Edit tour

Windows Analysis Report
LisectAVT_2403002A_1.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_1.exe
Analysis ID:	1482526
MD5:	b482f2939a99aa59a86f1897ae6a259f
SHA1:	a6785b567dcd1f65785cc26c4e7c5d58884b5e3f
SHA256:	5e367e602750bb9f6815450f43c4c36ae9734730835839ec85b9ef2b926f16ee
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_1.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_1.exe" MD5: B482F2939A99AA59A86F1897AE6A259F)

RegSvcs.exe (PID: 2704 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_1.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "madamweb@fosna.net", "Password": "}7A;Adw^&~wE"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34529:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34625:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34697:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3167b:$s2: GetPrivateProfileString 0x30d2e:$s3: get_OSFullName 0x323cb:$s5: remove_Key 0x3258e:$s5: remove_Key 0x33468:$s6: FtpWebRequest 0x3440f:$s7: logins 0x34981:$s7: logins 0x37664:$s7: logins 0x37744:$s7: logins 0x39099:$s7: logins 0x382de:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.3293827231.00000000023C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: LisectAVT_2403002A_1.exe PID: 6300	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LisectAVT_2403002A_1.exe PID: 6300	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: LisectAVT_2403002A_1.exe PID: 6300	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 2704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2704	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3262d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3269f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32729:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32825:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32897:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3292d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f87b:$s2: GetPrivateProfileString 0x2ef2e:$s3: get_OSFullName 0x305cb:$s5: remove_Key 0x3078e:$s5: remove_Key 0x31668:$s6: FtpWebRequest 0x3260f:$s7: logins 0x32b81:$s7: logins 0x35864:$s7: logins 0x35944:$s7: logins 0x37299:$s7: logins 0x364de:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34529:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34625:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34697:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3167b:$s2: GetPrivateProfileString 0x30d2e:$s3: get_OSFullName 0x323cb:$s5: remove_Key 0x3258e:$s5: remove_Key 0x33468:$s6: FtpWebRequest 0x3440f:$s7: logins 0x34981:$s7: logins 0x37664:$s7: logins 0x37744:$s7: logins 0x39099:$s7: logins 0x382de:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34529:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345bb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34625:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34697:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3167b:$s2: GetPrivateProfileString 0x30d2e:$s3: get_OSFullName 0x323cb:$s5: remove_Key 0x3258e:$s5: remove_Key 0x33468:$s6: FtpWebRequest 0x3440f:$s7: logins 0x34981:$s7: logins 0x37664:$s7: logins 0x37744:$s7: logins 0x39099:$s7: logins 0x382de:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T00:36:08.446356+0200
SID:	2022930
Source Port:	443
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.5

Timestamp:	2024-07-26T00:35:30.310782+0200
SID:	2022930
Source Port:	443
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_1.exe

Avira: detected

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "madamweb@fosna.net", "Password": "}7A;Adw^&~wE"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LisectAVT_2403002A_1.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: LisectAVT_2403002A_1.exe, 00000000.00000003.2067327158.0000000004060000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_1.exe, 00000000.00000003.2066047368.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LisectAVT_2403002A_1.exe, 00000000.00000003.2067327158.0000000004060000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_1.exe, 00000000.00000003.2066047368.00000000041B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002E4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_002E4696
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EC93C FindFirstFileW,FindClose,	0_2_002EC93C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_002EC9C7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002EF200
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002EF35D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002EF65E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002E3A2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002E3D4E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002EBF27

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002F25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_002F25E2

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.3293827231.0000000002472000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002391000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: LisectAVT_2403002A_1.exe, 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002391000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002458000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293139215.00000000005E5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3293827231.0000000002391000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002458000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_1.exe, 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, usQ5OSi3.cs

.Net Code: GTJ

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002F425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,

0_2_002F425A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002F4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_002F4458

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

0_2_002F425A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002E0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_002E0219

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_0030CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0030CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00283B4C
Source: LisectAVT_2403002A_1.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LisectAVT_2403002A_1.exe, 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2a588de0-2
Source: LisectAVT_2403002A_1.exe, 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2a847ab9-3

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00283633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00283633
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030C220 NtdllDialogWndProc_W,	0_2_0030C220
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0030C27C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0030C49C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0030C788
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030C86D SendMessageW,NtdllDialogWndProc_W,	0_2_0030C86D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0030C8EE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030CB7F NtdllDialogWndProc_W,	0_2_0030CB7F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030CB50 NtdllDialogWndProc_W,	0_2_0030CB50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030CBAE NtdllDialogWndProc_W,	0_2_0030CBAE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030CBF9 NtdllDialogWndProc_W,	0_2_0030CBF9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030CC2E ClientToScreen,NtdllDialogWndProc_W,	0_2_0030CC2E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030CD6C GetWindowLongW,NtdllDialogWndProc_W,	0_2_0030CD6C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0030CDAC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00281287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,	0_2_00281287
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00281290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00281290
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0028167D NtdllDialogWndProc_W,	0_2_0028167D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002816B5 NtdllDialogWndProc_W,	0_2_002816B5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002816DE GetParent,NtdllDialogWndProc_W,	0_2_002816DE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030D6C6 NtdllDialogWndProc_W,	0_2_0030D6C6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_0030D74C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0028189B NtdllDialogWndProc_W,	0_2_0028189B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030DA9A NtdllDialogWndProc_W,	0_2_0030DA9A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030BF4D NtdllDialogWndProc_W,CallWindowProcW,	0_2_0030BF4D

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002E4021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_002E4021

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002D8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74765590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_002D8858

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002E545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_002E545F

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0028E800	0_2_0028E800
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002ADBB5	0_2_002ADBB5
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0028E060	0_2_0028E060
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030804A	0_2_0030804A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00294140	0_2_00294140
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002A2405	0_2_002A2405
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002B6522	0_2_002B6522
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002B267E	0_2_002B267E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00300665	0_2_00300665
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002A283A	0_2_002A283A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00296843	0_2_00296843
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002B89DF	0_2_002B89DF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00298A0E	0_2_00298A0E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002B6A94	0_2_002B6A94
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00300AE2	0_2_00300AE2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002DEB07	0_2_002DEB07
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002E8B13	0_2_002E8B13
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002ACD61	0_2_002ACD61
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002B7006	0_2_002B7006
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0029710E	0_2_0029710E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00293190	0_2_00293190
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00281287	0_2_00281287
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002A33C7	0_2_002A33C7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002AF419	0_2_002AF419
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00295680	0_2_00295680
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002A16C4	0_2_002A16C4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002958C0	0_2_002958C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002A78D3	0_2_002A78D3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002A1BB8	0_2_002A1BB8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002B9D05	0_2_002B9D05
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0028FE40	0_2_0028FE40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002ABFE6	0_2_002ABFE6
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002A1FD0	0_2_002A1FD0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_017B3730	0_2_017B3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0093A610	2_2_0093A610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0093D890	2_2_0093D890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00934A88	2_2_00934A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00933E70	2_2_00933E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_009341B8	2_2_009341B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_009319C0	2_2_009319C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00931A35	2_2_00931A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00937A70	2_2_00937A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C02480	2_2_05C02480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C012D0	2_2_05C012D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C03C28	2_2_05C03C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C03540	2_2_05C03540

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: String function: 00287F41 appears 35 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: String function: 002A0D27 appears 70 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: String function: 002A8B40 appears 42 times

Source: LisectAVT_2403002A_1.exe, 00000000.00000003.2065671955.00000000042DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LisectAVT_2403002A_1.exe
Source: LisectAVT_2403002A_1.exe, 00000000.00000003.2065928641.0000000004133000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LisectAVT_2403002A_1.exe
Source: LisectAVT_2403002A_1.exe, 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename811f7f1b-fbd4-4072-a766-9e250402064d.exe4 vs LisectAVT_2403002A_1.exe

Source: LisectAVT_2403002A_1.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, 3a7VzuwlM.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, 3a7VzuwlM.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, jrWJIjXMiC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, jrWJIjXMiC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, vGgzNQTAVFC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, vGgzNQTAVFC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, vGgzNQTAVFC.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, vGgzNQTAVFC.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002EA2D5 GetLastError,FormatMessageW,

0_2_002EA2D5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002D8713 AdjustTokenPrivileges,CloseHandle,		0_2_002D8713
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002D8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_002D8CC3

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002EB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_002EB59E

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002FF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_002FF121

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_00284FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00284FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

File created: C:\Users\user\AppData\Local\Temp\aut1D2B.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3293827231.00000000024A2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002490000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe "C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: LisectAVT_2403002A_1.exe, 00000000.00000003.2067327158.0000000004060000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_1.exe, 00000000.00000003.2066047368.00000000041B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LisectAVT_2403002A_1.exe, 00000000.00000003.2067327158.0000000004060000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_1.exe, 00000000.00000003.2066047368.00000000041B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_003AE0B0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_003AE0B0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0028C590 push eax; retn 0028h	0_2_0028C599
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002A8B85 push ecx; ret	0_2_002A8B98
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_0030F84D pushfd ; iretd	0_2_0030F84E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C0C323 push eax; ret	2_2_05C0C332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C0CC47 push ecx; ret	2_2_05C0CC56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C0CE20 push edx; ret	2_2_05C0D09E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C0CBA0 push eax; ret	2_2_05C0CB66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05C0B5F7 push eax; ret	2_2_05C0B602

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_00284A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00284A35
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_003055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_003055FD

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002A33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_002A33C7

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: LisectAVT_2403002A_1.exe PID: 6300, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

API/Special instruction interceptor: Address: 17B3354

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LisectAVT_2403002A_1.exe, 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002472000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.00000000023C5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99532

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002E4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_002E4696
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EC93C FindFirstFileW,FindClose,	0_2_002EC93C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_002EC9C7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002EF200
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_002EF35D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002EF65E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002E3A2B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_002E3D4E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_002EBF27

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_00284AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00284AFE

Source: RegSvcs.exe, 00000002.00000002.3293827231.00000000023C5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: RegSvcs.exe, 00000002.00000002.3294501223.00000000058C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	API call chain: ExitProcess graph end node			graph_0-98259
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	API call chain: ExitProcess graph end node			graph_0-100895

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_00937070 CheckRemoteDebuggerPresent,

2_2_00937070

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002F41FD BlockInput,

0_2_002F41FD

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_00283B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00283B4C

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002B5CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_002B5CCC

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_003AE0B0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_003AE0B0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_017B35C0 mov eax, dword ptr fs:[00000030h]	0_2_017B35C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_017B3620 mov eax, dword ptr fs:[00000030h]	0_2_017B3620
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_017B1ED0 mov eax, dword ptr fs:[00000030h]	0_2_017B1ED0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002D81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_002D81F7

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002AA364 SetUnhandledExceptionFilter,		0_2_002AA364
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002AA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_002AA395

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 356008

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002D8C93 LogonUserW,

0_2_002D8C93

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_00283B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00283B4C

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_00284A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00284A35

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002E4EF5 mouse_event,

0_2_002E4EF5

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

0_2_002D81F7

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002E4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_002E4C03

Source: LisectAVT_2403002A_1.exe, 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LisectAVT_2403002A_1.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002A886B cpuid

0_2_002A886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002B50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_002B50D7

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002C2230 GetUserNameW,

0_2_002C2230

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_002B418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_002B418A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe

Code function: 0_2_00284AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00284AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_1.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2704, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: LisectAVT_2403002A_1.exe	Binary or memory string: WIN_81
Source: LisectAVT_2403002A_1.exe	Binary or memory string: WIN_XP
Source: LisectAVT_2403002A_1.exe	Binary or memory string: WIN_XPe
Source: LisectAVT_2403002A_1.exe	Binary or memory string: WIN_VISTA
Source: LisectAVT_2403002A_1.exe	Binary or memory string: WIN_7
Source: LisectAVT_2403002A_1.exe	Binary or memory string: WIN_8
Source: LisectAVT_2403002A_1.exe, 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3293827231.00000000023C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_1.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2704, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LisectAVT_2403002A_1.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_1.exe PID: 6300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2704, type: MEMORYSTR

Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002F6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_002F6596
Source: C:\Users\user\Desktop\LisectAVT_2403002A_1.exe	Code function: 0_2_002F6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_002F6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	651 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_1.exe	100%	Avira	TR/AD.ShellcodeCrypter.exevp
LisectAVT_2403002A_1.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://account.dyn.com/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://account.dyn.com/	LisectAVT_2403002A_1.exe, 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3293827231.0000000002391000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002458000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	RegSvcs.exe, 00000002.00000002.3293827231.0000000002472000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002391000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3293827231.0000000002458000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482526
Start date and time:	2024-07-26 00:34:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: LisectAVT_2403002A_1.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	ip-api.com/line/?fields=hosting
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	ip-api.com/line/?fields=hosting
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LisectAVT_2403002B_109.exe	Get hash	malicious	Blackshades	Browse	ip-api.com/json/
	LisectAVT_2403002B_253.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	s6K4JjTwtz.exe	Get hash	malicious	RHADAMANTHYS	Browse	ip-api.com/json
	IrJIw2lsaB.msi	Get hash	malicious	RHADAMANTHYS	Browse	ip-api.com/json
	ptuNVk3HeK.exe	Get hash	malicious	RHADAMANTHYS	Browse	ip-api.com/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	208.95.112.1
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	208.95.112.1
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LisectAVT_2403002B_109.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	LisectAVT_2403002B_253.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	s6K4JjTwtz.exe	Get hash	malicious	RHADAMANTHYS	Browse	208.95.112.1
	IrJIw2lsaB.msi	Get hash	malicious	RHADAMANTHYS	Browse	208.95.112.1
	ptuNVk3HeK.exe	Get hash	malicious	RHADAMANTHYS	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	LisectAVT_2403002A_147.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	LisectAVT_2403002A_368.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	208.95.112.1
	LisectAVT_2403002A_473.exe	Get hash	malicious	Njrat, XWorm	Browse	208.95.112.1
	LisectAVT_2403002A_52.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LisectAVT_2403002B_109.exe	Get hash	malicious	Blackshades	Browse	208.95.112.1
	LisectAVT_2403002B_253.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	s6K4JjTwtz.exe	Get hash	malicious	RHADAMANTHYS	Browse	208.95.112.1
	IrJIw2lsaB.msi	Get hash	malicious	RHADAMANTHYS	Browse	208.95.112.1
	ptuNVk3HeK.exe	Get hash	malicious	RHADAMANTHYS	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.5692091423954775
Encrypted:	false
SSDEEP:	6144:340hDF0ppMjMgOMiLADlGqcj0Yi/EL4R195Ik5m:3foikAJGqcj/Ui4Rl5m
MD5:	25C9172484BD810794A022BC89E28FA0
SHA1:	1D815A4EA216A0441151D4D167D8E7E098A45546
SHA-256:	D989099263632A73483071D45E8FA3104A5B9B36367E55523A574D7293DCD516
SHA-512:	8B11E566BF4CDA05662AA127B2B0F0AC0A799D98636485535FFD7FB7C491C67B6039D2E28616E4C28B9638E7029F50ABE267B7D0423539F3A23268A4EB3899AF
Malicious:	false
Reputation:	low
Preview:	...1SYSAARGK..L1.YSAERGK.JL1PYSAERGKFJL1PYSAERGKFJL1PYSAERGK.JL1^F.OE.N.g.M}.x.),!g;4%+C14s"$<)$2j.Tp+&/e;)k....=67$k_JAbJL1PYSA..GK.KO1Pn.$ERGKFJL1.YQ@NSLKF.O1PQSAERGK..O1PySAE.DKFJ.1PySAEPGKBJL1PYSAARGKFJL1PyWAEPGKFJL1RY..ERWKFZL1PYCAEBGKFJL1@YSAERGKFJL1T.PA.RGKF.O1.\SAERGKFJL1PYSAERGKFJH1\YSAERGKFJL1PYSAERGKFJL1PYSAERGKFJL1PYSAERGKFJL1PYSAErGKNJL1PYSAERGKNjL1.YSAERGKFJL1~-691RGK".O1PySAE.DKFHL1PYSAERGKFJL1pYS!k 49%JL1.\SAE.DKFLL1P.PAERGKFJL1PYSA.RG.h8)]?:SAIRGKFJH1P[SAE.DKFJL1PYSAERGK.JLsPYSAERGKFJL1PYSA..DKFJL1.YSAGRBK..N1.lRAFRGKGJL7PYSAERGKFJL1PYSAERGKFJL1PYSAERGKFJL1PYSAERGKFJL1M......u.7r;2^.g.5.H.._.. ..J.R.=^....^....a?J..Y.Nu..O...,.I@+F...h9X0K:.<iE-.M....of?...7>.)...9y.$J..p...td....>$....&..%%!.1)#- \|.* +>X.[.@ERGK........,*..kIC/dK+....rX4g...;RGK"JL1"YSA$RGK.JL1?YSA+RGK8JL1.YSA.RGK.JL1gYSA`RGK+JL1tYSA;RGK.7C>..(6..KFJL1e..q.?........w4.9.$r..=....B..E$.'.....I.!..G.8Gf..LGLH4R^WBIoI.....R]WDGUCHJwBz...`.t....!...(.7FJL1PY.AE.GKF..1.YSA.R.K..L1P.A.R.K...1

C:\Users\user\AppData\Local\Temp\aut1D2B.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
File Type:	data
Category:	dropped
Size (bytes):	139266
Entropy (8bit):	7.836539941415579
Encrypted:	false
SSDEEP:	3072:AQ5Wd2gfUuNLYYaR1Uhn9giCKsOOtpXDvK/qNSPh/4x0saYrK1H8jW2+2:XWdPoRSnlCKkPDHMPhPfH8CQ
MD5:	890196EEBC6E4275FFEA812998412DEF
SHA1:	FAD7F6C249DC9C3B77280B5400B93A85245F617D
SHA-256:	3DDD4738F113926B124F3B4A611CF2B65AA365D9F861C43571D713E213673BF2
SHA-512:	4040F8AA8F40125A588966AC441610BA981D3133467665BD09DE52010E2619AF9F6BD6657460DF626ED1358FFD799EBB59CFBC4B8AC2A2A252075F54EE5FBAE9
Malicious:	false
Reputation:	low
Preview:	EA06......;...f.A......1....P...J.Lj......}\`..F...jv....s..<.Y!...Y].c4....L.ej.U...4..;...PX.F{6..-u.U......^.K.R.....Q$.`..Q.S.t.]...0T@.1.......eD.$!....Q.t ...@'5y...@..J...QjUz]...H..4Z...(....e.....c...b......1...~@..E.K...v.j.Lc....Kf...a".lg...R..>..f.!..&..(.`.9.~4..C.P.l. .<..8..g....i..l...Q.'>..B..Q..s.....h...%.L\|.....HQ.T.@.......{....u.M.S..{.g..x....H7..TN.....H.~....2:.......q..........%I.J...K..Nk..\.)<..e.zo_.......4..7.\|.?.w.sy..)Q\M.....,.mF..>.A.{...Q..d1...G-._"....}X...4...O......^Y*.Dmt....K....-F..X.Y.\|..2v...`. ..H..@@....a+..'.....0...f...X...X.at.....,.>.z.r...p..Yw=k.>...t"..7.....1......b.XVZ.B.w..O..5..o7t.N.C..Q.s.=.9..Q..J.W.Rm....g..T..z%..C.R..+.A..m..l}......^.<ZQ...cYA..`.W2c...8..=/....;:...p..s&0Y..G)....T..#.O....>?..[(2)......t._..@...".".Vk6.<.#K.S.R@3..:....H..].....F.L..u....G....i.n.R....&...Vj.(mJ.M......6.>.....t.$.Ph.kl..:.Lk@^......)u.}F....@..0..P.Qw.J&.l.Y( ....R...5....Z......(Q..5T.

