d65e37fd286c6c
Instruction ID: c08bcb6b6362ca3f7aee49acc89dd5afdc8868ab158bc051e5652c73adfdbef8
Opcode Fuzzy Hash: 93afa9712a4c6ef4b467ee43d0e86029c43032a1f25a7efc94d65e37fd286c6c
Instruction Fuzzy Hash: 6BF05E3A045658FADB125F98AC09FCE3F69AF06310F048040FB16754E2C7755591DFE9

Function 000B98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 000B98CC
SetTextColor.GDI32(?,?), ref: 000B98D6
SetBkMode.GDI32(?,00000001), ref: 000B98E9
GetStockObject.GDI32(00000005), ref: 000B98F1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 598072ce3154aabdf4e8ecdb688d644d4ff760695dbc52c54649805755cdf758
Instruction ID: 42433165f7371066ba8e52641fbffd5c3b9e99d00f57d43c6e8b6d48e22d72a4
Opcode Fuzzy Hash: 598072ce3154aabdf4e8ecdb688d644d4ff760695dbc52c54649805755cdf758
Instruction Fuzzy Hash: 4AE09B31244644EEDF615B78FC09BE83F51EB51335F048219F7F9644E1C3714680AB11

Function 0010162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00101634
OpenThreadToken.ADVAPI32(00000000,?,?,?,001011D9), ref: 0010163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,001011D9), ref: 00101648
OpenProcessToken.ADVAPI32(00000000,?,?,?,001011D9), ref: 0010164F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1426ae9ba45a1b608d270e82be156d82652f69d4219061fd8fb5d69005e25f40
Instruction ID: 404aeca85df1df49b15dfa27a1fc23e3a1146e0b1403fd8441a7648f915e8650
Opcode Fuzzy Hash: 1426ae9ba45a1b608d270e82be156d82652f69d4219061fd8fb5d69005e25f40
Instruction Fuzzy Hash: 1EE08636601211EBD7201FA09D0DB873B7CAF54791F144808F285E9080D7B88484C790

Function 000FD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000FD858
GetDC.USER32(00000000), ref: 000FD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000FD882
ReleaseDC.USER32(?), ref: 000FD8A3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 03c980cd22ca90af33434387255933e83e5b3a4ea11210fdf45323ab459d11c5
Instruction ID: 0473f812aa00620f719f1d3655a1c6a040edb080c3b294184eb5375a4bef678a
Opcode Fuzzy Hash: 03c980cd22ca90af33434387255933e83e5b3a4ea11210fdf45323ab459d11c5
Instruction Fuzzy Hash: 7BE01AB5800204DFCB51AFA0D80DA6DBBB2FB08310F208019F846F7760CB388981AF80

Function 000FD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000FD86C
GetDC.USER32(00000000), ref: 000FD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 000FD882
ReleaseDC.USER32(?), ref: 000FD8A3

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 1b69cf8b4fbfe2734026c6a778e8b8e06bb695495ba4443fad3922051fdeaa54
Instruction ID: 1475d017fa3cdc959bdcddc81594fb494f9e30f180a5414136edafc763fe56a5
Opcode Fuzzy Hash: 1b69cf8b4fbfe2734026c6a778e8b8e06bb695495ba4443fad3922051fdeaa54
Instruction Fuzzy Hash: BCE092B5800604EFCB51AFA0D84DAADBBB5BB08311F148459F94AF7760DB389981AF90

Function 00114D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 000A7620: _wcslen.LIBCMT ref: 000A7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00114ED4

Strings

*, xrefs: 00114E10
LPT, xrefs: 00114DFB

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 9364a1102510689fdb46b4ab52b9162852f7783b6502564ff1bc394e2bb0b07f
Instruction ID: 0fba50a4f5031d872d4380f9288d07b46e63030bb9e54c49754e8b75768c5fb0
Opcode Fuzzy Hash: 9364a1102510689fdb46b4ab52b9162852f7783b6502564ff1bc394e2bb0b07f
Instruction Fuzzy Hash: 41916175A002059FCB18DF58C484EE9BBF1BF45704F1980A9E40A9F3A2D775ED86CB91