C:\Users\user\AppData\Local\Temp\aut1D8A.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
File Type:	data
Category:	dropped
Size (bytes):	11724
Entropy (8bit):	7.719976035566066
Encrypted:	false
SSDEEP:	192:LDIZM0On/nSF/ZaZgUMBLJmf4stSNYwohCcjM99nwSjGn/NtiIz/CfJiXFTfm:LDIDuM/ZaZgrBLJstSNZMU9nwjiIrCZ
MD5:	0356708E94DF034A027AF2CB361CFCB8
SHA1:	CD83B7BCEC450F04BD82AB5196E35929FB005511
SHA-256:	77FC4D7E855C7CFD1112150A9AFC3167746BD8994512C59B5F413B7FD4A7D5CF
SHA-512:	05C7A8AF9F72FA46C111E5CFDF14F194AC8900A5049DCA70FA7B22B9E247CF8AFF8ADDAE979EB270C7F58EB6C0D8E14BE49798EA6C0A329176BF9BDFB2572D35
Malicious:	false
Reputation:	low
Preview:	EA06......[......p..-_.K..p........p......7\|=..!..i.....1........p..=..C............j....... ...$....$..Z......l.@2...p...6}@.@.c.....>...P...@->.......6[@.O....@6 .`.....l`....l...c............. ...G..`7@.....6....@....p.a..r}.NN....0.@<>..........>.........f>.........0>.........w`..........@0...Fw..........}`.@.#..$..>..Ch.....@x...!..T...5O.....~`....S..$5`j..........@5O..`.........z\|`.........o-........$? /O..R..H}../O....H}../O.~.!..H;.GO..s..........:\|.\|.v......:\|.\|.~.........0.).;O..Q..d.I.....{......{..6}.{..X...0...$.............gh...............~.@......lt....'..0n.i?M F..i>. F...H.h~.9P.g.........hgj...iB42.I..B44.I.iB4?P..N......4.>.+z.....@#E..x.....`.*.`w`...G......c.......=.....#......~`.c....`.@.,\|`....c....... ........2..... ......a..p,.!o._.................(..H.0..p...........X\|!... ....@!.....G..........,................X};@...N..o... ..w......v...V.......#....B7........V.......N...o.B6....\|.....t.a...@... .5.1.m.B>......`..r..........#

C:\Users\user\AppData\Local\Temp\prespecialist

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
File Type:	Unicode text, UTF-8 text, with very long lines (29698), with no line terminators
Category:	dropped
Size (bytes):	59396
Entropy (8bit):	3.238172498467149
Encrypted:	false
SSDEEP:	768:XXcPkTPWdJr8zeXleLfeO/VyVfC97ZmJtH:nDqdJr8zgleLfeO/Uo97ZmJtH
MD5:	4394F1DB10EACEA4399EE4B3C9A22C78
SHA1:	458474D75E91C28CC7E6F54F5822C06354D4CC27
SHA-256:	FE9EE46A8C8D4FF72C75E0EAA4F9AB21F66B339D7879C726984368E3D7808E3A
SHA-512:	47F60E0D9760ED08403257A5FED36B7A221BADDE5572CCDD7BB71127B6DB189D135EED3D2898252FD4DE51B0107C7EF300D2DF799759BA22720CA73C59B42E3A
Malicious:	false
Reputation:	low
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.651089318341196
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	LisectAVT_2403002A_1.exe
File size:	706'570 bytes
MD5:	b482f2939a99aa59a86f1897ae6a259f
SHA1:	a6785b567dcd1f65785cc26c4e7c5d58884b5e3f
SHA256:	5e367e602750bb9f6815450f43c4c36ae9734730835839ec85b9ef2b926f16ee
SHA512:	a31a68e29f5ed846fc266ef4fa8b470af686ab7566c1854475685428f9a87995c479355106f554e075560f207c70bea1870133376f81c117d5d30d2ba1596c8c
SSDEEP:	12288:0YV6MorX7qzuC3QHO9FQVHPF51jgc++he0u2Y/ygAkcCMBM:zBXu9HGaVHRhe9ygjZ
TLSH:	DDE4CE9239CA766FDC2F4679431FEAB22A755CD0739109AD4F80720D4C36A4A80EEDD7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	39199c4e42c9d93c

Static PE Info

General

Entrypoint:	0x52e0b0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FB371C [Wed Mar 20 19:21:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004D8000h
lea edi, dword ptr [esi-000D7000h]
push edi
jmp 00007F26D504A11Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F26D504A119h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F26D504A0FFh
mov eax, 00000001h
add ebx, ebx
jne 00007F26D504A119h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F26D504A11Dh
jne 00007F26D504A13Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F26D504A131h
dec eax
add ebx, ebx
jne 00007F26D504A119h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F26D504A0E6h
add ebx, ebx
jne 00007F26D504A119h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F26D504A164h
xor ecx, ecx
sub eax, 03h
jc 00007F26D504A123h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F26D504A187h
sar eax, 1
mov ebp, eax
jmp 00007F26D504A11Dh
add ebx, ebx
jne 00007F26D504A119h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F26D504A0DEh
inc ecx
add ebx, ebx
jne 00007F26D504A119h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F26D504A0D0h
add ebx, ebx
jne 00007F26D504A119h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F26D504A101h
jne 00007F26D504A11Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F26D504A0F6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F26D504A120h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x184af4	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12f000	0x55af4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x184f18	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x12e294	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xd7000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xd8000	0x57000	0x56400	a3a3fe7c96719dc199b1cd2c9dfe01d0	False	0.9874320652173914	data	7.935550797220771	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12f000	0x56000	0x56000	9ee0505f8b94e800f97173ed82c32a8a	False	0.6608716388081395	data	7.125315161568026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12f66c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x12f798	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x12f8c4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x12f9f0	0x74cb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.9987290544834275
RT_ICON	0x136ec0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 0	English	Great Britain	0.1602112676056338
RT_ICON	0x14036c	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 0	English	Great Britain	0.1848872180451128
RT_ICON	0x146b58	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 0	English	Great Britain	0.1996765249537893
RT_ICON	0x14bfe4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	Great Britain	0.2081955597543694
RT_ICON	0x150210	0x3a48	Device independent bitmap graphic, 60 x 120 x 32, image size 0	English	Great Britain	0.21648793565683647
RT_ICON	0x153c5c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.2550829875518672
RT_ICON	0x156208	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0	English	Great Britain	0.29659763313609466
RT_ICON	0x157c74	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.3405253283302064
RT_ICON	0x158d20	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	Great Britain	0.4385245901639344
RT_ICON	0x1596ac	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0	English	Great Britain	0.5337209302325582
RT_ICON	0x159d68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.625886524822695
RT_MENU	0xf3194	0x50	data	English	Great Britain	1.1375
RT_STRING	0xf31e4	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xf3778	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xf3e04	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xf4294	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xf4890	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xf4eec	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xf5354	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x15a1d4	0x2a34e	data			1.0003528499866958
RT_GROUP_ICON	0x184528	0xae	data	English	Great Britain	0.7068965517241379
RT_GROUP_ICON	0x1845dc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1845f4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x18460c	0x14	data	English	Great Britain	1.25
RT_VERSION	0x184624	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x184704	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-26T00:36:08.446356+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49712	40.127.169.103	192.168.2.5
2024-07-26T00:35:30.310782+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49705	40.127.169.103	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 00:35:14.627679110 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 00:35:14.634680033 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 00:35:14.634782076 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 00:35:14.635479927 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 00:35:14.641554117 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 00:35:15.116544008 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 00:35:15.159920931 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 00:36:08.304303885 CEST	80	49704	208.95.112.1	192.168.2.5
Jul 26, 2024 00:36:08.304471970 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 00:36:55.120148897 CEST	49704	80	192.168.2.5	208.95.112.1
Jul 26, 2024 00:36:55.126583099 CEST	80	49704	208.95.112.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2024 00:35:14.423336983 CEST	51526	53	192.168.2.5	1.1.1.1
Jul 26, 2024 00:35:14.621428013 CEST	53	51526	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 26, 2024 00:35:14.423336983 CEST	192.168.2.5	1.1.1.1	0xd0eb	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 26, 2024 00:35:14.621428013 CEST	1.1.1.1	192.168.2.5	0xd0eb	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	208.95.112.1	80	2704	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jul 26, 2024 00:35:14.635479927 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jul 26, 2024 00:35:15.116544008 CEST	175	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 22:35:14 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	18:35:09
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"
Imagebase:	0x280000
File size:	706'570 bytes
MD5 hash:	B482F2939A99AA59A86F1897AE6A259F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2069328083.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:35:12
Start date:	25/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_1.exe"
Imagebase:	0x10000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3293827231.00000000023C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3292761755.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	166

Executed Functions

Function 00283B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00283B7A
IsDebuggerPresent.KERNEL32 ref: 00283B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,003462F8,003462E0,?,?), ref: 00283BFD

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

Part of subcall function 00290A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00283C26,003462F8,?,?,?), ref: 00290ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00283C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003393F0,00000010), ref: 002BD4BC
SetCurrentDirectoryW.KERNEL32(?,003462F8,?,?,?), ref: 002BD4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00335D40,003462F8,?,?,?), ref: 002BD57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 002BD581

Part of subcall function 00283A58: GetSysColorBrush.USER32(0000000F), ref: 00283A62
Part of subcall function 00283A58: LoadCursorW.USER32(00000000,00007F00), ref: 00283A71
Part of subcall function 00283A58: LoadIconW.USER32(00000063), ref: 00283A88
Part of subcall function 00283A58: LoadIconW.USER32(000000A4), ref: 00283A9A
Part of subcall function 00283A58: LoadIconW.USER32(000000A2), ref: 00283AAC
Part of subcall function 00283A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00283AD2
Part of subcall function 00283A58: RegisterClassExW.USER32(?), ref: 00283B28

Part of subcall function 002839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00283A15
Part of subcall function 002839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00283A36
Part of subcall function 002839E7: ShowWindow.USER32(00000000,?,?), ref: 00283A4A
Part of subcall function 002839E7: ShowWindow.USER32(00000000,?,?), ref: 00283A53

Part of subcall function 002843DB: _memset.LIBCMT ref: 00284401
Part of subcall function 002843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002844A6

Strings

%1, xrefs: 00283C56
runas, xrefs: 002BD575
This is a third-party compiled AutoIt script., xrefs: 002BD4B4

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%1
API String ID: 529118366-4187996367
Opcode ID: ee6bc1255e35aab9bce7d67b445fb03b843813b28a91e06ba5809bff23b1bd1c
Instruction ID: cd06cebc233f8dce2a3ce28a54715f778519300752efc6a521bb50a9f551651c
Opcode Fuzzy Hash: ee6bc1255e35aab9bce7d67b445fb03b843813b28a91e06ba5809bff23b1bd1c
Instruction Fuzzy Hash: BC51267C926249BFCF12FFB4DC06AED7B78AB06740F044466F411661E1DAB0A625CF22

Function 00283633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 002836D2
KillTimer.USER32(?,00000001), ref: 002836FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0028371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0028372A
CreatePopupMenu.USER32 ref: 0028373E
PostQuitMessage.USER32(00000000), ref: 0028375F

Strings

%1, xrefs: 002BD2D1, 002BD31F
TaskbarCreated, xrefs: 00283725

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%1
API String ID: 157504867-434257164
Opcode ID: 9fbd03479e1cfe5650ea464eb30ec49bc3197356acfc76503c01053926db5231
Instruction ID: cf1cc51336933c29963b9733cf7680d488fe62258252177f35bcf7f35f877ab4
Opcode Fuzzy Hash: 9fbd03479e1cfe5650ea464eb30ec49bc3197356acfc76503c01053926db5231
Instruction Fuzzy Hash: 3B41FBBD132106BBDB15BF28DC0ABBD379CE702B40F140525F5018A2E1EAA1ED749B67

Function 00284AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00284B2B

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

GetCurrentProcess.KERNEL32(?,0030FAEC,00000000,00000000,?), ref: 00284BF8
IsWow64Process.KERNEL32(00000000), ref: 00284BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00284C45
FreeLibrary.KERNEL32(00000000), ref: 00284C50
GetSystemInfo.KERNEL32(00000000), ref: 00284C81
GetSystemInfo.KERNEL32(00000000), ref: 00284C8D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 46bbd4f03b18fcdd8337d77a6efd19bf9735496da26a438b9ca2d4594c3f8e06
Instruction ID: 2526671fb218e6ec9ffc6e8a6fdcd0fc562770a2f5b5009f0c240e79b754b898
Opcode Fuzzy Hash: 46bbd4f03b18fcdd8337d77a6efd19bf9735496da26a438b9ca2d4594c3f8e06
Instruction Fuzzy Hash: E091D43596B7C2DFC731EF6884615EAFFE4AF25304B484A5ED0CB83A81D264E918C719

Function 00284FE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00284EEE,?,?,00000000,00000000), ref: 00285010
LoadResource.KERNEL32(?,00000000,?,?,00284EEE,?,?,00000000,00000000,?,?,?,?,?,?,00284F8F), ref: 002BDD60
SizeofResource.KERNEL32(?,00000000,?,?,00284EEE,?,?,00000000,00000000,?,?,?,?,?,?,00284F8F), ref: 002BDD75
LockResource.KERNEL32(N(,?,?,00284EEE,?,?,00000000,00000000,?,?,?,?,?,?,00284F8F,00000000), ref: 002BDD88

Strings

N(, xrefs: 002BDD85
SCRIPT, xrefs: 00285006

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT$N(
API String ID: 3473537107-3616998118
Opcode ID: 909a773be26d1782d5195b0452422527c93751be013a265bb70a5e4f32dc5a0a
Instruction ID: afb6e5c2f5b6f1ee797b1777842901090f829171f352e055f7904a1f68ecf760
Opcode Fuzzy Hash: 909a773be26d1782d5195b0452422527c93751be013a265bb70a5e4f32dc5a0a
Instruction Fuzzy Hash: 38119E79201701AFD7329B65DC58F677BBDEBC9B51F204569F405866A0DB61E8008660

Function 003AE0B0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 003AE1EA
GetProcAddress.KERNEL32(?,003A7FF9), ref: 003AE208
ExitProcess.KERNEL32(?,003A7FF9), ref: 003AE219
VirtualProtect.KERNELBASE(00280000,00001000,00000004,?,00000000), ref: 003AE267
VirtualProtect.KERNELBASE(00280000,00001000), ref: 003AE27C

Memory Dump Source

Source File: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 18a3ffaa57077a15f4bb388c9ac25fce1d9106a127764eb2eddf90b89e3d877e
Instruction ID: 3ff13115343032deed5cd82b67491fc87813634722bfd8351b4bf66bfd7db7db
Opcode Fuzzy Hash: 18a3ffaa57077a15f4bb388c9ac25fce1d9106a127764eb2eddf90b89e3d877e
Instruction Fuzzy Hash: C0512972A543625BD7239EB8CCC0760B7A4EB53324B2D0B39D9E2C73C5EBB459068760

Function 0028E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt4, xrefs: 0028EC21
Dt4, xrefs: 002C3F58
Dt4, xrefs: 002C3F1F
Dt4, xrefs: 0028EC1A
Variable must be of type 'Object'., xrefs: 002C428C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID: Dt4$Dt4$Dt4$Dt4$Variable must be of type 'Object'.
API String ID: 0-880903462
Opcode ID: c30374767564b1938b1ad0b327cf4c6345a519e52388176a7385153a3810463a
Instruction ID: a949fcd0c103281ec1fd169cb2788c92e44f9c19adfbd9d8ee43ccdd4c48225b
Opcode Fuzzy Hash: c30374767564b1938b1ad0b327cf4c6345a519e52388176a7385153a3810463a
Instruction Fuzzy Hash: 2AA2D278A21206CFCF24EF44C580AAEB7B1FF59314F258559E916AB391D770EC62CB81

Function 002E4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,002BE7C1), ref: 002E46A6
FindFirstFileW.KERNELBASE(?,?), ref: 002E46B7
FindClose.KERNEL32(00000000), ref: 002E46C7

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 00538e8c12864225cc5d150f10024df69441a1369782f3712cb20074b054b669
Instruction ID: de0b029aa40eeae0e5853ac40a47d9d67a6e464951cbcaca0cc4b4a4dac72698
Opcode Fuzzy Hash: 00538e8c12864225cc5d150f10024df69441a1369782f3712cb20074b054b669
Instruction Fuzzy Hash: AFE0D8354214015FC220B739EC5D4EA775C9E07335F500B16F935C14E0E7B069608595

Function 00290B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00290BBB
timeGetTime.WINMM ref: 00290E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00290FB3
TranslateMessage.USER32(?), ref: 00290FC7
DispatchMessageW.USER32(?), ref: 00290FD5
Sleep.KERNEL32(0000000A), ref: 00290FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0029105A
DestroyWindow.USER32 ref: 00291066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00291080
Sleep.KERNEL32(0000000A,?,?), ref: 002C52AD
TranslateMessage.USER32(?), ref: 002C608A
DispatchMessageW.USER32(?), ref: 002C6098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002C60AC

Strings

@COM_EVENTOBJ, xrefs: 002C591A
@GUI_CTRLID, xrefs: 002C5364
@GUI_CTRLHANDLE, xrefs: 002C540E
pr4, xrefs: 002C542D
@TRAY_ID, xrefs: 002C5BB9
pr4, xrefs: 002C5BDE
pr4, xrefs: 002C5383
@GUI_WINHANDLE, xrefs: 002C53B9
pr4, xrefs: 002C53D8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr4$pr4$pr4$pr4
API String ID: 4003667617-1953740406
Opcode ID: 4666a5709ba1c235f7cf5374bd9c704615d9fccaceb2ba707086722266fdd262
Instruction ID: eda5185001547d6332d3ed4894c2bfed5f83fe499422c171f8a4ed95bfc005fb
Opcode Fuzzy Hash: 4666a5709ba1c235f7cf5374bd9c704615d9fccaceb2ba707086722266fdd262
Instruction Fuzzy Hash: 5AB2C374628752DFDB25DF24C884F6AB7E4BF85304F144A1DE48A87291DB71F8A4CB82

Function 002E93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002E91E9: __time64.LIBCMT ref: 002E91F3

Part of subcall function 00285045: _fseek.LIBCMT ref: 0028505D

__wsplitpath.LIBCMT ref: 002E94BE

Part of subcall function 002A432E: __wsplitpath_helper.LIBCMT ref: 002A436E

_wcscpy.LIBCMT ref: 002E94D1
_wcscat.LIBCMT ref: 002E94E4
__wsplitpath.LIBCMT ref: 002E9509
_wcscat.LIBCMT ref: 002E951F
_wcscat.LIBCMT ref: 002E9532

Part of subcall function 002E922F: _memmove.LIBCMT ref: 002E9268
Part of subcall function 002E922F: _memmove.LIBCMT ref: 002E9277