Function 000CE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 000CE30D

Strings

pow, xrefs: 000CE2E5, 000CE302

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d2e6221bad36165219cd0a51edeb9f7370e6f936efaa3116225750baff104d09
Instruction ID: 6ac2ef515cc31e2591d7c3b17ab879fb474174c3cef63a85a1aad6beae0429dc
Opcode Fuzzy Hash: d2e6221bad36165219cd0a51edeb9f7370e6f936efaa3116225750baff104d09
Instruction Fuzzy Hash: EC515B61A0C34296CB657714C905BBD3BE4AF50740F744DAEF09A423FAFB348CC59A56

Function 000BE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 000BE1B1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 780bf97e986c8d8e380c03c1dbb182d0a9eabb61ff2cd9967399ebb9eadea916
Instruction ID: 213defc3ca08a82861b16ada66b898db5e216cd7a64d28bac871c6cdac46bd4e
Opcode Fuzzy Hash: 780bf97e986c8d8e380c03c1dbb182d0a9eabb61ff2cd9967399ebb9eadea916
Instruction Fuzzy Hash: 645144355083CADFDB25EF68C0816FE7BE4EF16310F244065E9919B6E1DA349D42DB90

Function 000BF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 000BF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 000BF2BB

Strings

@, xrefs: 000BF2AF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3a3476734ab4f1a4e2e647bf463601e7ac33b54724698f4d0175ba159a73ad1e
Instruction ID: a742df884f157feb76c12f1fbaa01094e495f4f339b6cc61134248f9f098dba9
Opcode Fuzzy Hash: 3a3476734ab4f1a4e2e647bf463601e7ac33b54724698f4d0175ba159a73ad1e
Instruction Fuzzy Hash: 82512571408744AFE320AF50DC86BABBBF8FB85340F81885DF199411A6EB718569CB66

Function 00102999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001029EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 00102A8D

Part of subcall function 00102C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00102CE0

Strings

@U=u, xrefs: 001029EB, 00102A8D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a130e32041198f91a0a8048c601eb66d9f2275aadfd45e8601bdf04e7619811b
Instruction ID: 3d194a25bf51cfcb1ce34b35051d0ebb9a46ebe84b4e8b8a6c1ee26c5a87d83d
Opcode Fuzzy Hash: a130e32041198f91a0a8048c601eb66d9f2275aadfd45e8601bdf04e7619811b
Instruction Fuzzy Hash: 39418371A00209ABDF25DF94CC49BEE7BB9EF45750F040029F946A32D2DBB49A45CBA1

Function 00125745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 001257E0
_wcslen.LIBCMT ref: 001257EC

Strings

CALLARGARRAY, xrefs: 001257E6, 001257EB

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 587a8ae43b1f0541ecdd49791545955586ae3cd581d06a9fe01624cf6490e014
Instruction ID: 58bc4d9c12a61043937940ea352780f95d53a0bb1d53299795ddc73c80bd857a
Opcode Fuzzy Hash: 587a8ae43b1f0541ecdd49791545955586ae3cd581d06a9fe01624cf6490e014
Instruction Fuzzy Hash: 5E41B371E001199FCB04DFA9D8819FEBBF6FF59324F104029E505A7292D7B49D91CB90

Function 0011D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0011D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0011D13A

Strings

|, xrefs: 0011D10B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2f035c6f19cb639ce5303909f1896f2322a624989685f7291063d8b038024ec2
Instruction ID: bd9e987faadc7402bc5fceffa4d987f4366a18b4260cc0da74230057befbd94f
Opcode Fuzzy Hash: 2f035c6f19cb639ce5303909f1896f2322a624989685f7291063d8b038024ec2
Instruction Fuzzy Hash: 69312C71D00219ABCF15EFE4DC85AEEBFB9FF05300F000069F815A6162DB35AA46CB60

Function 0013356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00133621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0013365C

Strings

static, xrefs: 001335BC

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bc2886f5cd8d870dfb425c28e9a2b7303985a95fe580b88fe9840d769198e196
Instruction ID: ee36da140f5e07b0fa46c5c08abf0e5a2c008d590e2039c241a59ef7feac511f
Opcode Fuzzy Hash: bc2886f5cd8d870dfb425c28e9a2b7303985a95fe580b88fe9840d769198e196
Instruction Fuzzy Hash: 84319CB1110204AEEB209F68DC81EFB73A9FF88760F009619F8A5D7290DB31ED91D764