_wcscmp.LIBCMT ref: 002E9479

Part of subcall function 002E99BE: _wcscmp.LIBCMT ref: 002E9AAE
Part of subcall function 002E99BE: _wcscmp.LIBCMT ref: 002E9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002E96DC
_wcsncpy.LIBCMT ref: 002E974F
DeleteFileW.KERNEL32(?,?), ref: 002E9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002E979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002E97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002E97BE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 6c9992a350ef58d40ccd191ad9da88e4183bc7fc2a9d19784ea0fd562a0e6f70
Instruction ID: 7f6ebe47ec6e7010d796fb9c5151d1a1812defa83c3a21d593909b19624668b5
Opcode Fuzzy Hash: 6c9992a350ef58d40ccd191ad9da88e4183bc7fc2a9d19784ea0fd562a0e6f70
Instruction Fuzzy Hash: 31C14EB1D10229AFCF21EF95CC85ADEB7BDAF45300F4040ABF609E6141EB709A948F65

Function 002871EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00284864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003462F8,?,002837C0,?), ref: 00284882

Part of subcall function 002A074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002872C5), ref: 002A0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00287308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002BECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002BED32
RegCloseKey.ADVAPI32(?), ref: 002BED70
_wcscat.LIBCMT ref: 002BEDC9

Strings

\, xrefs: 002BEDEC
Include, xrefs: 002BECE8, 002BED29
\Include\, xrefs: 002872C5
Software\AutoIt v3\AutoIt, xrefs: 002872FE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 0d6a50078426c2373349a21a7303ec321eea6e436af389429817cade80f5ad3e
Instruction ID: 2822efe76cad155c45f592a6584a4b3de17309cf952e168accd2168a030412a9
Opcode Fuzzy Hash: 0d6a50078426c2373349a21a7303ec321eea6e436af389429817cade80f5ad3e
Instruction Fuzzy Hash: E0716A7902A3019EC715EF25EC8189BB7ECFF5A740F40482EF445871A1DBB0A958CFA1

Function 00283A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00283A62
LoadCursorW.USER32(00000000,00007F00), ref: 00283A71
LoadIconW.USER32(00000063), ref: 00283A88
LoadIconW.USER32(000000A4), ref: 00283A9A
LoadIconW.USER32(000000A2), ref: 00283AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00283AD2
RegisterClassExW.USER32(?), ref: 00283B28

Part of subcall function 00283041: GetSysColorBrush.USER32(0000000F), ref: 00283074
Part of subcall function 00283041: RegisterClassExW.USER32(00000030), ref: 0028309E
Part of subcall function 00283041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002830AF
Part of subcall function 00283041: LoadIconW.USER32(000000A9), ref: 002830F2

Strings

#, xrefs: 00283B0D
AutoIt v3, xrefs: 00283B17
0, xrefs: 00283B06

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 5ea848c8dbb8f08564650a45853bb7caeb573c0def811dd40138aa207573dc45
Instruction ID: 5aa27e5204ed549bd2b0120abe80745995d43c8d193d5fbcba27608e732c9853
Opcode Fuzzy Hash: 5ea848c8dbb8f08564650a45853bb7caeb573c0def811dd40138aa207573dc45
Instruction Fuzzy Hash: 31215178D11304BFDB12DFA4EC06B9D7BB8FB0A711F00452AF504AA2A0DBF665548F46

Function 00283778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00283834
CMDLINERAW, xrefs: 0028380D
/AutoIt3ExecuteLine, xrefs: 002838B9
/AutoIt3OutputDebug, xrefs: 002838A4
/AutoIt3ExecuteScript, xrefs: 002838CE
/ErrorStdOut, xrefs: 0028388F
b4, xrefs: 002BD44E
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002837C0

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b4
API String ID: 1825951767-1798241738
Opcode ID: 385c87cfa5d4d3a844b7a6d522ec6737f10c064f8835fbc0ff3418a3f8e140fa
Instruction ID: d319a41b61f0e07f4d5a47ed6fb6e025bce258257ec49279f7b697c543d4b0d9
Opcode Fuzzy Hash: 385c87cfa5d4d3a844b7a6d522ec6737f10c064f8835fbc0ff3418a3f8e140fa
Instruction Fuzzy Hash: 7FA17179922229ABCB05FFA0CC929EEB7B8BF15700F540429F416A71D1DF74A615CF60

Function 00283015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00283074
RegisterClassExW.USER32(00000030), ref: 0028309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002830AF
LoadIconW.USER32(000000A9), ref: 002830F2

Strings

TaskbarCreated, xrefs: 002830A4
0, xrefs: 00283056
AutoIt v3 GUI, xrefs: 00283090
+, xrefs: 0028305D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: d034470b09769dd4a878cb5f45254d8d0f0e7dfaf8c1bb3475101bf5f4609a89
Instruction ID: df211df534ad578f53e9d95cd00b264f6572f47287616bb28afa9d74b48cddd0
Opcode Fuzzy Hash: d034470b09769dd4a878cb5f45254d8d0f0e7dfaf8c1bb3475101bf5f4609a89
Instruction Fuzzy Hash: C7319AB5802309EFDB12DFA4DC89AC9BFF8FB0A710F10416AE580EA2A0D7B55545CF52

Function 00283041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00283074
RegisterClassExW.USER32(00000030), ref: 0028309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002830AF
LoadIconW.USER32(000000A9), ref: 002830F2

Strings

TaskbarCreated, xrefs: 002830A4
0, xrefs: 00283056
AutoIt v3 GUI, xrefs: 00283090
+, xrefs: 0028305D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 2f2f9e28c4cf19b0dabef807ed673b280306cd6c9a3771cf1edf2ec476ab6875
Instruction ID: 0dd2e800f7598970f7e18e631fc989ce6d709522a79f14e7bf815a0e107b4742
Opcode Fuzzy Hash: 2f2f9e28c4cf19b0dabef807ed673b280306cd6c9a3771cf1edf2ec476ab6875
Instruction Fuzzy Hash: 5721F9B5901318AFDB12DF94EC59BDDBBF8FB0A700F00412AF510AA2A0DBB155448F92

Function 0028F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002A03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002A03D3
Part of subcall function 002A03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 002A03DB
Part of subcall function 002A03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002A03E6
Part of subcall function 002A03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002A03F1
Part of subcall function 002A03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 002A03F9
Part of subcall function 002A03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 002A0401

Part of subcall function 00296259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 002962B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0028FB2D
OleInitialize.OLE32(00000000), ref: 0028FBAA
CloseHandle.KERNEL32(00000000), ref: 002C49F2

Strings

c4, xrefs: 0028F94B
%1, xrefs: 0028F8F6, 0028F908, 0028FACE, 0028FBB1
<g4, xrefs: 0028FA90
\d4, xrefs: 0028F957

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: <g4$\d4$%1$c4
API String ID: 3094916012-506416625
Opcode ID: d0652943d737cc5b47e090de942038669115f22e5a92443b1633867923a8fec6
Instruction ID: 65f57a0e0f16732186e826f8f2ad8de7f8fadb17d52152f9d7f5b72ff2f238ee
Opcode Fuzzy Hash: d0652943d737cc5b47e090de942038669115f22e5a92443b1633867923a8fec6
Instruction Fuzzy Hash: 8481BEBC9113808FCB86DF2AE9576557AECEB8B714B10812A9019CF372EF316454CF12

Function 017B2710 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017B27E1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017B2A07

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 9782f307f6eb729223afc4200fcf877bc30ae92d5641e87cd3ac28d39805c76c
Instruction ID: 5d84f21122b73897c759111df106eb82f018b46956067873efd4f24681c0aea1
Opcode Fuzzy Hash: 9782f307f6eb729223afc4200fcf877bc30ae92d5641e87cd3ac28d39805c76c
Instruction Fuzzy Hash: 9CA10A70E05209EBDB14CFA4C898BEEFBB5FF48704F108159E605BB281D775AA81CB55

Function 002839E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00283A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00283A36
ShowWindow.USER32(00000000,?,?), ref: 00283A4A
ShowWindow.USER32(00000000,?,?), ref: 00283A53

Strings

edit, xrefs: 00283A30
AutoIt v3, xrefs: 00283A0D, 00283A12, 00283A13

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 12b86848398b5a9421a0a2f35a38389446efdfc7fa00a67ffbdba224003015d2
Instruction ID: 99a39fedd678c5593ee1f813d49f7b7e0a57aaa17d64ccf3f47d912ea6c48e9d
Opcode Fuzzy Hash: 12b86848398b5a9421a0a2f35a38389446efdfc7fa00a67ffbdba224003015d2
Instruction Fuzzy Hash: A7F030746412907EEB321B176C1AE673E7DD7C7F50F00042AB900A61B0CAE52800CA71

Function 017B24E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017B2603
VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 017B2638
ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 017B265B
ExitProcess.KERNEL32(00000000), ref: 017B26BC

Strings

FJL1PYSAERGK, xrefs: 017B2666, 017B2669

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: File$AllocCreateExitProcessReadVirtual
String ID: FJL1PYSAERGK
API String ID: 1333605300-3162956194
Opcode ID: d0c71725ae548e8885831267f7822981509575ead0855d1286ad7dd0001d5cb1
Instruction ID: f220405fa7e4645a775c2f658b792698e7f01a87c70a4ebe8c78afe53a10b852
Opcode Fuzzy Hash: d0c71725ae548e8885831267f7822981509575ead0855d1286ad7dd0001d5cb1
Instruction Fuzzy Hash: DC519031D01249DBEF11EBA4C899BEFFB78AF04304F004599E609BB2C1D7796A45CBA5

Function 0028410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002BD5EC

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

_memset.LIBCMT ref: 0028418D
_wcscpy.LIBCMT ref: 002841E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002841F1

Strings

Line: , xrefs: 002BD615

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f47e2af47073708f60f4c18af3b9a7e1de9331e51c3791c875c7da7343c3e2a7
Instruction ID: fdc8c65b149294b3a7c43b3abb1367b4e1ed7a89973a9c12a4509e4a7ae951e9
Opcode Fuzzy Hash: f47e2af47073708f60f4c18af3b9a7e1de9331e51c3791c875c7da7343c3e2a7
Instruction Fuzzy Hash: C131A07502A3056BD722FF60DC46BDA77ECAB45300F10491AF588960E1EFB4A6688B93

Function 002A564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A56AB
_memcpy_s.LIBCMT ref: 002A571D
__read_nolock.LIBCMT ref: 002A577B
__filbuf.LIBCMT ref: 002A579E
_memset.LIBCMT ref: 002A57E2

Part of subcall function 002A8D68: __getptd_noexit.LIBCMT ref: 002A8D68

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: a0605e16bb5f51f6f624cc59ed6365fc761fe863394df1e4f5bf7ef3814ca32b
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 90519831A20B26DBDB249F79CC8466FB7A5AF42720F648729F825A61D0DF749D708F40

Function 002869CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00284F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00284F6F

_free.LIBCMT ref: 002BE68C
_free.LIBCMT ref: 002BE6D3

Part of subcall function 00286BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00286D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 002BE462
Bad directive syntax error, xrefs: 002BE6BB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: b02dffdbed710dbabb9f74b3b73f67756c7d76c6a478d7ffe7f779887e7858f8
Instruction ID: a0d23d6aa29c4f812775cee2f03fad9db0c77e84de374c97d0c97a9bf2a68eca
Opcode Fuzzy Hash: b02dffdbed710dbabb9f74b3b73f67756c7d76c6a478d7ffe7f779887e7858f8
Instruction Fuzzy Hash: 68919E75920219AFCF14EFA4CC919EDB7B8FF19354F14442AF816AB291EB70A924CF50

Function 002835B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002835A1,SwapMouseButtons,00000004,?), ref: 002835D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002835A1,SwapMouseButtons,00000004,?,?,?,?,00282754), ref: 002835F5
RegCloseKey.KERNELBASE(00000000,?,?,002835A1,SwapMouseButtons,00000004,?,?,?,?,00282754), ref: 00283617

Strings

Control Panel\Mouse, xrefs: 002835D2

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a11f9c45775acd88ae8efb39d884ced9cb3741949d173ed49f7ca2bcf582f876
Instruction ID: 58baa4c3a8a2bbc9948e88851cab6f0d2f494ebef55a2acf3a9e871fbbdbe6d7
Opcode Fuzzy Hash: a11f9c45775acd88ae8efb39d884ced9cb3741949d173ed49f7ca2bcf582f876
Instruction Fuzzy Hash: 72114C75522218BFDB21DF68DC409AEB7BCFF04B40F004469E805D7250E2719E509764

Function 017B1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017B1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017B1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017B1B73

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 5ae7e6e0dd3a6464af4ceb31d3ba1ad0151e7030dc369dbde652ede20194780f
Instruction ID: a63eb4282822383054b538da3feff23dc2d281f7855b978f001f1e4a63782ac7
Opcode Fuzzy Hash: 5ae7e6e0dd3a6464af4ceb31d3ba1ad0151e7030dc369dbde652ede20194780f
Instruction Fuzzy Hash: 66622A30A14258DBEB24CFA4D890BDEB372EF58300F5091A9D20DEB394E7759E81CB59

Function 002E97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00285045: _fseek.LIBCMT ref: 0028505D

Part of subcall function 002E99BE: _wcscmp.LIBCMT ref: 002E9AAE
Part of subcall function 002E99BE: _wcscmp.LIBCMT ref: 002E9AC1

_free.LIBCMT ref: 002E992C
_free.LIBCMT ref: 002E9933
_free.LIBCMT ref: 002E999E

Part of subcall function 002A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,002A9C64), ref: 002A2FA9
Part of subcall function 002A2F95: GetLastError.KERNEL32(00000000,?,002A9C64), ref: 002A2FBB

_free.LIBCMT ref: 002E99A6

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
Instruction ID: 3329cbe899b1d7da26210df5ed50f01df01d58e7a8c5d0e9c8c789b1c620b3db
Opcode Fuzzy Hash: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
Instruction Fuzzy Hash: FE5172B1D14258AFDF249F65CC41A9EBBB9EF48300F00049EF649A7282DB715D90CF58

Function 002A493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002A49D0
__flush.LIBCMT ref: 002A49F0
__write.LIBCMT ref: 002A4A23
__flsbuf.LIBCMT ref: 002A4A51

Part of subcall function 002A8D68: __getptd_noexit.LIBCMT ref: 002A8D68

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: f1277b671fa78d9af14f350d7dd03fb738cabd73e3edd103b5c182c897ce7700
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 0041E5306207079BDB18AEA9C8909AF77AAEFC6360B24813DE855C7641DFF0DD708B44

Function 00284DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00284E1A

Strings

EA06, xrefs: 002BDCF5
AU3!P/1, xrefs: 00284E14

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/1$EA06
API String ID: 4104443479-2507073696
Opcode ID: 30a8abb98c2d9b0d563bb9dbc8f44d0512151c571d449f88bdf98703de36f1fc
Instruction ID: b09e43a458d2241beb1dc41d30f4c9d233cd03124e9a3bf173f1f20bfaf7001e
Opcode Fuzzy Hash: 30a8abb98c2d9b0d563bb9dbc8f44d0512151c571d449f88bdf98703de36f1fc
Instruction Fuzzy Hash: 8841AF39A3526A5BDF22BF64C8517BE7FA2AB05300F584075FD829B1C2D6708D6087E1

Function 002873E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002BEE62
7516D0D0.COMDLG32(?), ref: 002BEEAC

Part of subcall function 002848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002848A1,?,?,002837C0,?), ref: 002848CE

Part of subcall function 002A09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002A09F4

Strings

X, xrefs: 002BEE7A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: NamePath$7516FullLong_memset
String ID: X
API String ID: 3926756254-3081909835
Opcode ID: 8b389c9610fee3d03906383960bc8101a17fd084837ce9d07b2061c315fe5933
Instruction ID: 10bcfd6ddf769d8ac17d46555d25deb8c330ff8bdc16fe10288faa675c53c1c9
Opcode Fuzzy Hash: 8b389c9610fee3d03906383960bc8101a17fd084837ce9d07b2061c315fe5933
Instruction Fuzzy Hash: 4E21D534A212589BDF11EF94CC45BEE7BFC9F49314F14401AE408E7281DBF899998FA1

Function 002E901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002E9036
__fread_nolock.LIBCMT ref: 002E904B

Strings

EA06, xrefs: 002E907D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: dc1506ab1bb7644680e2bb5af23c3cb826bd2d05cf17f436912d7f9a430e1c85
Instruction ID: db862ce84d863d497baa9fc70e439ae038949c910ee439827fc18afc9a76a12b
Opcode Fuzzy Hash: dc1506ab1bb7644680e2bb5af23c3cb826bd2d05cf17f436912d7f9a430e1c85
Instruction Fuzzy Hash: B601F9718142586FDB28CBA9C856EEE7BF89B01301F00419BF552D2181E9B9A6188B60

Function 002A0FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002A594C: __FF_MSGBANNER.LIBCMT ref: 002A5963
Part of subcall function 002A594C: __NMSG_WRITE.LIBCMT ref: 002A596A
Part of subcall function 002A594C: RtlAllocateHeap.NTDLL(017D0000,00000000,00000001), ref: 002A598F

std::exception::exception.LIBCMT ref: 002A102C
__CxxThrowException@8.LIBCMT ref: 002A1041

Part of subcall function 002A87DB: RaiseException.KERNEL32(?,?,00000000,0033BAF8,?,00000001,?,?,?,002A1046,00000000,0033BAF8,00289FEC,00000001), ref: 002A8830

Strings

bad allocation, xrefs: 002A1021

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: ad519a65d5e8b343495255782bd32df1211647a045ec0275e0bb58d247d704cd
Instruction ID: 6209d804d0127c52c9c1e6d42dd4ac6eb9627c7e56dd953a9727489d428b4cdf
Opcode Fuzzy Hash: ad519a65d5e8b343495255782bd32df1211647a045ec0275e0bb58d247d704cd
Instruction Fuzzy Hash: ECF0C83951031EA7CB25BE59EC059DFB7AC9F06360F100426FC14A6591EFB18AF48AD0

Function 002E9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 002E9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002E9B99

Strings

aut, xrefs: 002E9B93

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 669a4d7693efa5285931769bb4613eb12d35e42b8e7e30a17d07e6fbf5a547e6
Instruction ID: 35517d25869127f94288adaedd4994f929ddb6fd53b6e43a249a93632bfba174
Opcode Fuzzy Hash: 669a4d7693efa5285931769bb4613eb12d35e42b8e7e30a17d07e6fbf5a547e6
Instruction Fuzzy Hash: 9CD05E7954130DAFDB219B90EC4EFEA772CE704700F0046A2BE94915A1DEB065988B91

Function 002FCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa19b8471caf350b2dce1a793bd2ead012c27d8c4a743f2160cfccbe3ed5be6
Instruction ID: f516a177e244ab84a86f92d7c066a58b101d0ea7bf1eb1ef4d78612395b113a3
Opcode Fuzzy Hash: 7fa19b8471caf350b2dce1a793bd2ead012c27d8c4a743f2160cfccbe3ed5be6
Instruction Fuzzy Hash: FDF157749183059FC714DF28C480A2AFBE5BF88354F14892EF99A9B352DB31E955CF82

Function 002843DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00284401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 002844A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 002844C3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 49ab9f9c2e0b3966489b649a228f104bdb5dd05131ee404ebf32898181ccbd16
Instruction ID: 5c20dd88f9a6c912ae4ecdbaf5d152954ae7e05b3fc341624a330498b775880a
Opcode Fuzzy Hash: 49ab9f9c2e0b3966489b649a228f104bdb5dd05131ee404ebf32898181ccbd16
Instruction Fuzzy Hash: D93193B45167029FD721EF24D885797BBF8FB4A304F00092EF59A87290E7B1A958CB52