Function 000A3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 000E33A2

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 000A3A04

Strings

Line: , xrefs: 000E33EB

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 40451a23e9c9a949e41abb279ae530345a979965ee6dc03d25629b0ae4693b65
Instruction ID: 86a0c20004e8127252be51c17d1bdbcbfc61b78e6ac2b2cf81001f15c2424321
Opcode Fuzzy Hash: 40451a23e9c9a949e41abb279ae530345a979965ee6dc03d25629b0ae4693b65
Instruction Fuzzy Hash: 8A31C271408304AEC721EBA4DC46FEFB7E8AB42720F00492EF59993492DB709788C7D2

Function 0010286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00102884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001028B6

Strings

@U=u, xrefs: 00102884, 001028B6

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c7c8a0127e90a7561515782b572d2cd202d67825c99e92a47ea98a8e68d1b33c
Instruction ID: 3676c815d9c8203727476900dfaf73c7a94212f02f97325f9bcd1d4557accd45
Opcode Fuzzy Hash: c7c8a0127e90a7561515782b572d2cd202d67825c99e92a47ea98a8e68d1b33c
Instruction Fuzzy Hash: C7213736E00224ABCB11AF94C885DFFB7B9EF99710F10401AF945A72C1EBB49C41C7A0

Function 000B97C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 000B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 000B9BB2

Part of subcall function 000B9944: GetWindowLongW.USER32(?,000000EB), ref: 000B9952

GetParent.USER32(?), ref: 000F73A3
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 000F742D

Strings

8V, xrefs: 000B980F, 000F73D2, 000F73F9

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: 8V
API String ID: 2181805148-3441868543
Opcode ID: c5f4282545984d9f48d8e3f49702fca80083cb1873c8a5969244355739b5597d
Instruction ID: a3544e29d947223414142e05a74cafcdad62fd2332b1a4e66e9ecd701b009ba7
Opcode Fuzzy Hash: c5f4282545984d9f48d8e3f49702fca80083cb1873c8a5969244355739b5597d
Instruction Fuzzy Hash: D321AB30604108BFCB259F28C859DF93BE6EF4A360F044255FB295B6A2CB309E91EB51

Function 00103BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00103D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00103D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00103C23
_strlen.LIBCMT ref: 00103C2E

Strings

@U=u, xrefs: 00103C23

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: d728f62486a04569cba3c2996ae6cb05a7e6d028567025627eeaf35a871b17d2
Instruction ID: fb131d34297d2a8c17d5cebd9942b65997e5bb0021c1b3f4b94d961a8f0584dd
Opcode Fuzzy Hash: d728f62486a04569cba3c2996ae6cb05a7e6d028567025627eeaf35a871b17d2
Instruction Fuzzy Hash: 3A110D3170011527DB296AB899929FE776C9F56B40F10003EF592EB2D3DFA1DE4287E4

Function 0013336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010ED19: GetLocalTime.KERNEL32 ref: 0010ED2A
Part of subcall function 0010ED19: _wcslen.LIBCMT ref: 0010ED3B
Part of subcall function 0010ED19: _wcslen.LIBCMT ref: 0010ED79
Part of subcall function 0010ED19: _wcslen.LIBCMT ref: 0010EDAF
Part of subcall function 0010ED19: _wcslen.LIBCMT ref: 0010EDDF
Part of subcall function 0010ED19: _wcslen.LIBCMT ref: 0010EDEF
Part of subcall function 0010ED19: _wcslen.LIBCMT ref: 0010EE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 0013340A

Strings

SysDateTimePick32, xrefs: 001333C7
@U=u, xrefs: 0013340A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: c5d26ebb5710d5dc802bed66146eb9571dfb32dee234d069de3e5bb60c4222ee
Instruction ID: fb1c1dad599af391ab7456844b750c78693b90029ba6e53c7f23360d62e5dc22
Opcode Fuzzy Hash: c5d26ebb5710d5dc802bed66146eb9571dfb32dee234d069de3e5bb60c4222ee
Instruction Fuzzy Hash: 2221E1323402096BEF229E54DC82FEE33AAEB54754F204519F950AB1D0DBB5EC9187A4

Function 0010215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00102178

Part of subcall function 0010B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0010B355
Part of subcall function 0010B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00102194,00000034,?,?,00001004,00000000,00000000), ref: 0010B365
Part of subcall function 0010B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00102194,00000034,?,?,00001004,00000000,00000000), ref: 0010B37B

Part of subcall function 0010B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001021D0,?,?,00000034,00000800,?,00000034), ref: 0010B42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 001021DF

Part of subcall function 0010B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0010B3F8

Strings

@U=u, xrefs: 00102178, 001021DF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: f7b696554e7c8cd61b285b356c03ad0d74bdefba21e6169910addc27241425d5
Instruction ID: 2a8c1bc0642b722b70dc2c19bddd84089f4abba621060caf1ad1ec127a8cf68c
Opcode Fuzzy Hash: f7b696554e7c8cd61b285b356c03ad0d74bdefba21e6169910addc27241425d5
Instruction Fuzzy Hash: D4215C31901128ABEF15ABA8DC85FDDBBB8FF19350F1001A5F588A61D0EBB05A44CBA0

Function 001331EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0013327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00133287

Strings

Combobox, xrefs: 00133249

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 42efa9e3a982e387a3b4c0adc980b5c62fb4a8f8acaff94b806fe4980bf629c2
Instruction ID: c655590da0ba7615fbd7ecc46680e04eb91f5b1375a32e42b2410b57b752a742
Opcode Fuzzy Hash: 42efa9e3a982e387a3b4c0adc980b5c62fb4a8f8acaff94b806fe4980bf629c2
Instruction Fuzzy Hash: D511B2713002087FEF259F94DC81EFB3B6AEB943A4F104228F92897291D7719DA18760

Function 001332A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 001332C7
CreatePopupMenu.USER32 ref: 00133339

Strings

8V, xrefs: 00133313, 0013334B

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CreateMenuPopup
String ID: 8V
API String ID: 3826294624-3441868543
Opcode ID: a5cef6173a89e0f4f33f9c830a1d8ced62eeb135cda12d4f67d716a4a58e1b0e
Instruction ID: 940973ae18a7205e2bd1daf6f36b56c7c85e0bc84ad1ad9b28366949ec72ef56
Opcode Fuzzy Hash: a5cef6173a89e0f4f33f9c830a1d8ced62eeb135cda12d4f67d716a4a58e1b0e
Instruction Fuzzy Hash: 3F213D34608204AFCB21CF68C445BD6B7F5FB4A364F09805AE9AD9B351D331AE42DF69

Function 00133710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 000A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000A604C
Part of subcall function 000A600E: GetStockObject.GDI32(00000011), ref: 000A6060
Part of subcall function 000A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 000A606A

GetWindowRect.USER32(00000000,?), ref: 0013377A
GetSysColor.USER32(00000012), ref: 00133794

Strings

static, xrefs: 00133757

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6c39a4e06b4639a9f07b2defa7987e5ddb396d3cddbf8684f880a34b89a3de3d
Instruction ID: 403b970787aa3f02ab765b17b422fb636cadbc2fe3873047276f409c5be6569a
Opcode Fuzzy Hash: 6c39a4e06b4639a9f07b2defa7987e5ddb396d3cddbf8684f880a34b89a3de3d
Instruction Fuzzy Hash: 9C113AB2610209AFDF01DFA8CC46EFA7BB8FB08354F014514F965E2250D735E8519B50

Function 0011CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0011CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0011CDA6

Strings

<local>, xrefs: 0011CD66

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 43f8857c161dccfa9ef650b140e7f8dd923a2b9e3df793a9ac111ca05fda31e9
Instruction ID: 3656745c30e94b8b0a8e3aadfa418ed8a4c35ce0bca08f870e45f7233ab0ae20
Opcode Fuzzy Hash: 43f8857c161dccfa9ef650b140e7f8dd923a2b9e3df793a9ac111ca05fda31e9
Instruction Fuzzy Hash: 8911C6712856317ADB3C4BA69C45EE7BE6CEF127A4F004236B50993080D7709880D6F0

Function 001330D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00133147

Strings

button, xrefs: 0013311E
@U=u, xrefs: 00133147

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: d7e63c0b651e26069d89837c51cbac5f126d913684f61092b4df88ccc1b1d689
Instruction ID: ea36ca877317f20f71bcadab38faa1aaea1d274fb94e0b5931fa7641e104335f
Opcode Fuzzy Hash: d7e63c0b651e26069d89837c51cbac5f126d913684f61092b4df88ccc1b1d689
Instruction Fuzzy Hash: 4311C472250205BBDF118FA4DC41FEB3B6AFF08364F150114FE64A7190C776E8A1AB54