Function 002A594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 002A5963

Part of subcall function 002AA3AB: __NMSG_WRITE.LIBCMT ref: 002AA3D2
Part of subcall function 002AA3AB: __NMSG_WRITE.LIBCMT ref: 002AA3DC

__NMSG_WRITE.LIBCMT ref: 002A596A

Part of subcall function 002AA408: GetModuleFileNameW.KERNEL32(00000000,003443BA,00000104,00000000,00000001,00000000), ref: 002AA49A
Part of subcall function 002AA408: ___crtMessageBoxW.LIBCMT ref: 002AA548

Part of subcall function 002A32DF: ___crtCorExitProcess.LIBCMT ref: 002A32E5
Part of subcall function 002A32DF: ExitProcess.KERNEL32 ref: 002A32EE

Part of subcall function 002A8D68: __getptd_noexit.LIBCMT ref: 002A8D68

RtlAllocateHeap.NTDLL(017D0000,00000000,00000001), ref: 002A598F

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7fae14dc5963268489c151e5047f5a7d6f809416f239f6d48cfb07e33d83630f
Instruction ID: 529275a7753fefdcfc6afb4431d174d2a4d67267e56d851b35a3717ac27b0f21
Opcode Fuzzy Hash: 7fae14dc5963268489c151e5047f5a7d6f809416f239f6d48cfb07e33d83630f
Instruction Fuzzy Hash: 59019235231B27DFE6216B74E842B6F73989F43770F51003AF501AE181DFB49D218AA1

Function 002E9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002E97D2,?,?,?,?,?,00000004), ref: 002E9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002E9B5B
CloseHandle.KERNEL32(00000000,?,002E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002E9B62

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 0dca048a36b89108c0939ab6b5223e13340049118ddb27f78d7ea81abc37ceda
Instruction ID: c68118754dab6ebfc4f538e30ff643653781ab4bdd14921808b5abf1c8063138
Opcode Fuzzy Hash: 0dca048a36b89108c0939ab6b5223e13340049118ddb27f78d7ea81abc37ceda
Instruction Fuzzy Hash: 70E08632181314BBD7321F54EC09FDA7B1CAB05B75F104121FB14690E087B125219798

Function 002E8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002E8FA5

Part of subcall function 002A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,002A9C64), ref: 002A2FA9
Part of subcall function 002A2F95: GetLastError.KERNEL32(00000000,?,002A9C64), ref: 002A2FBB

_free.LIBCMT ref: 002E8FB6
_free.LIBCMT ref: 002E8FC8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
Instruction ID: cf7ca34e46eda282e45858ad7970ef473348eb16999389f056be085abbd22df5
Opcode Fuzzy Hash: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
Instruction Fuzzy Hash: 52E0C2A13287028FCA20A93DAD00A8317EE0F48350788080DB44DEB942CE20E8608428

Function 0028AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 002C002B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: c08e19c916a259bc4656ad5b754ec4fa849381d3b507bc3431c91b884980b12d
Instruction ID: f4c72257bafe0b902d26531cad1869204b80d06d31f1adbed331ec3b2e2157f5
Opcode Fuzzy Hash: c08e19c916a259bc4656ad5b754ec4fa849381d3b507bc3431c91b884980b12d
Instruction Fuzzy Hash: 1C226C78529201CFD725EF14C494B2AB7E0BF45300F15895EE8968B3A2DB71EDA1CF82

Function 0028492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745AC8D0.UXTHEME ref: 00284992

Part of subcall function 002A35AC: __lock.LIBCMT ref: 002A35B2
Part of subcall function 002A35AC: RtlDecodePointer.NTDLL(00000001), ref: 002A35BE
Part of subcall function 002A35AC: RtlEncodePointer.NTDLL(?), ref: 002A35C9

Part of subcall function 00284A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00284A73
Part of subcall function 00284A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00284A88

Part of subcall function 00283B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00283B7A
Part of subcall function 00283B4C: IsDebuggerPresent.KERNEL32 ref: 00283B8C
Part of subcall function 00283B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,003462F8,003462E0,?,?), ref: 00283BFD
Part of subcall function 00283B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00283C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002849D2

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 1e60a056278ab2fd9b11d2408f112f2d8a64a21e1e053fc7dc009e52ee463680
Instruction ID: ba9f0a857bffc6e6a961347a197dbe9a8455fc3450ebb8a5e9376f701e680436
Opcode Fuzzy Hash: 1e60a056278ab2fd9b11d2408f112f2d8a64a21e1e053fc7dc009e52ee463680
Instruction Fuzzy Hash: 3D11AE75925301AFC301EF69DC4691ABBF8EB96750F00491EF0458B2A1DBB0A568CF92

Function 00285DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00285981,?,?,?,?), ref: 00285E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00285981,?,?,?,?), ref: 002BE19C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8ad46e1f7254df699c689445d74133ea2760f2a6e9fae0504a8e1d4e7122acc8
Instruction ID: f38f3a84b221345ad9e2721bc70b3353067a6a3ffdda6137328bb3da18e0a975
Opcode Fuzzy Hash: 8ad46e1f7254df699c689445d74133ea2760f2a6e9fae0504a8e1d4e7122acc8
Instruction Fuzzy Hash: EA01F574251319BEF7241E28CC8AFA23B9CEF0076CF108319BAE55A1E0C6B01E598F10

Function 002A582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A585C
__lock_file.LIBCMT ref: 002A587D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 7a788a5c76a90ff658e0ce8331b78802d3189c08273ca750787685bebd961a15
Instruction ID: 7201eb573f5d9787b1540303343d62211719b4489d864f0072bbcd27954c2ed1
Opcode Fuzzy Hash: 7a788a5c76a90ff658e0ce8331b78802d3189c08273ca750787685bebd961a15
Instruction Fuzzy Hash: 9D018471C20A19EFCF22AF698C0599F7B61AF42760F144215F8145A1A1DF358A71DF91

Function 002A55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002A8D68: __getptd_noexit.LIBCMT ref: 002A8D68

__lock_file.LIBCMT ref: 002A561B

Part of subcall function 002A6E4E: __lock.LIBCMT ref: 002A6E71

__fclose_nolock.LIBCMT ref: 002A5626

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 0470be5a0fac2134245734f2a15035515c488675eb43ee594ae2467f27cdaac6
Instruction ID: 8040ddd744a5e4342196b320f78e6fd6462195bc9489db6a4e5fc4772924fffd
Opcode Fuzzy Hash: 0470be5a0fac2134245734f2a15035515c488675eb43ee594ae2467f27cdaac6
Instruction Fuzzy Hash: 69F0F031830A219BD720AF34880276F77A42F03B34F548209E410AB0C1CFBC89219F55

Function 017B12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 017B1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017B1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017B1B73

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 17d4f485e3cbe02709bfd650bfd307fb48a557be1e2bb839bed51db5958bda08
Instruction ID: 1e7d54acd452ee2bd9dec229f291ea80357773898054e67bcb0d73e5719ce92e
Opcode Fuzzy Hash: 17d4f485e3cbe02709bfd650bfd307fb48a557be1e2bb839bed51db5958bda08
Instruction Fuzzy Hash: 6112CD24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Function 00292123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6711d1c2337702ecd9bdb46bac420bc6d9e77c9d2318a58c857ae6aefe35ea9
Instruction ID: 91db9aa6c755b918a80f424a1b05f6a1c00e323f5b405a82fa5e843efee1b96b
Opcode Fuzzy Hash: c6711d1c2337702ecd9bdb46bac420bc6d9e77c9d2318a58c857ae6aefe35ea9
Instruction Fuzzy Hash: B8517C39620614AFCF14EF64C995FAE77A6AF45310F148168F806AB392DB31ED24CB51

Function 00285C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00285CF6

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: aa130f2d3c9e93f02c1618c3c1c47b5c0a5bc22befd467ce765ae19d1a8b9cf2
Instruction ID: c8257118e0476700be5901334a29f0ca84acae9c0b9c27b873ee809ad1ee2d48
Opcode Fuzzy Hash: aa130f2d3c9e93f02c1618c3c1c47b5c0a5bc22befd467ce765ae19d1a8b9cf2
Instruction Fuzzy Hash: 6B316B75A21B2AAFCB18EF2DC48469DB7B5BF48310F14862AE81993750D770BD60DF90

Function 002C00D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002C00E1

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0f295b4ab9dafa350f38345bab8668458b45d0075a01eaa38c7ee5677e336b23
Instruction ID: 7765eac815a52b73fe64d8b8232f52863a74f196588b732b73c3e60fc1acd481
Opcode Fuzzy Hash: 0f295b4ab9dafa350f38345bab8668458b45d0075a01eaa38c7ee5677e336b23
Instruction Fuzzy Hash: F9415978515351CFDB24DF14C484B1ABBE0BF45314F0989ACE8998B7A2C772E8A5CF42

Function 00285B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00285B61

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d257bf4f2f8e3f81359f0f7aca9fce2ae7e96b97642ad6a7216f5cd9268e9376
Instruction ID: b847da54071874867a2638b2177d44027c7e8c46185406fbb1239900e9c2f62f
Opcode Fuzzy Hash: d257bf4f2f8e3f81359f0f7aca9fce2ae7e96b97642ad6a7216f5cd9268e9376
Instruction Fuzzy Hash: 3121D530A30A18EBDF106F55E8C56EA7FBCFF10390F22886AE485E1051EBB094F08B45

Function 00284F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00284D13: FreeLibrary.KERNEL32(00000000,?), ref: 00284D4D

Part of subcall function 002A548B: __wfsopen.LIBCMT ref: 002A5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,003462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00284F6F

Part of subcall function 00284CC8: FreeLibrary.KERNEL32(00000000), ref: 00284D02

Part of subcall function 00284DD0: _memmove.LIBCMT ref: 00284E1A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: d276397c7c641dcc9f70f22cc98fca5ffb403d2c853e1cec391b58f47a552050
Instruction ID: 9330f3cf6a3bbfce5f1f037dab9279a6a30ee0b3bde2d593044cd1a429f00904
Opcode Fuzzy Hash: d276397c7c641dcc9f70f22cc98fca5ffb403d2c853e1cec391b58f47a552050
Instruction Fuzzy Hash: FF11E736622317ABCB11FF70CC12FAE77A99F44700F10842EF941A65D1DA759A359F90

Function 002C01AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 002C01BB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: bfe21afc9d9f73c0379fa6f7cbc2fea7c04a7980b6cd81510caf70626a9f3245
Instruction ID: 9ef5e4ce9ad3c22a20fa00ac58f52307f890b79674c6d50d93007f83758b5cb6
Opcode Fuzzy Hash: bfe21afc9d9f73c0379fa6f7cbc2fea7c04a7980b6cd81510caf70626a9f3245
Instruction Fuzzy Hash: 6D216478529342CFDB24EF14C484B1ABBE0BF88314F05896DE89A477A1CB71E865CF52

Function 00285D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00285807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00285D76

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b49dcd7cc3b6f435af0cd914255b8e88456c3472b290baa2a8f8d14e160b2db2
Instruction ID: e4b9f0282aaa05b573b33b18035f5d1cb662862376fb7c7bf3808bdd9dfb9c79
Opcode Fuzzy Hash: b49dcd7cc3b6f435af0cd914255b8e88456c3472b290baa2a8f8d14e160b2db2
Instruction Fuzzy Hash: AE116A39211B019FD3309F15C484B62B7E8EF44710F14C92EE8AA86A90D7B0F954CF60

Function 00285BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002BE141

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction ID: 4e7aebebc249e3440a9caa21fcb8f0f864d289239e7eb388ed4bd29a282a1522
Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction Fuzzy Hash: 8C01DFB8210542AFC305EB28C881D2AFBA9FF8A3143108119F819C7B02DB30EC31CBE0

Function 002A4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 002A4AD6

Part of subcall function 002A8D68: __getptd_noexit.LIBCMT ref: 002A8D68

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: d12eccf7b87255c64f7ccc1714d605b1d756c96da4e84de5ec305048e6a2de8f
Instruction ID: 76596d75c3c8bedb369d356d0468a548c650d9183a2874a30dab370ae8e8702b
Opcode Fuzzy Hash: d12eccf7b87255c64f7ccc1714d605b1d756c96da4e84de5ec305048e6a2de8f
Instruction Fuzzy Hash: ECF0A43196020A9BDF51BFB48C067DF7661AF42329F044514F414AA1D2CFB8CA70DF55

Function 00284FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,003462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00284FDE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2f65b05293d89a0f1b084858f02c13adbc81a4d8f446241ae54a688240f4c69c
Instruction ID: 18dba931309e8151574133e21caf857ea672d10f879e8fc5248de56347a2acf1
Opcode Fuzzy Hash: 2f65b05293d89a0f1b084858f02c13adbc81a4d8f446241ae54a688240f4c69c
Instruction Fuzzy Hash: B8F03075526723CFCB34BF64D494812BBE5BF253253208A3EE2D782A50C771A860DF40

Function 002A09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002A09F4

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 405afabe588e42f063d250d83386095059ac4104c7a74ecfb5d7c8c1a9057455
Instruction ID: 716264b001554177e4c95f506eca427e460ee1e6a752c27537f556ae05a2a5c6
Opcode Fuzzy Hash: 405afabe588e42f063d250d83386095059ac4104c7a74ecfb5d7c8c1a9057455
Instruction Fuzzy Hash: 93E0CD369152285BC721E6589C05FFA77EDDF887D0F0401B6FD0CD7249D960AC918A90

Function 002E9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 002E914B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: e3aafec1dac1cee82e494e92c895ec83517b7e204c3f2aeb96c92a633e60c668
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 06E092B0114B415FDB348E24D8107E373E0BB06315F00081DF29A87341EB6278918B59

Function 00285DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,002BE16B,?,?,00000000), ref: 00285DBF

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: cbaffce6294b22a21a77e30467082871f4e606ee95cae62ee664296359407d5b
Instruction ID: 51866748b981457f13660f8626b2780a6395c0d008dc9fa6c7855901c7d2d956
Opcode Fuzzy Hash: cbaffce6294b22a21a77e30467082871f4e606ee95cae62ee664296359407d5b
Instruction Fuzzy Hash: 1AD0C77464020CBFE714DB80DC46FA9777CDB05710F100195FD0456690D6B27D508795

Function 002A548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 002A5496

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4febe7c12d5e441ca253a205c99a6e270cde56f00514333712eb9f7e8574fcf8
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 15B0927684020C7BDE012E82EC02A5A3F199B45778F808020FB0C18162AA73A6B0AA89

Function 002ED2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 002ED46A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8d2fae3a084c7cad5a01e81d739400cbdc6bac275db2548673e5f66843fb6060
Instruction ID: 2e0a2f7518b2598db08708671cd19c9f09c10120140cd83246f751979cf29126
Opcode Fuzzy Hash: 8d2fae3a084c7cad5a01e81d739400cbdc6bac275db2548673e5f66843fb6060
Instruction Fuzzy Hash: 707192382653428FC714EF25C4D1A6AB7E0AF98314F58496DF8868B2E2DB30ED55CF52

Function 002A0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 002A0EF7

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6196cb629554331bbafb2ec6f0ce1ad40670a1c3e10fb309d1c6b4aa6532b4c6
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7531E270A20106DFCB18DF58C6C0969F7A6FF5A300B248AA5E409CB651DB70EDE1DBC0

Function 017B29BB Relevance: 1.3, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017B2A07

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a5be354ace2fd74823a058b84efc814aad15d7f4b5131ecd8a831a61df0f01cb
Instruction ID: 411e8bb452e7e00e53a5a00baf3d5ff99d79e02f9f2174c79e5a24c60ca8026d
Opcode Fuzzy Hash: a5be354ace2fd74823a058b84efc814aad15d7f4b5131ecd8a831a61df0f01cb
Instruction Fuzzy Hash: 0A014B75E09108EFDB00CF98C594BEDF7B0EF55304F2480AAD949AB282CB75AE05DB00

Function 017B2300 Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 017B2312

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction ID: e97053dbae5179ff969bbffc0e81fb3c61f978367d96e4b53de7502826217028
Opcode Fuzzy Hash: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction Fuzzy Hash: 7FF0C43194110EAFCF00EFA4C989AEEBBB4FF04311F504595FA1AA3181DB30AA51CBA1

Non-executed Functions

Function 0030CDAC Relevance: 70.6, APIs: 37, Strings: 3, Instructions: 637windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0030CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0030CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0030CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0030CF00
SendMessageW.USER32 ref: 0030CF29
_wcsncpy.LIBCMT ref: 0030CFA1
GetKeyState.USER32(00000011), ref: 0030CFC2
GetKeyState.USER32(00000009), ref: 0030CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0030CFE5
GetKeyState.USER32(00000010), ref: 0030CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0030D018
SendMessageW.USER32 ref: 0030D03F
SendMessageW.USER32(?,00001030,?,0030B602), ref: 0030D145
SetCapture.USER32(?), ref: 0030D177
ClientToScreen.USER32(?,?), ref: 0030D1DC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0030D203
ReleaseCapture.USER32 ref: 0030D20E
GetCursorPos.USER32(?), ref: 0030D248
ScreenToClient.USER32(?,?), ref: 0030D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0030D2B1
SendMessageW.USER32 ref: 0030D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0030D31C
SendMessageW.USER32 ref: 0030D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0030D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0030D37B
GetCursorPos.USER32(?), ref: 0030D39B
ScreenToClient.USER32(?,?), ref: 0030D3A8
GetParent.USER32(?), ref: 0030D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0030D431
SendMessageW.USER32 ref: 0030D462
ClientToScreen.USER32(?,?), ref: 0030D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0030D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0030D51A
SendMessageW.USER32 ref: 0030D53D
ClientToScreen.USER32(?,?), ref: 0030D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0030D5C3

Part of subcall function 002825DB: GetWindowLongW.USER32(?,000000EB), ref: 002825EC

GetWindowLongW.USER32(?,000000F0), ref: 0030D65F

Strings

F, xrefs: 0030D543
@GUI_DRAGID, xrefs: 0030D1AA
pr4, xrefs: 0030D1BD

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr4
API String ID: 302779176-1763515693
Opcode ID: 316e6603730915a4eac74665bf673aeff588700a676115bbf9aa31cfc9c44b84
Instruction ID: bcd56b5d67bfa6b7396b0ef9a4354b1b51650a4ebb1e99d079ac4a3944e182c3
Opcode Fuzzy Hash: 316e6603730915a4eac74665bf673aeff588700a676115bbf9aa31cfc9c44b84
Instruction Fuzzy Hash: BC42BC34206341AFC726CF68C864AAABBE9FF49314F15061DF69587AE0C731A855CB92

Function 0030804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0030873F

Strings

%d/%02d/%02d, xrefs: 00308478

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 3830462d675f047db6576f3a3847087090f263eec5741e9fecbdbacc0d845136
Instruction ID: 9002a12414bc6b202f9d94c5337199288eddf0e196cd257756e90307a8b11638
Opcode Fuzzy Hash: 3830462d675f047db6576f3a3847087090f263eec5741e9fecbdbacc0d845136
Instruction Fuzzy Hash: A212C071502208AFEB269F24CC59FAB7BB8EF45710F21416AF995EB6E1DF708941CB10

Function 0029710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002975C2
_memset.LIBCMT ref: 002976B1
_memmove.LIBCMT ref: 00297C4B
_memmove.LIBCMT ref: 00297E4F