Function 00106C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 000A9CB3: _wcslen.LIBCMT ref: 000A9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00106CB6
_wcslen.LIBCMT ref: 00106CC2

Strings

STOP, xrefs: 00106CBC, 00106CC1

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 5ff9e08a6c237524a445fd7ba4a017b15154bc946d2b2ef2d2b51ed69183dba0
Instruction ID: 4c619a117a305b37f16b9097e21648ad352e30f3510ec3fe4be3b91a90d200c2
Opcode Fuzzy Hash: 5ff9e08a6c237524a445fd7ba4a017b15154bc946d2b2ef2d2b51ed69183dba0
Instruction Fuzzy Hash: A2010032A005268BDB20AFFDDD819BF37A5EB61760B010528E8E2961D1EBB1D860C750

Function 001023DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001021D0,?,?,00000034,00000800,?,00000034), ref: 0010B42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 0010243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 0010245E

Strings

@U=u, xrefs: 0010243B, 0010245E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 8a36d76df6953819585a39614328f9b985139e833f5e21b28657c211b1980a77
Instruction ID: 6e3eae94ae21a50580e1ac8c51172a221aa3aa0c56fce479550bd61d6f66556f
Opcode Fuzzy Hash: 8a36d76df6953819585a39614328f9b985139e833f5e21b28657c211b1980a77
Instruction Fuzzy Hash: 4501F932900218EBEB116F64DC8AFEEBB78DF18310F10402AF555B61D1DBB05E84CB60

Function 00134366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 001343AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00134408

Strings

@U=u, xrefs: 001343AF

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: b1be7245fc4fa4cd392d0e5f1652e2a8e9cbd9fc2df38fbe1bc8f3c6b3951eea
Instruction ID: 2d310cc86be58bebc38482297d0ae588f38d4812497bf753e46396d8c7110e39
Opcode Fuzzy Hash: b1be7245fc4fa4cd392d0e5f1652e2a8e9cbd9fc2df38fbe1bc8f3c6b3951eea
Instruction Fuzzy Hash: BA11BC70500744AFE721CF24C891BEBBBE4BF06310F10891CE8AB97281CB70B945CBA0

Function 000B90DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

8V, xrefs: 000F7077, 000F709D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID:
String ID: 8V
API String ID: 0-3441868543
Opcode ID: 947282e292474107f16f594fc058870930908edeb151c0d4522c816030d4c27a
Instruction ID: d22469ed43178f8c2d2c047783d1cefeddb93a34fc09533d807c61ab32fc9033
Opcode Fuzzy Hash: 947282e292474107f16f594fc058870930908edeb151c0d4522c816030d4c27a
Instruction Fuzzy Hash: AD112B34604604EFCB20DF18D850EA977F6EF99320F148259FA699B6A0CB71E9819F91

Function 0010250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00102531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00102564

Part of subcall function 0010B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,001021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0010B3F8

Part of subcall function 000A6B57: _wcslen.LIBCMT ref: 000A6B6A

Strings

@U=u, xrefs: 00102531, 00102564

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: 43a7790944d708f75b9d0e982a2dc4646317fbd9607d93458cede4c18192447e
Instruction ID: 912e0b8c852b14f07872055e9511cfb25b3f611679d8eb24529153688e00da61
Opcode Fuzzy Hash: 43a7790944d708f75b9d0e982a2dc4646317fbd9607d93458cede4c18192447e
Instruction Fuzzy Hash: 94015B71900118AFDB50AF90CC91EE977ACFB24340F8080A5F68AA6191DF705E88CB90

Function 0010246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00102480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00102497

Part of subcall function 001023DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 0010243B

Strings

@U=u, xrefs: 00102480, 00102497

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: e8e39f88573907417319966c0796dc9a3132e46e9586a1c3ce25b2da0cd75cf8
Instruction ID: aacd31653e62e4b1c99f7c5b9f51dc89282c05aed87d9b8ef5aaf28bd03aef14
Opcode Fuzzy Hash: e8e39f88573907417319966c0796dc9a3132e46e9586a1c3ce25b2da0cd75cf8
Instruction Fuzzy Hash: FCF0BE30601121BAEB211B169C0FCDFBF6DDF56760B100014F445A2191C6F05981C7E0

Function 0012747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00127493
_wcslen.LIBCMT ref: 001274B9

Strings

3, 3, 16, 1, xrefs: 00127483

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bc595d5436e79589753b19745fd5e0ba96f3486bfcfe6127143874f67e7e562d
Instruction ID: d24505ca82ac4b0441b72cfe7616eaea66e543a40604e3d4afd9088318aedcbc
Opcode Fuzzy Hash: bc595d5436e79589753b19745fd5e0ba96f3486bfcfe6127143874f67e7e562d
Instruction Fuzzy Hash: 3DE02B026042701092313379BCC1EFF5689EFC6750710182FF981C22E7EBA48DB193A0

Function 00102BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00102BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00102C2A

Strings

@U=u, xrefs: 00102BFA, 00102C2A

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 94421de7cab704b280b93234ed24d7d465d144218f99bbedd4338b6d9df06009
Instruction ID: 3e6d4bd60e0c71c145418899b0e73ae1298841f75582e81bf2b5c9f62ff1afbf
Opcode Fuzzy Hash: 94421de7cab704b280b93234ed24d7d465d144218f99bbedd4338b6d9df06009
Instruction Fuzzy Hash: 03F0A076340304BFFA156B84DC8BFEA3B58EB15761F004014F7456A1D1CAE25C4097A0

Function 00102D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0010286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00102884
Part of subcall function 0010286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 001028B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00102D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00102D90

Strings

@U=u, xrefs: 00102D80, 00102D90

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 72d0fe34a9698e3db4f9b3a4fd5b4f42d413177ac818e2d9e853b0fbbaf5e12a
Instruction ID: 265c3f185cf22c12eb8f049a986dccd743ada083273339882a89de31b4bfd72e
Opcode Fuzzy Hash: 72d0fe34a9698e3db4f9b3a4fd5b4f42d413177ac818e2d9e853b0fbbaf5e12a
Instruction Fuzzy Hash: AEE09A7A3483097BFA260A919C8EEE23B6DDB58B55F100026F204691D1EBF28C609760

Function 00135829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 00135855
InvalidateRect.USER32(?,?,00000001), ref: 00135877

Strings

@U=u, xrefs: 00135855

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: d504c3c2126051841d10bdd1d3d9e9386ab7a1ec2b13ad9496f9fb1ecb0cc839
Instruction ID: d8375124a0b7e6b28513cf0bfcb5f3b22d392abf1efea71538b0272a42f3b426
Opcode Fuzzy Hash: d504c3c2126051841d10bdd1d3d9e9386ab7a1ec2b13ad9496f9fb1ecb0cc839
Instruction Fuzzy Hash: BAF0E272604040AFCB20CB65DC04FEEBFF8EB85725F0441B2E51AE9051D7308A81CB60

Function 00100B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00100B23

Strings

Error allocating memory., xrefs: 00100B1C
AutoIt, xrefs: 00100B17

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 76f1674f57a7148707c722c62e3dba92d44f379edfe2e2b87f10e743eaa48d15
Instruction ID: eae2e3921d14461e8e33c94f4230738638ef671e67703422b8c66170176ad3fa
Opcode Fuzzy Hash: 76f1674f57a7148707c722c62e3dba92d44f379edfe2e2b87f10e743eaa48d15
Instruction Fuzzy Hash: 36E04F322883192AD21437947C03FD97A859F09B65F10046AFB98B65C38BE265A047E9

Function 00134729 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000004,?,?), ref: 0013475E

Strings

8V, xrefs: 00134749
@U=u, xrefs: 0013475E

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: 8V$@U=u
API String ID: 3850602802-1020947142
Opcode ID: 2cbbf4cfe8b1c841f8c85e21f34bfb7ed651504eb1e921dc200fa9f90a951df9
Instruction ID: 41f7299a9d26b114efe57755157f40bcac39313bc6d443e641a60add834fa64c
Opcode Fuzzy Hash: 2cbbf4cfe8b1c841f8c85e21f34bfb7ed651504eb1e921dc200fa9f90a951df9
Instruction Fuzzy Hash: C2F0C275204209FFCF01DF94DD41CEA7BBAEB4A344B004055F906A7261D731AE64EB60