Strings

[:<:]], xrefs: 002975F1
Oa), xrefs: 002D287E
DEFINE, xrefs: 002D25AF
[:>:]], xrefs: 0029760A
\b(?<=\w), xrefs: 002D3C41
Q\E, xrefs: 002981C1
0w3, xrefs: 002D1F5B
\b(?=\w), xrefs: 002D3C34

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w3$DEFINE$Oa)$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1624026230
Opcode ID: 32470c916cf83820182d67f6d9982e8419f9ae2ec6ec8813f0d54dd7b26350c0
Instruction ID: d698e8d9bc52e498c2bc7eda19bd52f57b0db6b49ad34e1507934c94e1d7f97c
Opcode Fuzzy Hash: 32470c916cf83820182d67f6d9982e8419f9ae2ec6ec8813f0d54dd7b26350c0
Instruction Fuzzy Hash: 41938F71A24216DBDF24CF58C881BADB7B1FF58310F25816BE955AB380E7709E91CB50

Function 00284A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00284A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002BDA8E
IsIconic.USER32(?), ref: 002BDA97
ShowWindow.USER32(?,00000009), ref: 002BDAA4
SetForegroundWindow.USER32(?), ref: 002BDAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002BDAC4
GetCurrentThreadId.KERNEL32 ref: 002BDACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 002BDAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 002BDAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 002BDAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 002BDAF8
SetForegroundWindow.USER32(?), ref: 002BDAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 002BDB10
keybd_event.USER32(00000012,00000000), ref: 002BDB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 002BDB25
keybd_event.USER32(00000012,00000000), ref: 002BDB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 002BDB33
keybd_event.USER32(00000012,00000000), ref: 002BDB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 002BDB42
keybd_event.USER32(00000012,00000000), ref: 002BDB47
SetForegroundWindow.USER32(?), ref: 002BDB4A
AttachThreadInput.USER32(?,?,00000000), ref: 002BDB71

Strings

Shell_TrayWnd, xrefs: 002BDA89

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f88a5fe5fbd93587e6d956638ca07c262dcbe16c485dc5d315cd2fcb4993384f
Instruction ID: 8584a743a79cf565aaeb9e0e972b4a041ff518328f712e3c75eac376a611b717
Opcode Fuzzy Hash: f88a5fe5fbd93587e6d956638ca07c262dcbe16c485dc5d315cd2fcb4993384f
Instruction Fuzzy Hash: 2E319671A91318BFEB316F619C49FBF7E6CEB44B90F114026FA04EA1D0D6B15D10ABA0

Function 002F425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0030F910), ref: 002F4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 002F4292
GetClipboardData.USER32(0000000D), ref: 002F429A
CloseClipboard.USER32 ref: 002F42A6
GlobalFix.KERNEL32(00000000), ref: 002F42C2
CloseClipboard.USER32 ref: 002F42CC
GlobalUnWire.KERNEL32(00000000), ref: 002F42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 002F42EE
GetClipboardData.USER32(00000001), ref: 002F42F6
GlobalFix.KERNEL32(00000000), ref: 002F4303
GlobalUnWire.KERNEL32(00000000), ref: 002F4337
CloseClipboard.USER32 ref: 002F4447

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
String ID:
API String ID: 941120096-0
Opcode ID: c49a1c5a92895a6d88bd1665afa0b938ece947fbd56a6745d05963a70d68bbc8
Instruction ID: 83d4c809f29a1ba7e6bae20ed12e5a34494522959a261a33d1a8718c3ed59ecb
Opcode Fuzzy Hash: c49a1c5a92895a6d88bd1665afa0b938ece947fbd56a6745d05963a70d68bbc8
Instruction Fuzzy Hash: 10518D3521520AAFD311FF64DC95F7FB6ACAF84B40F10053ABA56922E1DBB0D9148B62

Function 002D8858 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 002D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002D8D0D
Part of subcall function 002D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002D8D3A
Part of subcall function 002D8CC3: GetLastError.KERNEL32 ref: 002D8D47

_memset.LIBCMT ref: 002D889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002D88ED
CloseHandle.KERNEL32(?), ref: 002D88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002D8915
GetProcessWindowStation.USER32 ref: 002D892E
SetProcessWindowStation.USER32(00000000), ref: 002D8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002D8952

Part of subcall function 002D8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002D8851), ref: 002D8728
Part of subcall function 002D8713: CloseHandle.KERNEL32(?,?,002D8851), ref: 002D873A

Strings

winsta0, xrefs: 002D8910
, xrefs: 002D88AA
default, xrefs: 002D894D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: daa8927f1e395f58896405a81763e67c3e474d4452e3f2c9557049a8632b27be
Instruction ID: e6c11a92a3f460c2db7a0e1dfe33bc1aaa2d15b550837ca18f8bac38a82f52b2
Opcode Fuzzy Hash: daa8927f1e395f58896405a81763e67c3e474d4452e3f2c9557049a8632b27be
Instruction Fuzzy Hash: 1F814F7191120AAFDF22DFA4DC45AEE7B78EF04744F18416BF910A6261DB718E24DF60

Function 002EC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002EC9F8
FindClose.KERNEL32(00000000), ref: 002ECA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002ECA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002ECA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 002ECAAF
__swprintf.LIBCMT ref: 002ECAFB
__swprintf.LIBCMT ref: 002ECB3E

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

__swprintf.LIBCMT ref: 002ECB92

Part of subcall function 002A38D8: __woutput_l.LIBCMT ref: 002A3931

__swprintf.LIBCMT ref: 002ECBE0

Part of subcall function 002A38D8: __flsbuf.LIBCMT ref: 002A3953
Part of subcall function 002A38D8: __flsbuf.LIBCMT ref: 002A396B

__swprintf.LIBCMT ref: 002ECC2F
__swprintf.LIBCMT ref: 002ECC7E
__swprintf.LIBCMT ref: 002ECCCD

Strings

%4d, xrefs: 002ECB38
%02d, xrefs: 002ECB86, 002ECB90, 002ECBDE, 002ECC2D, 002ECC7C, 002ECCCB
%4d%02d%02d%02d%02d%02d, xrefs: 002ECAF5

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 4d881b52b79d56bdc31628017c229c764794604ca27eedde3af95f50dc5679c6
Instruction ID: 914d01d1176872f77b66968a7503410e306f443474ce1c1d4af9a26ef76462ca
Opcode Fuzzy Hash: 4d881b52b79d56bdc31628017c229c764794604ca27eedde3af95f50dc5679c6
Instruction Fuzzy Hash: A4A15CB5429304AFC714FFA4C886DAFB7ECBF94704F444929B58682191EB34DA58CB62

Function 002EF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002EF221
_wcscmp.LIBCMT ref: 002EF236
_wcscmp.LIBCMT ref: 002EF24D
GetFileAttributesW.KERNEL32(?), ref: 002EF25F
SetFileAttributesW.KERNEL32(?,?), ref: 002EF279
FindNextFileW.KERNEL32(00000000,?), ref: 002EF291
FindClose.KERNEL32(00000000), ref: 002EF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 002EF2B8
_wcscmp.LIBCMT ref: 002EF2DF
_wcscmp.LIBCMT ref: 002EF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 002EF308
SetCurrentDirectoryW.KERNEL32(0033A5A0), ref: 002EF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 002EF330
FindClose.KERNEL32(00000000), ref: 002EF33D
FindClose.KERNEL32(00000000), ref: 002EF34F

Strings

*.*, xrefs: 002EF2B3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 72cd8a8785404252261a0269d5e2e7cda489d9551f19fb96711cfeceaae2b839
Instruction ID: 355d15817cfde0745c3c0c0d7e3375e00d7442f10213797199ddb42e90045bae
Opcode Fuzzy Hash: 72cd8a8785404252261a0269d5e2e7cda489d9551f19fb96711cfeceaae2b839
Instruction Fuzzy Hash: 3431293654128A6FDB61DFB5DC98AEE73ACAF09320F5001B6F904D3090EB30DA55CE10

Function 00300AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00300BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0030F910,00000000,?,00000000,?,?), ref: 00300C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00300C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00300D1D
RegCloseKey.ADVAPI32(?), ref: 0030103D
RegCloseKey.ADVAPI32(00000000), ref: 0030104A

Strings

REG_DWORD, xrefs: 00300F0E
REG_MULTI_SZ, xrefs: 00300E05
REG_BINARY, xrefs: 00300FD8
REG_SZ, xrefs: 00300D5B
REG_QWORD, xrefs: 00300F8B
REG_EXPAND_SZ, xrefs: 00300CBA

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d041fd589f1ad219142c1170adf2619180a7dacdac57c7957d8fdd5feefd690a
Instruction ID: cd552c94f4cbf7564f3eb5bc126e5cf6eca760c41c918e2cae72d42c71bcf479
Opcode Fuzzy Hash: d041fd589f1ad219142c1170adf2619180a7dacdac57c7957d8fdd5feefd690a
Instruction Fuzzy Hash: 210258752116119FCB15EF24C891A2AB7E5FF89710F04885DF88A9B7A2CB30ED51CF81

Function 0030C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

DragQueryPoint.SHELL32(?,?), ref: 0030C917

Part of subcall function 0030ADF1: ClientToScreen.USER32(?,?), ref: 0030AE1A
Part of subcall function 0030ADF1: GetWindowRect.USER32(?,?), ref: 0030AE90
Part of subcall function 0030ADF1: PtInRect.USER32(?,?,0030C304), ref: 0030AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0030C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0030C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0030C9AE
_wcscat.LIBCMT ref: 0030C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0030C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0030CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0030CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0030CA47
DragFinish.SHELL32(?), ref: 0030CA4E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0030CB41

Strings

pr4, xrefs: 0030CA8B
@GUI_DRAGFILE, xrefs: 0030CAF0
@GUI_DRAGID, xrefs: 0030CAB9
@GUI_DROPID, xrefs: 0030CA6E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr4
API String ID: 2166380349-4066227453
Opcode ID: d7318144cd53680d2016878a4eb1e1e12fcd820b7e41bf769b1e8313bd471c7c
Instruction ID: 565d0223f5107923a840e09dc052b979e7711a3318f01a1e199cc1cc422c8e9d
Opcode Fuzzy Hash: d7318144cd53680d2016878a4eb1e1e12fcd820b7e41bf769b1e8313bd471c7c
Instruction Fuzzy Hash: D9616975119301AFC712EF64CC95DAFBBE8EF89710F000A2EF592961A1DB709A49CB52

Function 002EF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002EF37E
_wcscmp.LIBCMT ref: 002EF393
_wcscmp.LIBCMT ref: 002EF3AA

Part of subcall function 002E45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002E45DC

FindNextFileW.KERNEL32(00000000,?), ref: 002EF3D9
FindClose.KERNEL32(00000000), ref: 002EF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 002EF400
_wcscmp.LIBCMT ref: 002EF427
_wcscmp.LIBCMT ref: 002EF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 002EF450
SetCurrentDirectoryW.KERNEL32(0033A5A0), ref: 002EF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 002EF478
FindClose.KERNEL32(00000000), ref: 002EF485
FindClose.KERNEL32(00000000), ref: 002EF497

Strings

*.*, xrefs: 002EF3FB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 9bb116b7389e620dc3062bb4f06b785a95d438e1d1fbbd18fff85a929f33657b
Instruction ID: a6cc0394d066deade6f8c2c2b13514b69bb90d9812eca152ce38881afa357af4
Opcode Fuzzy Hash: 9bb116b7389e620dc3062bb4f06b785a95d438e1d1fbbd18fff85a929f33657b
Instruction Fuzzy Hash: 2231077655129A6FDB21EF65EC98ADE73AC9F49324F5001B5F940A30E0DB30DA64CE60

Function 0030C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0030C4EC
GetFocus.USER32 ref: 0030C4FC
GetDlgCtrlID.USER32(00000000), ref: 0030C507
_memset.LIBCMT ref: 0030C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0030C65D
GetMenuItemCount.USER32(?), ref: 0030C67D
GetMenuItemID.USER32(?,00000000), ref: 0030C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0030C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0030C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0030C744
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0030C779

Strings

0, xrefs: 0030C62A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 80f93b330f00b1e9101958e23189ebf9940287206a2e48133443e9df102a22d2
Instruction ID: 2707344b2b0bfceed4aafb853ae6354c3e67f3dd27b33b0937d8912274f79170
Opcode Fuzzy Hash: 80f93b330f00b1e9101958e23189ebf9940287206a2e48133443e9df102a22d2
Instruction Fuzzy Hash: 3981CE7421A3059FD722CF14C8A4A6BBBE8FF89714F01162EF99597291D731E805CFA2

Function 002D81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002D8766
Part of subcall function 002D874A: GetLastError.KERNEL32(?,002D822A,?,?,?), ref: 002D8770
Part of subcall function 002D874A: GetProcessHeap.KERNEL32(00000008,?,?,002D822A,?,?,?), ref: 002D877F
Part of subcall function 002D874A: RtlAllocateHeap.NTDLL(00000000,?,002D822A), ref: 002D8786
Part of subcall function 002D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002D879D

Part of subcall function 002D87E7: GetProcessHeap.KERNEL32(00000008,002D8240,00000000,00000000,?,002D8240,?), ref: 002D87F3
Part of subcall function 002D87E7: RtlAllocateHeap.NTDLL(00000000,?,002D8240), ref: 002D87FA
Part of subcall function 002D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002D8240,?), ref: 002D880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002D825B
_memset.LIBCMT ref: 002D8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002D828F
GetLengthSid.ADVAPI32(?), ref: 002D82A0
GetAce.ADVAPI32(?,00000000,?), ref: 002D82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002D82F9
GetLengthSid.ADVAPI32(?), ref: 002D8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002D8325
RtlAllocateHeap.NTDLL(00000000), ref: 002D832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002D834D
CopySid.ADVAPI32(00000000), ref: 002D8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002D8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002D83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002D83BF

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 97b5a32421c37520c08d8d4374eb96369bef5ba7c77cfd0b7efdc45c9c97d805
Instruction ID: 4072333f8cf3f6d3332c85c02215a0f170a073020b193f329ea3f099db126c49
Opcode Fuzzy Hash: 97b5a32421c37520c08d8d4374eb96369bef5ba7c77cfd0b7efdc45c9c97d805
Instruction Fuzzy Hash: 14615B7191020AAFDF11DFA4DC54AAEBBB9FF04700F04816AF915A7291DB319E25CB60

Function 00296843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

ANYCRLF), xrefs: 002D1734
LIMIT_MATCH=, xrefs: 002D15A9
CR), xrefs: 002D16C0
ata, xrefs: 002D159C
UTF), xrefs: 002D1533
UTF16), xrefs: 002D1508
BSR_ANYCRLF), xrefs: 002D1757
ANY), xrefs: 002D1717
LIMIT_RECURSION=, xrefs: 002D1635
BSR_UNICODE), xrefs: 002D1771
Oa), xrefs: 002D1888, 002D192F, 002D19DD
CRLF), xrefs: 002D16FA
UCP), xrefs: 002D1546
NO_AUTO_POSSESS), xrefs: 002D1567
NO_START_OPT), xrefs: 002D1588
LF), xrefs: 002D16DD

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa)$UCP)$UTF)$UTF16)$ata
API String ID: 0-197031660
Opcode ID: a8695231e954b93b6b3f8422ff727e5fe95a68a5b346fb16c8cdae1abb754c00
Instruction ID: a2e6c02f14ddb52a1b2b297f5f383b2c5eac9d0f9ccd703d37d01a323726d7c1
Opcode Fuzzy Hash: a8695231e954b93b6b3f8422ff727e5fe95a68a5b346fb16c8cdae1abb754c00
Instruction Fuzzy Hash: 24728075E2021A9BDF24CF58C8947AEB7F5EF48310F14816AE849EB790D7709DA1CB90

Function 00300665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00300038,?,?), ref: 003010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00300737

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003007D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0030086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00300AAD
RegCloseKey.ADVAPI32(00000000), ref: 00300ABA

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 8acb238c38558aef9ba11afec0b5e2eec41352d76129dab774b9c119dd982f0f
Instruction ID: 40679a8b91a5ee0fc74dbbdb5da9b983a27a8a9e5ff56b79d7ada0c8948115e8
Opcode Fuzzy Hash: 8acb238c38558aef9ba11afec0b5e2eec41352d76129dab774b9c119dd982f0f
Instruction Fuzzy Hash: 81E15C35215210AFCB15DF28C895E6ABBE8EF89714F04856DF48ADB2A2DB30ED11CF51

Function 002E0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002E0241
GetAsyncKeyState.USER32(000000A0), ref: 002E02C2
GetKeyState.USER32(000000A0), ref: 002E02DD
GetAsyncKeyState.USER32(000000A1), ref: 002E02F7
GetKeyState.USER32(000000A1), ref: 002E030C
GetAsyncKeyState.USER32(00000011), ref: 002E0324
GetKeyState.USER32(00000011), ref: 002E0336
GetAsyncKeyState.USER32(00000012), ref: 002E034E
GetKeyState.USER32(00000012), ref: 002E0360
GetAsyncKeyState.USER32(0000005B), ref: 002E0378
GetKeyState.USER32(0000005B), ref: 002E038A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 28de34167f1fcf9a3e23d5663a2020fe2e4c976692122348f2df42b17ad914ed
Instruction ID: be189fcaf91d9e718c0c75172084e1710f1383fab2bea4e0fe6e67ab4e9b8c61
Opcode Fuzzy Hash: 28de34167f1fcf9a3e23d5663a2020fe2e4c976692122348f2df42b17ad914ed
Instruction Fuzzy Hash: 84410E205947CB6EFF314EA288983B5BFE06F12340F8840DEDAC5465C2D7E45DE987A1

Function 00294140 Relevance: 15.1, APIs: 1, Strings: 7, Instructions: 1132COMMON

Download Yara Rule

Strings

Oa), xrefs: 00294984, 002C8173
ata, xrefs: 002945E5
VUUU, xrefs: 00294520
VUUU, xrefs: 002C7B0C
VUUU, xrefs: 002944DB
ERCP, xrefs: 0029421F
VUUU, xrefs: 002944ED

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID: ERCP$Oa)$VUUU$VUUU$VUUU$VUUU$ata
API String ID: 0-3703000377
Opcode ID: 52aeeadcb46f00027fe554d819e108c373420fd4e8b1df138b946d6cd2890da4
Instruction ID: d68355ea9aec85ed7fa439fe30051c8870a173bfad1eb0752a3e1133c8072401
Opcode Fuzzy Hash: 52aeeadcb46f00027fe554d819e108c373420fd4e8b1df138b946d6cd2890da4
Instruction Fuzzy Hash: F1A27470E2421ACBDF24DF58C990FADB7B1BF54314F1482AAD85AA7240D7709EA2CF50

Function 002F4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002F447F
EmptyClipboard.USER32 ref: 002F4485
GlobalAlloc.KERNEL32(00000002,?), ref: 002F449A
CloseClipboard.USER32 ref: 002F4539

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6c0f21baa2b838cd4e022bcee23be0f93630906e11bf2480786e4ec0fc5cfb51
Instruction ID: 66deae959d80f20600020a365440859907a30dc14b4e522ccbc35012370f05dc
Opcode Fuzzy Hash: 6c0f21baa2b838cd4e022bcee23be0f93630906e11bf2480786e4ec0fc5cfb51
Instruction Fuzzy Hash: 7121D3392122159FDB21BF60EC59B7AB7ACEF04354F148027F946DB2A1CBB1AC10CB94

Function 002E3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 002848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002848A1,?,?,002837C0,?), ref: 002848CE

Part of subcall function 002E4CD3: GetFileAttributesW.KERNEL32(?,002E3947), ref: 002E4CD4

FindFirstFileW.KERNEL32(?,?), ref: 002E3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 002E3B87
MoveFileW.KERNEL32(?,?), ref: 002E3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 002E3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 002E3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 002E3BF5

Strings

\*.*, xrefs: 002E3A8A, 002E3A93, 002E3AA8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 21838cf009470b75d369824bc74cbcb1dcb591d7b5fedc7256c2b2ca102067eb
Instruction ID: 389ee45fdb3d99cced3ba151b43290987ac38e71c8443acc775a416afe1f8bb9
Opcode Fuzzy Hash: 21838cf009470b75d369824bc74cbcb1dcb591d7b5fedc7256c2b2ca102067eb
Instruction Fuzzy Hash: E151B1358521899ACF15FBA1CD968EDB7B8AF14305FA441A9E402771D2DF30AF29CF60

Function 0030C27C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

Part of subcall function 00282344: GetCursorPos.USER32(?), ref: 00282357
Part of subcall function 00282344: ScreenToClient.USER32(003467B0,?), ref: 00282374
Part of subcall function 00282344: GetAsyncKeyState.USER32(00000001), ref: 00282399
Part of subcall function 00282344: GetAsyncKeyState.USER32(00000002), ref: 002823A7

ReleaseCapture.USER32 ref: 0030C2F0
SetWindowTextW.USER32(?,00000000), ref: 0030C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0030C3AD
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 0030C48F

Strings

@GUI_DRAGFILE, xrefs: 0030C424
pr4, xrefs: 0030C3FD
@GUI_DROPID, xrefs: 0030C3E1
pr4, xrefs: 0030C438

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr4$pr4
API String ID: 973565025-3142934028
Opcode ID: 467e301bbdf38c55d049f0625573f0d7817a9b5e20c157c7e34579482f6011e2
Instruction ID: fa39307e95cc7f6c35b3a2a3df90cf7623e15c2dc9aafb31c74278cddbfe59f2
Opcode Fuzzy Hash: 467e301bbdf38c55d049f0625573f0d7817a9b5e20c157c7e34579482f6011e2
Instruction Fuzzy Hash: A751BF78215304AFD716EF14CCA6FAA7BE4FB89310F00462DF5918B2E1CB70A958CB52

Function 002EF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 002EF6AB
Sleep.KERNEL32(0000000A), ref: 002EF6DB
_wcscmp.LIBCMT ref: 002EF6EF
_wcscmp.LIBCMT ref: 002EF70A
FindNextFileW.KERNEL32(?,?), ref: 002EF7A8
FindClose.KERNEL32(00000000), ref: 002EF7BE

Strings

*.*, xrefs: 002EF690

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 1958886239cc2715a4d4f647343e6ad59988a33537361b0a726ca99ddec556cf
Instruction ID: b74e7febb729f7552892438460827c709995ed9f211d8357d80ddaeb177a0f94
Opcode Fuzzy Hash: 1958886239cc2715a4d4f647343e6ad59988a33537361b0a726ca99ddec556cf
Instruction Fuzzy Hash: 1541D27596120A9FCF51EF64CD99AEEBBB8FF05310F504566E814A31A0DB309E64CF90

Function 0030D74C Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

GetSystemMetrics.USER32(0000000F), ref: 0030D78A
GetSystemMetrics.USER32(0000000F), ref: 0030D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0030D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0030DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0030DA24
ShowWindow.USER32(00000003,00000000), ref: 0030DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0030DA68
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0030DA8B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: 729b0ee537830d62e92e7975248f940596905f2773fdc53284e2f37b17898c8e
Instruction ID: 7281dc7414dc2f1f51d11f6608db37064496d38ce85b4975ebeff67c96083702
Opcode Fuzzy Hash: 729b0ee537830d62e92e7975248f940596905f2773fdc53284e2f37b17898c8e
Instruction Fuzzy Hash: 16B19935601229EFDF16CFA8C9A57BE7BF5BF44700F098069EC489B695D730A950CB50

Function 002958C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00295A05
_memmove.LIBCMT ref: 00295A55
_memmove.LIBCMT ref: 00295ABB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fef3216d1156cb70cbed909f69b35e40e7ad59ef968bd5bd63bed7dba875b9d2
Instruction ID: 657bc4923331953e805c1b9930602fbc3a4ae9affaf720b6a66515a51fa57310
Opcode Fuzzy Hash: fef3216d1156cb70cbed909f69b35e40e7ad59ef968bd5bd63bed7dba875b9d2
Instruction Fuzzy Hash: 22128B70A20619DFDF14DFA5D981AAEB7F5FF48300F10452AE806E72A1EB35AD21CB50

Function 00295680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 002A0FF6: std::exception::exception.LIBCMT ref: 002A102C
Part of subcall function 002A0FF6: __CxxThrowException@8.LIBCMT ref: 002A1041

_memmove.LIBCMT ref: 002D062F
_memmove.LIBCMT ref: 002D0744
_memmove.LIBCMT ref: 002D07EB

Strings

yZ), xrefs: 002D0881, 002D07FF

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ)
API String ID: 1300846289-2793908095
Opcode ID: 3da762c6506ddd79a2bac895c9d849c204c4ecaf156c2d2357ec57d73343bab1
Instruction ID: 9cf48f8f03d673e18e5876402c22b694e8b6eb12c251532ed0a616ead7fe59b9
Opcode Fuzzy Hash: 3da762c6506ddd79a2bac895c9d849c204c4ecaf156c2d2357ec57d73343bab1
Instruction Fuzzy Hash: FD025E70A20215DBDF05DF64D981AAEBBB5FF44300F14806AE806DB3A5EB35DE61CB91

Function 002E545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002D8D0D
Part of subcall function 002D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002D8D3A
Part of subcall function 002D8CC3: GetLastError.KERNEL32 ref: 002D8D47

ExitWindowsEx.USER32(?,00000000), ref: 002E549B

Strings

, xrefs: 002E5489
SeShutdownPrivilege, xrefs: 002E546B
@, xrefs: 002E548E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 888184a3f6542a2c88f755d61a6471690f34df0fa0c732935938d8eb58ad1d58
Instruction ID: f64877f60dd58431ed1989a4da8633244bec61e86ad7bf17356cec26a4b94fba
Opcode Fuzzy Hash: 888184a3f6542a2c88f755d61a6471690f34df0fa0c732935938d8eb58ad1d58
Instruction Fuzzy Hash: EE0147316F5A666EF7385E76DC4ABBA725CEB01757FA00122FC06D20D3DA900CA082A0

Function 00293190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa), xrefs: 00293482

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa)
API String ID: 674341424-3134443877
Opcode ID: 4e65e0113d2f37a6ceee641e1eb9504ade974fd2ba182843da665758d9f02d40
Instruction ID: 22919f6b6c2ec98da894aade5a782f0351c0c13545dfe6741bde8631ac52d2e1
Opcode Fuzzy Hash: 4e65e0113d2f37a6ceee641e1eb9504ade974fd2ba182843da665758d9f02d40
Instruction Fuzzy Hash: 88228C715283019FCB24EF24C881B6FB7E4AF88714F14491DF89A97291DB71EA64CF92

Function 002F6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 002F65EF
WSAGetLastError.WS2_32(00000000), ref: 002F65FE
bind.WS2_32(00000000,?,00000010), ref: 002F661A
listen.WS2_32(00000000,00000005), ref: 002F6629
WSAGetLastError.WS2_32(00000000), ref: 002F6643
closesocket.WS2_32(00000000), ref: 002F6657

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6e07730de4fafae0c7bef6f56c2978e7a249937e196db99648d834de0f3a41ed
Instruction ID: a7b0c3059da7f478dfb353f7a75c5bce72a348bc85517330fcbbef7900d1b6f4
Opcode Fuzzy Hash: 6e07730de4fafae0c7bef6f56c2978e7a249937e196db99648d834de0f3a41ed
Instruction Fuzzy Hash: 5821CC342102099FCB10EF64C889B7EF7ADEF48760F14816AEA56E73D1CB70AD518B51

Function 00281287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 002819FA
GetSysColor.USER32(0000000F), ref: 00281A4E
SetBkColor.GDI32(?,00000000), ref: 00281A61

Part of subcall function 00281290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 002812D8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: c4c94ea3b665fb87d45562096bdfcc2d396443a30653747d9105d329edbfd672
Instruction ID: b132f2c49d408e2a0b7779011047fa8afb2e1d826ee6314510b36ac62b909a6e
Opcode Fuzzy Hash: c4c94ea3b665fb87d45562096bdfcc2d396443a30653747d9105d329edbfd672
Instruction Fuzzy Hash: 0AA12479133556BEE62EBF28CC59DBB299CDB46385B14021AF402DA1D2CA949C33D372

Function 002F6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002F80A0: inet_addr.WS2_32(00000000), ref: 002F80CB

socket.WS2_32(00000002,00000002,00000011), ref: 002F6AB1
WSAGetLastError.WS2_32(00000000), ref: 002F6ADA
bind.WS2_32(00000000,?,00000010), ref: 002F6B13
WSAGetLastError.WS2_32(00000000), ref: 002F6B20
closesocket.WS2_32(00000000), ref: 002F6B34

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c680a4e8f173988ecb9b6faeca87ef3d4455ccd1e2dba6e0a8b7cf08e3800cff
Instruction ID: 78289c4b1c7c3f5ec759b5326edfbf8681294d7cd24aec0fd1671dd7eaeb7fa1
Opcode Fuzzy Hash: c680a4e8f173988ecb9b6faeca87ef3d4455ccd1e2dba6e0a8b7cf08e3800cff
Instruction Fuzzy Hash: 0441E639711214AFEB10BF64DC86F7EB7A8DB04710F44805DFA5AAB3C2DA705D218B91

Function 003055FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0030564C
IsWindowEnabled.USER32 ref: 0030565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00305667
IsIconic.USER32 ref: 00305675
IsZoomed.USER32 ref: 00305683

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 93d5313eff818c4d4a41259bae4a99a07690119c11da081e4e7c58d26a1abf7f
Instruction ID: 9a44846a68827eb21bbd9f834d6555c9bdfe1eb58036a506117f88b61aa00090
Opcode Fuzzy Hash: 93d5313eff818c4d4a41259bae4a99a07690119c11da081e4e7c58d26a1abf7f
Instruction Fuzzy Hash: 0D11B2313039186FE7236F26DC64A2BB79CEF44721F455429E806D7281CB3299018EA5

Function 002FF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002FF151
Process32FirstW.KERNEL32(00000000,?), ref: 002FF15F

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Process32NextW.KERNEL32(00000000,?), ref: 002FF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 002FF22E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 0f21c624316df870bcdeeb8264365649046cd4fc4c2cac53e269d10ebb9f5a76
Instruction ID: 761f0f0038be0e68462b154b4c20d71b614dc22d289c073d1043e47405930693
Opcode Fuzzy Hash: 0f21c624316df870bcdeeb8264365649046cd4fc4c2cac53e269d10ebb9f5a76
Instruction Fuzzy Hash: 06519C755153119FD314EF20CC81A6BB7E8BF94740F14482DF596832A2EB70E918CB92

Function 0030C788 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

GetCursorPos.USER32(?), ref: 0030C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002BBBFB,?,?,?,?,?), ref: 0030C7D7
GetCursorPos.USER32(?), ref: 0030C824
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,002BBBFB,?,?,?), ref: 0030C85E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: fde5e52a849bc7f51f2fb1d1a4a51611a67e1cd253aac172383fdb009bcb21a4
Instruction ID: 35d5f33ed237d048296bbd2a0de5cd97e855749a07e02066635204a5b1fba74a
Opcode Fuzzy Hash: fde5e52a849bc7f51f2fb1d1a4a51611a67e1cd253aac172383fdb009bcb21a4
Instruction Fuzzy Hash: CF319635511018EFCB26CF58CCA8EEA7BB9EB4A710F044169F9058B6A1D7316D50DF64

Function 00281290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 002812D8
GetClientRect.USER32(?,?), ref: 002BB84B
GetCursorPos.USER32(?), ref: 002BB855
ScreenToClient.USER32(?,?), ref: 002BB860

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: f21ce104d5b3342daec5922a0401f2477b4da832817e0bcf9f34985c85334b84
Instruction ID: c6e6937fbfcef8c3821116c75f8be212b29b6189d56b4949a89bc9ac17d2fa05
Opcode Fuzzy Hash: f21ce104d5b3342daec5922a0401f2477b4da832817e0bcf9f34985c85334b84
Instruction Fuzzy Hash: BC113A39912129AFDB11EF94DC859EE77BCEB06311F000456F901E7191D730BA628BA5

Function 002DEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 002DEB19

Strings

(, xrefs: 002DEB5F
|, xrefs: 002DEB49

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: a4fe38f3cd96de5f11ee7dc05fd5b481aad352fe57c6c1a506e5d97bcd058b10
Instruction ID: 1d871d379bf972339b9f68e99e10a4b4089569000d85e95b3aec992a2745bead
Opcode Fuzzy Hash: a4fe38f3cd96de5f11ee7dc05fd5b481aad352fe57c6c1a506e5d97bcd058b10
Instruction Fuzzy Hash: 0C324674A147059FCB28DF19C481A6AB7F0FF48320B12C46EE89ADB7A1DB70E951CB44

Function 002F25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 002F26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002F270C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: fbd59bb1793ab194ca13692e4fb6f77766ff56d3e9494e5e522a09257832438d
Instruction ID: 6122c84d0e0b4fffa31e18219cd17cec032bdefdc3992822a6c7541ae8e537f5
Opcode Fuzzy Hash: fbd59bb1793ab194ca13692e4fb6f77766ff56d3e9494e5e522a09257832438d
Instruction Fuzzy Hash: 9141D47152020EFFEB21DE54CC85EBBF7ACEB42794F10407AF701E6140EAB19D699A50

Function 002EB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002EB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002EB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 002EB655

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 55d311d79a22d6847162bb5a61fb404ccc56310980e93f608e301bc5a410d4c6
Instruction ID: 3e986ef794e8a8fc32a2c1a9228168c5dc3513a639fcb0a181530e85590256ae
Opcode Fuzzy Hash: 55d311d79a22d6847162bb5a61fb404ccc56310980e93f608e301bc5a410d4c6
Instruction Fuzzy Hash: 53216035A11518EFCB00EFA5D884AAEBBB8FF48310F1480AAE905AB351DB319955CF51

Function 002D8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 002A0FF6: std::exception::exception.LIBCMT ref: 002A102C
Part of subcall function 002A0FF6: __CxxThrowException@8.LIBCMT ref: 002A1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002D8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002D8D3A
GetLastError.KERNEL32 ref: 002D8D47

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 76c5298fcb9c85780ba8b20df3f8eb1aa8fd3b64117727900762df59ecd9679e
Instruction ID: fc7f0123ec042de409626754a5cf522e56192051db2b228e69e61c5ae7c0ff0d
Opcode Fuzzy Hash: 76c5298fcb9c85780ba8b20df3f8eb1aa8fd3b64117727900762df59ecd9679e
Instruction Fuzzy Hash: 771191B1424209AFE728DF64DC85D6BB7BDFB44710B20852FF45693681EF70BC508A60

Function 002E4021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002E404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 002E4088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002E4091

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6e2efda11da81e34ec7594abf4be0c48f253a41e7accc27f0ec201acf163f75d
Instruction ID: 67b3a167a89e11a214347f623ec44e389242404579434abca6e06ef74107b817
Opcode Fuzzy Hash: 6e2efda11da81e34ec7594abf4be0c48f253a41e7accc27f0ec201acf163f75d
Instruction Fuzzy Hash: 5411C2B1D50229BEE720EBE9DC04FBFBBBCEB08750F400666BA04E7190C2B45D1087A1

Function 002E4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002E4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002E4C43
FreeSid.ADVAPI32(?), ref: 002E4C53

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: eb01a364a3ed236943854161ed26d93f1883eb6e8661fd8cfb7abaa07cb756e8
Instruction ID: adebd09815a31a678bf1e7eb1ea7e98e1f70ffd758ed05ea3797e77259c21fb1
Opcode Fuzzy Hash: eb01a364a3ed236943854161ed26d93f1883eb6e8661fd8cfb7abaa07cb756e8
Instruction Fuzzy Hash: 9AF04975A5230DBFDF04DFF0DC99ABEBBBCEF08301F5044AAA901E2581E6746A048B50

Function 002E8B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 002E8B25

Part of subcall function 002A543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002E91F8,00000000,?,?,?,?,002E93A9,00000000,?), ref: 002A5443
Part of subcall function 002A543A: __aulldiv.LIBCMT ref: 002A5463

Strings

0u4, xrefs: 002E8B1C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u4
API String ID: 2893107130-2832614788
Opcode ID: 03737a6670cbb524fafdbccdf6c3cb5e27774f68a5a532b0af85cd5ba8471763
Instruction ID: a22b82c5c97e3d24c5b43094ac757d7a302af37f0dffc8f833168d0dfaf482c5
Opcode Fuzzy Hash: 03737a6670cbb524fafdbccdf6c3cb5e27774f68a5a532b0af85cd5ba8471763
Instruction Fuzzy Hash: CA21E4766356108FC32ACF25D441A52B3E5EBA6321F688E6CD0E9CF2D0CE74B945CB94

Function 0028E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4699a6494cbba53ac2f47b0d16cd15062083feefbe242eb1db0657bc0468576
Instruction ID: 6fbb05ba56ce9aea22f9e78b036d82b6b65532f3ee502684848c7b46ea1cf1d5
Opcode Fuzzy Hash: e4699a6494cbba53ac2f47b0d16cd15062083feefbe242eb1db0657bc0468576
Instruction Fuzzy Hash: 8922AD78A21216CFDF24EF54C480ABEB7B0FF05300F158569E856AB381E774ADA1CB91

Function 002816DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

Part of subcall function 002825DB: GetWindowLongW.USER32(?,000000EB), ref: 002825EC

GetParent.USER32(?), ref: 002BBA0A
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,002819B3,?,?,?,00000006,?), ref: 002BBA84

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: b1a16eedf25568bd2bedb55cc592391671da7fc55331ef21cb0e235518ffe0f8
Instruction ID: d153de2b9005c0f2ff698ed1bfd4851f0f633a1816f5fee4a326c9b0e3e895c3
Opcode Fuzzy Hash: b1a16eedf25568bd2bedb55cc592391671da7fc55331ef21cb0e235518ffe0f8
Instruction Fuzzy Hash: ED21F838612105AFCB229F28CC85DE93BDAEF0A360F584268F5155B2F1C7716D32DB51

Function 002EC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002EC966
FindClose.KERNEL32(00000000), ref: 002EC996

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 80950c6b7db1553ce121fdf280b9b14b2859affe4aa80af757c174d2bb55b102
Instruction ID: ee88fa0fc6b059bb0b978218a0057c83605e1e544e463e7aef926ac454cc96ce
Opcode Fuzzy Hash: 80950c6b7db1553ce121fdf280b9b14b2859affe4aa80af757c174d2bb55b102
Instruction Fuzzy Hash: 1C118E366202009FD710EF69C845A3AF7E9EF84324F14891EF8AAD7291DB30AC11CF81

Function 0030C86D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,002BBB8A,?,?,?), ref: 0030C8E1

Part of subcall function 002825DB: GetWindowLongW.USER32(?,000000EB), ref: 002825EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0030C8C7

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 55b67c0847460c2e7801e7225e554362031e3ee15a9bea63a0f24cdf66debe8e
Instruction ID: eda253a549825448fccb24a61eabffc7e49d5c87e62a64dd8414f3d74fb84afe
Opcode Fuzzy Hash: 55b67c0847460c2e7801e7225e554362031e3ee15a9bea63a0f24cdf66debe8e
Instruction Fuzzy Hash: A301D835202214AFCB23AF14DC65F663BAAFF86324F144129F9510B6E0CB316812EB92

Function 0030CC2E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0030CC51
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,002BBC66,?,?,?,?,?), ref: 0030CC7A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 28e4d8d135a0dcaa8309d89c7affd0a3cb37c963f2c913de2f0d528250f39f1b
Instruction ID: 0f06114327a08b3913d77fbafae7d1e5ed42d4b02f7eaf36463599bc801257fb
Opcode Fuzzy Hash: 28e4d8d135a0dcaa8309d89c7affd0a3cb37c963f2c913de2f0d528250f39f1b
Instruction Fuzzy Hash: 60F09A3240021CFFEF16CF85DC09AAE7BBCFB08311F00416AF801A2160C3716A20EBA0

Function 002EA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,002F977D,?,0030FB84,?), ref: 002EA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,002F977D,?,0030FB84,?), ref: 002EA314

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 05f7e9f527a504dcfa7f5388ca544baa4ead4ecc7cd976e49c7321539b3c7b6a
Instruction ID: 0516b000e02cd2dfff9ca68db19df67e22e370dd62e9d4fcd2c34a2142079032
Opcode Fuzzy Hash: 05f7e9f527a504dcfa7f5388ca544baa4ead4ecc7cd976e49c7321539b3c7b6a
Instruction Fuzzy Hash: 58F0E23555522DABDB21AFA4CC49FEA736CBF08361F0081A6B908D2180D630A910CBA1

Function 0030CD6C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0030CD74
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,002BBBE5,?,?,?,?), ref: 0030CDA2

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 33bb9fa3effae780517bdc0cbabe30a9ccfd08216c9b76aade8f2f5ca9cfe676
Instruction ID: e124636ff8d926d8cfd32007294442152abd6d73ca2421a2b5eb201a591bbf87
Opcode Fuzzy Hash: 33bb9fa3effae780517bdc0cbabe30a9ccfd08216c9b76aade8f2f5ca9cfe676
Instruction Fuzzy Hash: 71E08670100258BFEB269F19DC29FBA3B58EB05750F408226F956D94E1C771D850D760

Function 002D8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002D8851), ref: 002D8728
CloseHandle.KERNEL32(?,?,002D8851), ref: 002D873A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: fa51010838eea197a9571aa29872e0d156935445741544b8b01974162991c71b
Instruction ID: 2eb20b9bb03850217328a0b0b2b5caa1f2d534ab93fcaae81e6822af34f8b90f
Opcode Fuzzy Hash: fa51010838eea197a9571aa29872e0d156935445741544b8b01974162991c71b
Instruction Fuzzy Hash: EDE0BF75011611EFE7362B60EC05D7777ADEB04760B15842AB8A680470DB615CA0DB10

Function 002AA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00314178,002A8F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 002AA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002AA3A3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 85678bc0601788ebf099a3c7fb518441d47632fabd5c91c36303bfe1d9aec77b
Instruction ID: 4f74bdc27aa0ac847b3d69e9ddad2e98348717d29b1b8a59a2a42b82ccfa2bb2
Opcode Fuzzy Hash: 85678bc0601788ebf099a3c7fb518441d47632fabd5c91c36303bfe1d9aec77b
Instruction Fuzzy Hash: EEB09235059208AFCA122B91EC19B883F6CEB45BB2F4040A2F60D84860CB6254508A91

Function 002AF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f44287c0eff9c2b195b7f6c8aecc63975be99ae9d17229cadd1dba2534ea06
Instruction ID: dcca67bb33e0bb52bccfaeff33efc07315bc29cfef76d3dcb2f380636eba8ec6
Opcode Fuzzy Hash: 53f44287c0eff9c2b195b7f6c8aecc63975be99ae9d17229cadd1dba2534ea06
Instruction Fuzzy Hash: EF320222D79F014ED7639A34D932365A25DAFBB3D4F15D737E81AB5AA6EF2884830100

Function 002B267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4031a18808742c570fcedf001053595bbb4387689daedc83ffbf20880ff3c590
Instruction ID: 6b2e8b1945dc077f518df1bba2a6fffe15f93e27bc2d890aefbbdd3c7c96f01f
Opcode Fuzzy Hash: 4031a18808742c570fcedf001053595bbb4387689daedc83ffbf20880ff3c590
Instruction Fuzzy Hash: B5B1DE20E2AF514DD62396398831336FA5CAFBB3D6F91D71BFC2674E62EB2185834141

Function 0030D6C6 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 002825DB: GetWindowLongW.USER32(?,000000EB), ref: 002825EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,002BBBA2,?,?,?,?,00000000,?), ref: 0030D740

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 44dea51d9a3e9e1e0aa1b4be8fdfcbbd0f106e3c0576018490a59009e7adb22d
Instruction ID: 47ca0538af206f2f887fae68ffbb4f165b7a5b6632ceb44d820da2e8f79b7399
Opcode Fuzzy Hash: 44dea51d9a3e9e1e0aa1b4be8fdfcbbd0f106e3c0576018490a59009e7adb22d
Instruction Fuzzy Hash: 76012839601118AFDB169F6DD8A5AFA3BD5EF42724F050125F9561B1D1C331BC21D7A0

Function 0030C220 Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

Part of subcall function 00282344: GetCursorPos.USER32(?), ref: 00282357
Part of subcall function 00282344: ScreenToClient.USER32(003467B0,?), ref: 00282374
Part of subcall function 00282344: GetAsyncKeyState.USER32(00000001), ref: 00282399
Part of subcall function 00282344: GetAsyncKeyState.USER32(00000002), ref: 002823A7

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,002BBC4F,?,?,?,?,?,00000001,?), ref: 0030C272

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 2270a23c6a393650eaf8cc8854b9d7e778718367f0e31870e75ef1353807f475
Instruction ID: 84c18a7a002481ec5dec49bb7b9a024d05f50c329ef2b276a32476cb3d89afd8
Opcode Fuzzy Hash: 2270a23c6a393650eaf8cc8854b9d7e778718367f0e31870e75ef1353807f475
Instruction Fuzzy Hash: 3CF0E234200228EFCF05AF48CC16EAA3B99EB05710F004015F9465B2D1CB71A820EFE0

Function 0028189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00281B04,?,?,?,?,?), ref: 002818E2

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 12aece33baaa7ad57f02f2e4c094396c5b11e2e308d100b070aa95966dd31768
Instruction ID: 2689d4062cc0675f4c17b1787da615f1b3b2b4727795a36caa8f9b074ace3fad
Opcode Fuzzy Hash: 12aece33baaa7ad57f02f2e4c094396c5b11e2e308d100b070aa95966dd31768
Instruction Fuzzy Hash: 7FF0BE386112299FEB19EF04C8529663BEAEB02310F004529F8524F2E1DB31E870DB50

Function 002F41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 002F4218

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 78ae446247d1f459463b03c3b42b0ff801c16e1044d19ad1bb8fd9f79d34b90f
Instruction ID: 425fa5a31d1ad1ef7da2692d6784b3eacc600ae2c0fa036d527dcabfac90d627
Opcode Fuzzy Hash: 78ae446247d1f459463b03c3b42b0ff801c16e1044d19ad1bb8fd9f79d34b90f
Instruction Fuzzy Hash: 2DE012352601185FD710AF59D844A6AF7D8AF947A0F048026FD49D7351DAB1A8508B90

Function 0030CBAE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0030CBEE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: c8943e46c5c13cd07eb5a178678b4c840568593f7bb58d89022a09b118f1d7c8
Instruction ID: cdcf0d36e15cc06276e91d4aa57552cdaae47496d5f621f45114fec2fbe81b60
Opcode Fuzzy Hash: c8943e46c5c13cd07eb5a178678b4c840568593f7bb58d89022a09b118f1d7c8
Instruction Fuzzy Hash: 9EF09235241259BFDB22DF58DC16FC63B99EB0A720F044059FA112B2E2CF707820D7A1

Function 002E4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 002E4F18

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: fcaf96b28933c953f55a696ddc9c6f03978c172e10e1a1b4892b7316112467a6
Instruction ID: 4190c5f209a8e20c42807ea8622ade46440005948bf86b475d818eddf7cd8768
Opcode Fuzzy Hash: fcaf96b28933c953f55a696ddc9c6f03978c172e10e1a1b4892b7316112467a6
Instruction Fuzzy Hash: 23D09EB41F86867DFC286F22AC1FF761109E391F91FD45989720195DC298E5B870A435

Function 002D8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002D88D1), ref: 002D8CB3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 7a49aff4d23ee552eb6e55bbc9dbf2b9bff01d8d4fefc35e1eb9666dcb037132
Instruction ID: 8f643d92b5102c45e8898d03851b5a439849037fd500699d569cfff3b1e64bd2
Opcode Fuzzy Hash: 7a49aff4d23ee552eb6e55bbc9dbf2b9bff01d8d4fefc35e1eb9666dcb037132
Instruction Fuzzy Hash: 47D05E3226050EAFEF018EA4DC01EBF3B69EB04B01F408111FE15C50A1C775D835AB60

Function 0030CBF9 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,002BBC0C,?,?,?,?,?,?), ref: 0030CC24

Part of subcall function 0030B8EF: _memset.LIBCMT ref: 0030B8FE
Part of subcall function 0030B8EF: _memset.LIBCMT ref: 0030B90D
Part of subcall function 0030B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00347F20,00347F64), ref: 0030B93C
Part of subcall function 0030B8EF: CloseHandle.KERNEL32 ref: 0030B94E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: b252d22d7d292d9aa5838bc81627dcc0740d91f037f2f22dccf00a52fb007750
Instruction ID: 5cab42422d0c97965ae2653a92e40b6603bdc29112be655dcbf41767c7a71af4
Opcode Fuzzy Hash: b252d22d7d292d9aa5838bc81627dcc0740d91f037f2f22dccf00a52fb007750
Instruction Fuzzy Hash: 80E04635110208DFDB02EF08DD21E8537A9FB0D300F018011FA051B2B2CB31A961EF51

Function 0028167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00281AEE,?,?,?), ref: 002816AB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: d8a2ea92f51720bc4e22c78e625aed68f9d27bf2527519b9fbae3335151be35f
Instruction ID: 22e7cc8cfb3ec4c3d090326a429bea15deca199846e85de735fb35dadd273dea
Opcode Fuzzy Hash: d8a2ea92f51720bc4e22c78e625aed68f9d27bf2527519b9fbae3335151be35f
Instruction Fuzzy Hash: 7AE0EC39500218FBCF16AF90DC22E643B2AFB4A714F108459FA451E2A1CE32A522DB51

Function 0030CB7F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0030CBA4

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: a7364a26dae51dd2783e09ce7997b17743f5bcdbb2e495256ad89b1980de4422
Instruction ID: 5239ddc71ca0808fe24e555c55fb8bbbd1ea1fa39891283466f4866f49720878
Opcode Fuzzy Hash: a7364a26dae51dd2783e09ce7997b17743f5bcdbb2e495256ad89b1980de4422
Instruction Fuzzy Hash: 4AE0427924024DEFDB02DF88D955DD63BA9AB1E700F014055FA155B262CB71A860EBA2

Function 0030CB50 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0030CB75

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 0bee3cce5c6c66127d8d6fae46b95da73b7c20d339e0575a000dd8803be3587a
Instruction ID: 2b71a298a1c9699f010a0dccbf84d2ab3973f28e0ac77fde64e5f698f4aa589f
Opcode Fuzzy Hash: 0bee3cce5c6c66127d8d6fae46b95da73b7c20d339e0575a000dd8803be3587a
Instruction Fuzzy Hash: D7E0427924424DAFDB02DF88DC95E963BA9AB1E700F014055FA155B262CB71A820EB62

Function 002816B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

Part of subcall function 0028201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002820D3
Part of subcall function 0028201B: KillTimer.USER32(-00000001,?,?,?,?,002816CB,00000000,?,?,00281AE2,?,?), ref: 0028216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00281AE2,?,?), ref: 002816D4

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: c0d2f55b37991aedaaa26594d3b8f6684a2a24053d092444badddb37a859a87e
Instruction ID: 07bc06e0719bdf15231135b878ebb9fad616cc29e92bb92e8d3918fed79e5d38
Opcode Fuzzy Hash: c0d2f55b37991aedaaa26594d3b8f6684a2a24053d092444badddb37a859a87e
Instruction Fuzzy Hash: DDD01274141328BBDA217F50DC17F493E1D9B15B50F408021BA04691D3DA716820AA59

Function 002C2230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 002C2242

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 52229e8361fe5bab24ef7aacfd9a5df3b67eefc5d4093718225f3a8ace1d095c
Instruction ID: b77ec06501355694a2cdf05af4346d3f5bf739dafaaa7353991b3f78b9691c04
Opcode Fuzzy Hash: 52229e8361fe5bab24ef7aacfd9a5df3b67eefc5d4093718225f3a8ace1d095c
Instruction Fuzzy Hash: 64C04CF1C11109DBDB15DB90DA98DEF77BCAB04304F104156A101F2141D7749B548E71

Function 002AA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 002AA36A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 313b5ebc22cb762747e42d05c8190a166402a679240e6363ac7bc6cc3e5795fd
Instruction ID: a0cad361b4280d83ee91a824bceb959544008486ad315264bc67242690d3cb2a
Opcode Fuzzy Hash: 313b5ebc22cb762747e42d05c8190a166402a679240e6363ac7bc6cc3e5795fd
Instruction Fuzzy Hash: 02A0123000410CABCA011B41EC044447F5CD6002A0B004061F40C40421873254104580

Function 00298A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120810ed506995833f866f06b338a51237a752ba39302447eec58a43daaaf70e
Instruction ID: 0f53dcd524cc6165b601229bcff8639d09069149cd82b48a85d0031bff6daccb
Opcode Fuzzy Hash: 120810ed506995833f866f06b338a51237a752ba39302447eec58a43daaaf70e
Instruction Fuzzy Hash: B022F5309356278BDF2C8F28C49467DB7A1EB02304F6C446BD946DB291DBB4DDA1DB60

Function 002A2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 70c29d664e399f44d31b5aafa9f0a64c8fb163ee04329ad6f7ae7a5d707191b2
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 0FC182322251A34BDB6D8A3D943413EFBE15AA37B131A075DE4B2CB9C4EF20D578D620

Function 002A283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 8881919d5a341054e86d88891a6f70d92c85f88ce24332b7583ae2d2566c3c47
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 96C193322251A34FDF6D4A3D843413EBBE15AA37B131A0B6DE4B2DB5D5EF20D5389620

Function 017B3730 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 97a477bb122760b1d1a89c0f3ed2ccdcff9d7d2ed209e4e3415cea9ddcd8f0b5
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 1D41C2B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Function 017B35C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: f7eb90d4c1b29bb8e6154493e6d2c8d85b85ff8193d9519bff5be59e7bd8681c
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 37019278A01109EFCB44DF98C5909AEF7B5FF48310F208599E809A7301E734AE81DB80

Function 017B3620 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: e09684a1576a4a8e5c5e36750275218d23a2a27a688c60e045c318e96ad065ba
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 87019278A01109EFCB45DF98C5909AEF7B5FB48314F208699E809A7301E734AE81DB80

Function 017B1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069036950.00000000017B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_17b0000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 003037F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0030F910), ref: 003038AF
IsWindowVisible.USER32(?), ref: 003038D3

Strings

GETLINECOUNT, xrefs: 00303B4E
UNCHECK, xrefs: 00303B0B
ISVISIBLE, xrefs: 003038BF
SHOWDROPDOWN, xrefs: 00303968
ADDSTRING, xrefs: 0030399E
ISCHECKED, xrefs: 00303AC1
CURRENTTAB, xrefs: 00303945
SENDCOMMANDID, xrefs: 00303C62
GETSELECTED, xrefs: 00303B2B
TABLEFT, xrefs: 0030390F
ISENABLED, xrefs: 003038F3
FINDSTRING, xrefs: 003039FE
GETLINE, xrefs: 00303C23
HIDEDROPDOWN, xrefs: 00303988
EDITPASTE, xrefs: 00303BE7
TABRIGHT, xrefs: 00303925
DELSTRING, xrefs: 003039D1
SETCURRENTSELECTION, xrefs: 00303A3E
GETCURRENTCOL, xrefs: 00303BB0
GETCURRENTLINE, xrefs: 00303B75
GETCURRENTSELECTION, xrefs: 00303A6B
CHECK, xrefs: 00303AF5
SELECTSTRING, xrefs: 00303A8E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 2b139b2f97c8c3776aec481799d07d6aaf8915a3d43cfd38073a5605105e89f3
Instruction ID: bdc7c0f19d98610a0001beefafa6972901ba0758a5f383352e3d18cfdd252ebe
Opcode Fuzzy Hash: 2b139b2f97c8c3776aec481799d07d6aaf8915a3d43cfd38073a5605105e89f3
Instruction Fuzzy Hash: 5CD1B0342153058FCB16EF10C4A1A6EB7A9EF98344F154459F8869B7E2CB31EE5ACF81

Function 0030A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0030A89F
GetSysColorBrush.USER32(0000000F), ref: 0030A8D0
GetSysColor.USER32(0000000F), ref: 0030A8DC
SetBkColor.GDI32(?,000000FF), ref: 0030A8F6
SelectObject.GDI32(?,?), ref: 0030A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0030A930
GetSysColor.USER32(00000010), ref: 0030A938
CreateSolidBrush.GDI32(00000000), ref: 0030A93F
FrameRect.USER32(?,?,00000000), ref: 0030A94E
DeleteObject.GDI32(00000000), ref: 0030A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0030A9A0
FillRect.USER32(?,?,?), ref: 0030A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0030A9FD

Part of subcall function 0030AB60: GetSysColor.USER32(00000012), ref: 0030AB99
Part of subcall function 0030AB60: SetTextColor.GDI32(?,?), ref: 0030AB9D
Part of subcall function 0030AB60: GetSysColorBrush.USER32(0000000F), ref: 0030ABB3
Part of subcall function 0030AB60: GetSysColor.USER32(0000000F), ref: 0030ABBE
Part of subcall function 0030AB60: GetSysColor.USER32(00000011), ref: 0030ABDB
Part of subcall function 0030AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0030ABE9
Part of subcall function 0030AB60: SelectObject.GDI32(?,00000000), ref: 0030ABFA
Part of subcall function 0030AB60: SetBkColor.GDI32(?,00000000), ref: 0030AC03
Part of subcall function 0030AB60: SelectObject.GDI32(?,?), ref: 0030AC10
Part of subcall function 0030AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0030AC2F
Part of subcall function 0030AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0030AC46
Part of subcall function 0030AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0030AC5B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 85644c24a283352eff8f959f700dbcdef422c1fa4c675a690cc11446d4129c0b
Instruction ID: 34235d5fe3bb2d8f611c424f3a2ba0ec0cf330c959353f325820c444b3764391
Opcode Fuzzy Hash: 85644c24a283352eff8f959f700dbcdef422c1fa4c675a690cc11446d4129c0b
Instruction Fuzzy Hash: 3BA1B07210A705AFD7229F64DC18E6B7BADFF89321F104A2AF962965E0D730D840CB52

Function 002F77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002F77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002F78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002F78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002F7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 002F7946
GetClientRect.USER32(00000000,?), ref: 002F7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 002F7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002F79A5
GetStockObject.GDI32(00000011), ref: 002F79B5
SelectObject.GDI32(00000000,00000000), ref: 002F79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002F79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002F79D2
DeleteDC.GDI32(00000000), ref: 002F79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002F7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 002F7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 002F7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002F7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 002F7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 002F7AAE
GetStockObject.GDI32(00000011), ref: 002F7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002F7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002F7ACE

Strings

msctls_progress32, xrefs: 002F7A4F
DISPLAY, xrefs: 002F799B
static, xrefs: 002F7990, 002F7AA8
AutoIt v3, xrefs: 002F793E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 45b8d82970924a219aea036729df990e44744b6b4b04d92e4a3464c768d5e43f
Instruction ID: 25da1d61937199c99b20604f2d745f4f478a80d6fd802a59968ba6eafd78dbdd
Opcode Fuzzy Hash: 45b8d82970924a219aea036729df990e44744b6b4b04d92e4a3464c768d5e43f
Instruction Fuzzy Hash: CDA19175A11209BFEB15DF64DC4AFAABBADEB45710F004115FA14AB2E0CBB0AD10CF60

Function 002EAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002EAF89
GetDriveTypeW.KERNEL32(?,0030FAC0,?,\\.\,0030F910), ref: 002EB066
SetErrorMode.KERNEL32(00000000,0030FAC0,?,\\.\,0030F910), ref: 002EB1C4

Strings

Fixed, xrefs: 002EB0AE
Virtual, xrefs: 002EB18C
Unknown, xrefs: 002EB086, 002EB12A
\\.\, xrefs: 002EAFDB
USB, xrefs: 002EB15B
Fibre, xrefs: 002EB154
SCSI, xrefs: 002EB131
Network, xrefs: 002EB0A4
ATA, xrefs: 002EB13F
FileBackedVirtual, xrefs: 002EB193
SAS, xrefs: 002EB170
MMC, xrefs: 002EB185
CDROM, xrefs: 002EB09A
SATA, xrefs: 002EB177
RAID, xrefs: 002EB162
1394, xrefs: 002EB146
ATAPI, xrefs: 002EB138
iSCSI, xrefs: 002EB169
RAMDisk, xrefs: 002EB090
PhysicalDrive, xrefs: 002EB012
SSA, xrefs: 002EB14D
SSD, xrefs: 002EB0F1
Removable, xrefs: 002EB0B8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f0281f97e994170b91b6540e6d001685194beb9776bf48fb3bd4bea162c950be
Instruction ID: 3402dabcc3bcfb8684c1df25e4578042bb89e399daee66215353089ef252f612
Opcode Fuzzy Hash: f0281f97e994170b91b6540e6d001685194beb9776bf48fb3bd4bea162c950be
Instruction Fuzzy Hash: AB51E7346F4785ABCB07EF52C9E29BE73B0AB18351BA04015E44EAB290C775AD61DB42

Function 00286A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00286A91
__wcsnicmp.LIBCMT ref: 00286AA9
__wcsnicmp.LIBCMT ref: 00286AC1
__wcsnicmp.LIBCMT ref: 00286AD9
__wcsnicmp.LIBCMT ref: 00286AF1
__wcsnicmp.LIBCMT ref: 00286B09
__wcsnicmp.LIBCMT ref: 00286B21
__wcsnicmp.LIBCMT ref: 00286B35
__wcsnicmp.LIBCMT ref: 00286B76
__wcsnicmp.LIBCMT ref: 00286B8A
__wcsnicmp.LIBCMT ref: 00286B9E
__wcsnicmp.LIBCMT ref: 00286BB2

Strings

#ce, xrefs: 00286BAC
#include-once, xrefs: 00286AEB
#requireadmin, xrefs: 00286ABB
#OnAutoItStartRegister, xrefs: 00286AD3
#notrayicon, xrefs: 00286AA3
#comments-start, xrefs: 00286B1B, 00286B70
Cannot parse #include, xrefs: 002BE819
Unterminated group of comments, xrefs: 002BE82C
#include, xrefs: 00286B03
#pragma compile, xrefs: 00286A8B
#cs, xrefs: 00286B2F, 00286B84
#comments-end, xrefs: 00286B98
Bad directive syntax error, xrefs: 002BE743

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 27540b07a994da05f7c8b42837d9fb0bf755c03e70dec43367151320848cde9e
Instruction ID: b6049fed24f96c027e4a44044b34f7a841f018e392373f89f6693246952f6e4e
Opcode Fuzzy Hash: 27540b07a994da05f7c8b42837d9fb0bf755c03e70dec43367151320848cde9e
Instruction Fuzzy Hash: 41813975631216ABCB25BE60CC87FEB7768AF15744F044024F941AA1C2EF70EA71DB91

Function 00282C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00282CA2
DeleteObject.GDI32(00000000), ref: 00282CE8
DeleteObject.GDI32(00000000), ref: 00282CF3
DestroyCursor.USER32(00000000), ref: 00282CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00282D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 002BC68B
6F560200.COMCTL32(?,000000FF,?), ref: 002BC6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002BCAED

Part of subcall function 00281B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00282036,?,00000000,?,?,?,?,002816CB,00000000,?), ref: 00281B9A

SendMessageW.USER32(?,00001053), ref: 002BCB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002BCB41

Strings

0, xrefs: 002BC981

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF560200InvalidateMoveRect
String ID: 0
API String ID: 3972741187-4108050209
Opcode ID: 97ad564f2576cc4a2a9283e75ba0753ddec2f144d5a7c80f1165d6a6afcfed67
Instruction ID: 276f1ec5f3422333fefc917050b9cc7d2603e56e0247ea142c1442f79221e64f
Opcode Fuzzy Hash: 97ad564f2576cc4a2a9283e75ba0753ddec2f144d5a7c80f1165d6a6afcfed67
Instruction Fuzzy Hash: 0212BF34221202EFDB25DF24C884BB9B7E5BF05340F64456AF496DB6A2CB71E865CF90

Function 0030AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0030AB99
SetTextColor.GDI32(?,?), ref: 0030AB9D
GetSysColorBrush.USER32(0000000F), ref: 0030ABB3
GetSysColor.USER32(0000000F), ref: 0030ABBE
CreateSolidBrush.GDI32(?), ref: 0030ABC3
GetSysColor.USER32(00000011), ref: 0030ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0030ABE9
SelectObject.GDI32(?,00000000), ref: 0030ABFA
SetBkColor.GDI32(?,00000000), ref: 0030AC03
SelectObject.GDI32(?,?), ref: 0030AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0030AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0030AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0030AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0030ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0030ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0030ACEC
DrawFocusRect.USER32(?,?), ref: 0030ACF7
GetSysColor.USER32(00000011), ref: 0030AD05
SetTextColor.GDI32(?,00000000), ref: 0030AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0030AD21
SelectObject.GDI32(?,0030A869), ref: 0030AD38
DeleteObject.GDI32(?), ref: 0030AD43
SelectObject.GDI32(?,?), ref: 0030AD49
DeleteObject.GDI32(?), ref: 0030AD4E
SetTextColor.GDI32(?,?), ref: 0030AD54
SetBkColor.GDI32(?,?), ref: 0030AD5E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9ee6b02cc86d903e6ff3cd5313c528575df7128b7904b20d026b0a18102f0dfd
Instruction ID: db6fd9615211c9ce6a934654cc2667e754ffe8220d91cb7a61d905ef3b449deb
Opcode Fuzzy Hash: 9ee6b02cc86d903e6ff3cd5313c528575df7128b7904b20d026b0a18102f0dfd
Instruction Fuzzy Hash: 12616E71902618EFDB22DFA4DC58EAE7B79EB08320F114126F911AB6E1D6719D40DB90

Function 00308C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00308D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00308D45
CharNextW.USER32(0000014E), ref: 00308D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00308DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00308DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00308DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00308DF9
SetWindowTextW.USER32(?,0000014E), ref: 00308E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00308E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00308E8C
_memset.LIBCMT ref: 00308EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00308EFA
_memset.LIBCMT ref: 00308F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00308F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00308FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00309088
InvalidateRect.USER32(?,00000000,00000001), ref: 003090AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003090F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00309121
DrawMenuBar.USER32(?), ref: 00309130
SetWindowTextW.USER32(?,0000014E), ref: 00309158

Strings

0, xrefs: 003090C2

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: c3ffd26463abc6414d312db1a7e238999ac962eec14ff50bb9006811c2e943fd
Instruction ID: 8563fb68ca5901e44da3554aaf084a6ad768814a3b780dcfc04312730dd017ce
Opcode Fuzzy Hash: c3ffd26463abc6414d312db1a7e238999ac962eec14ff50bb9006811c2e943fd
Instruction Fuzzy Hash: BAE18E70902209AFDF22DF64CC94AEFBBB9EF05710F108156F955AA2D1DB709A81DF60

Function 00304B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00304C51
GetDesktopWindow.USER32 ref: 00304C66
GetWindowRect.USER32(00000000), ref: 00304C6D
GetWindowLongW.USER32(?,000000F0), ref: 00304CCF
DestroyWindow.USER32(?), ref: 00304CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00304D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00304D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00304D68
SendMessageW.USER32(?,00000421,?,?), ref: 00304D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00304D90
IsWindowVisible.USER32(?), ref: 00304DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00304DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00304DDF
GetWindowRect.USER32(?,?), ref: 00304DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00304E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00304E37
CopyRect.USER32(?,?), ref: 00304E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00304EB9

Strings

tooltips_class32, xrefs: 00304D1D
(, xrefs: 00304E2A
0, xrefs: 00304BFC

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6945af3685f1de7cad023d53ddeb05694d1f280cb2e47c962246ef482eeda8e6
Instruction ID: 8dfffaf6e1d977ad7fa5049b4db649b41803e320954760aa8a7bf377613bbdb7
Opcode Fuzzy Hash: 6945af3685f1de7cad023d53ddeb05694d1f280cb2e47c962246ef482eeda8e6
Instruction Fuzzy Hash: C0B19BB161A340AFDB05DF24C854B6ABBE4FF88310F00891DF6899B2A1DB71ED55CB91

Function 002827D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002828BC
GetSystemMetrics.USER32(00000007), ref: 002828C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002828EF
GetSystemMetrics.USER32(00000008), ref: 002828F7
GetSystemMetrics.USER32(00000004), ref: 0028291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00282939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00282949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0028297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00282990
GetClientRect.USER32(00000000,000000FF), ref: 002829AE
GetStockObject.GDI32(00000011), ref: 002829CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 002829D5

Part of subcall function 00282344: GetCursorPos.USER32(?), ref: 00282357
Part of subcall function 00282344: ScreenToClient.USER32(003467B0,?), ref: 00282374
Part of subcall function 00282344: GetAsyncKeyState.USER32(00000001), ref: 00282399
Part of subcall function 00282344: GetAsyncKeyState.USER32(00000002), ref: 002823A7

SetTimer.USER32(00000000,00000000,00000028,00281256), ref: 002829FC

Strings

ata, xrefs: 0028284F
AutoIt v3 GUI, xrefs: 00282974

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$ata
API String ID: 1458621304-4054051933
Opcode ID: 1e31f839b28a50ae7afe108be025caf74edafec9cc9b8130cf81126082010fdf
Instruction ID: 290802c1f1eaaaee62f29c861815b6bde4178486de233f8703da844a701bf58a
Opcode Fuzzy Hash: 1e31f839b28a50ae7afe108be025caf74edafec9cc9b8130cf81126082010fdf
Instruction Fuzzy Hash: 39B18E75A1120AEFDB15EFA8DC55BED7BB8FB09710F108129FA15A72D0CB70A860CB51

Function 002E46D6 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 002E473C
_wcscmp.LIBCMT ref: 002E4747
_wcscat.LIBCMT ref: 002E475D
_wcsstr.LIBCMT ref: 002E4768
74D31560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002E4784
_wcscat.LIBCMT ref: 002E47CD
_wcscat.LIBCMT ref: 002E47D4
_wcsncpy.LIBCMT ref: 002E47FF

Strings

04090000, xrefs: 002E47BA
StringFileInfo\, xrefs: 002E4757
%u.%u.%u.%u, xrefs: 002E4862
DefaultLangCodepage, xrefs: 002E47E7
\VarFileInfo\Translation, xrefs: 002E477C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _wcscat$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 390803403-1459072770
Opcode ID: ae502798c69073e1f9f5f637e81a42f506780780beb75ac330670b730cddda04
Instruction ID: b6fb20d61fe1c727f02693c728e2b82ab0688e50d3deaf55d2501ce54082ad7d
Opcode Fuzzy Hash: ae502798c69073e1f9f5f637e81a42f506780780beb75ac330670b730cddda04
Instruction Fuzzy Hash: 5E41F672660241BFEB11FB658C43EBF77ACDF46750F00016AF904E6182EF74DA219AA5

Function 00304069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003040F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003041B6

Strings

GETTEXT, xrefs: 0030415F
SELECTINVERT, xrefs: 00304286
SELECT, xrefs: 00304250
DESELECT, xrefs: 003042A4
SELECTALL, xrefs: 0030421D
GETSELECTED, xrefs: 003042E4
FINDITEM, xrefs: 00304329
GETITEMCOUNT, xrefs: 00304128
ISSELECTED, xrefs: 003041C1
GETSUBITEMCOUNT, xrefs: 00304141
VIEWCHANGE, xrefs: 00304375
SELECTCLEAR, xrefs: 00304235
GETSELECTEDCOUNT, xrefs: 00304199

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 89c5f73b3ccc6aa19eeaef7986760a6603ccb58ae34eb55cbd5eb54b60530646
Instruction ID: 1439aacf95c819d3a13accc06d44ebffd1d2a3b247781d201ab500983a81275e
Opcode Fuzzy Hash: 89c5f73b3ccc6aa19eeaef7986760a6603ccb58ae34eb55cbd5eb54b60530646
Instruction Fuzzy Hash: 34A1D1B42252019FCB15EF10C8A1A7AB3A9FF89310F14486DB9969B7D2DB30ED55CF41

Function 002F52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 002F5309
LoadCursorW.USER32(00000000,00007F8A), ref: 002F5314
LoadCursorW.USER32(00000000,00007F00), ref: 002F531F
LoadCursorW.USER32(00000000,00007F03), ref: 002F532A
LoadCursorW.USER32(00000000,00007F8B), ref: 002F5335
LoadCursorW.USER32(00000000,00007F01), ref: 002F5340
LoadCursorW.USER32(00000000,00007F81), ref: 002F534B
LoadCursorW.USER32(00000000,00007F88), ref: 002F5356
LoadCursorW.USER32(00000000,00007F80), ref: 002F5361
LoadCursorW.USER32(00000000,00007F86), ref: 002F536C
LoadCursorW.USER32(00000000,00007F83), ref: 002F5377
LoadCursorW.USER32(00000000,00007F85), ref: 002F5382
LoadCursorW.USER32(00000000,00007F82), ref: 002F538D
LoadCursorW.USER32(00000000,00007F84), ref: 002F5398
LoadCursorW.USER32(00000000,00007F04), ref: 002F53A3
LoadCursorW.USER32(00000000,00007F02), ref: 002F53AE
GetCursorInfo.USER32(?), ref: 002F53BE
GetLastError.KERNEL32(00000001,00000000), ref: 002F53E9

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: ffd48cc92b7bb8d1f6cc11e95ee99f8be4dd37d43c9609603831934ae32a4fff
Instruction ID: fa8c764c2d47e83dfbacfcc8acf99069f1b8cdfc445869109d711df1ab92fe86
Opcode Fuzzy Hash: ffd48cc92b7bb8d1f6cc11e95ee99f8be4dd37d43c9609603831934ae32a4fff
Instruction Fuzzy Hash: 09415470E143296ADB109FBA8C4996EFFF8EF51B50B10453FE609E7290DAB8A4018E51

Function 002DAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002DAAA5
__swprintf.LIBCMT ref: 002DAB46
_wcscmp.LIBCMT ref: 002DAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002DABAE
_wcscmp.LIBCMT ref: 002DABEA
GetClassNameW.USER32(?,?,00000400), ref: 002DAC21
GetDlgCtrlID.USER32(?), ref: 002DAC73
GetWindowRect.USER32(?,?), ref: 002DACA9
GetParent.USER32(?), ref: 002DACC7
ScreenToClient.USER32(00000000), ref: 002DACCE
GetClassNameW.USER32(?,?,00000100), ref: 002DAD48
_wcscmp.LIBCMT ref: 002DAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 002DAD82
_wcscmp.LIBCMT ref: 002DAD96

Part of subcall function 002A386C: _iswctype.LIBCMT ref: 002A3874

Strings

%s%u, xrefs: 002DAB40

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 6b966c38a496bb66359acddd734b00c031997784a20ba66164db27789fb44265
Instruction ID: b26a5b5ba52dabb442d6c575561701dd1f4f5d315e574eb6e15eb4166e20848f
Opcode Fuzzy Hash: 6b966c38a496bb66359acddd734b00c031997784a20ba66164db27789fb44265
Instruction Fuzzy Hash: D8A1CE71224707AFDB15DF24C884FAAB7E9FF04315F10462AF99982690DB30ED65CB92

Function 002DB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 002DB3DB
_wcscmp.LIBCMT ref: 002DB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 002DB414
CharUpperBuffW.USER32(?,00000000), ref: 002DB431
_wcscmp.LIBCMT ref: 002DB44F
_wcsstr.LIBCMT ref: 002DB460
GetClassNameW.USER32(00000018,?,00000400), ref: 002DB498
_wcscmp.LIBCMT ref: 002DB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 002DB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 002DB518
_wcscmp.LIBCMT ref: 002DB528
GetClassNameW.USER32(00000010,?,00000400), ref: 002DB550
GetWindowRect.USER32(00000004,?), ref: 002DB5B9

Strings

ThumbnailClass, xrefs: 002DB4A3, 002DB523
@, xrefs: 002DB3BC

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: a6de3aed4294a2534b0a788aaf4402dd1058adce34596f78d273adc3453b6d69
Instruction ID: 487f909df8c920db29623cc738ff88c3bba0b29d3998c56a2e0960c22cea8625
Opcode Fuzzy Hash: a6de3aed4294a2534b0a788aaf4402dd1058adce34596f78d273adc3453b6d69
Instruction Fuzzy Hash: B681CF71028206DFDB12DF10D8A5FAA77ECEF44714F04846AFD858A292DB30DD65CBA1

Function 002DB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 002DB23F

Strings

CLASSNAME=, xrefs: 002DB27C
[ACTIVE, xrefs: 002DB22C
[LAST, xrefs: 002DB2EC
[CLASS:, xrefs: 002DB28F
ACTIVE, xrefs: 002DB21A
HANDLE=, xrefs: 002DB238
LAST, xrefs: 002DB204
REGEXP=, xrefs: 002DB254
[ALL, xrefs: 002DB2E5
[REGEXPTITLE:, xrefs: 002DB267
ALL, xrefs: 002DB2D3
[HANDLE:, xrefs: 002DB24B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c0c1c4b8be7e91d16af6950b1ec7e8f91b4d278e0a1a4d0f959acd574c273e04
Instruction ID: 2821ea0cc58daa7e2917605daa320b6889b90cb3bc4c56c633f388dc4cee0d31
Opcode Fuzzy Hash: c0c1c4b8be7e91