Function 000C0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 000BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,000C0D71,?,?,?,000A100A), ref: 000BF7CE

IsDebuggerPresent.KERNEL32(?,?,?,000A100A), ref: 000C0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000A100A), ref: 000C0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000C0D7F

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 090ee622f9ef864d952555456e984239c31cd205ffce3c075e83effad886a158
Instruction ID: cf4af9d08d4c0bc8988d47ac5308dfbba841d8674f4cebe838746afb52ef96f8
Opcode Fuzzy Hash: 090ee622f9ef864d952555456e984239c31cd205ffce3c075e83effad886a158
Instruction Fuzzy Hash: 2DE06D742003118BD3609FB8D808B967BE0AB00740F00896DE886D6A52DBB5E484CBD1

Function 000FD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 000FD220

Strings

%.3d, xrefs: 000FD22B
X64, xrefs: 000FD2A8

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9b26a3934635a87f6a2d6a0cd1cb5db685168c4d9e4b68b4d06d9d6372bd798f
Instruction ID: 44249d4cd1e1bb5eb68b294400cbb605aad08d462e876a8814b41f5bb3d4872a
Opcode Fuzzy Hash: 9b26a3934635a87f6a2d6a0cd1cb5db685168c4d9e4b68b4d06d9d6372bd798f
Instruction Fuzzy Hash: D3D0626180911DE9CBE097D0DC459FEB77DBB29341F508453FA06A2441E724D55877A1

Function 00132322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0013232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0013233F

Part of subcall function 0010E97B: Sleep.KERNEL32 ref: 0010E9F3

Strings

Shell_TrayWnd, xrefs: 00132325

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a56a2657628c3061e36ee2f4b2d1011a16eff2ebdd95581d5466eaec8d72f037
Instruction ID: 9f9f49eb1c68f66a2dc600dc0ce30be190d203d9e9a4c5406b520c97ebb99fc1
Opcode Fuzzy Hash: a56a2657628c3061e36ee2f4b2d1011a16eff2ebdd95581d5466eaec8d72f037
Instruction Fuzzy Hash: BBD012763D4310B7E664B771DC0FFC67A54AB10B14F0049167789BA1D0CAF0A841CB94

Function 00132356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0013236C
PostMessageW.USER32(00000000), ref: 00132373

Part of subcall function 0010E97B: Sleep.KERNEL32 ref: 0010E9F3

Strings

Shell_TrayWnd, xrefs: 00132365

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fadaafdd9d9648fa53414047f509e7b42d692674a82a8971005581b54c84ba35
Instruction ID: 2df60e494087126f8f1d2c6840cc57a935052f6a60dd027182310e551fe48da0
Opcode Fuzzy Hash: fadaafdd9d9648fa53414047f509e7b42d692674a82a8971005581b54c84ba35
Instruction Fuzzy Hash: 23D0C9723C13107AE664A7719C0FFC67654AB15B14F0049167685BA1D0CAE0A8418B94

Function 00102313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0010231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 0010232D

Strings

@U=u, xrefs: 0010231F, 0010232D

Memory Dump Source

Source File: 00000000.00000002.2672368236.00000000000A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.2672187469.00000000000A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.000000000013C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672440973.0000000000162000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672547249.000000000016C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2672574554.0000000000174000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_LisectAVT_2403002A_101.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a5eed9c761e7b9521e28bde174e93a5c5bc8b1c3b8c24a0b6237b0a2767cad4c
Instruction ID: 8b6bbd61d00b67e41b4ea357ca1b7d9ef8586772005bb4fa4147955c4ac19c16
Opcode Fuzzy Hash: a5eed9c761e7b9521e28bde174e93a5c5bc8b1c3b8c24a0b6237b0a2767cad4c
Instruction Fuzzy Hash: 1DC01271100180BBE6200B23AC0ECC73E3DE7CAF013000008B204A44A586600080C620

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_101.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\json[1].json

C:\Users\user\AppData\Local\Temp\anaboly

C:\Users\user\AppData\Local\Temp\aut287.tmp

C:\Users\user\AppData\Local\Temp\aut2E6.tmp

C:\Users\user\AppData\Local\Temp\autB22F.tmp

Windows Analysis Report
LisectAVT_2403002A_101.exe

Function 000A42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre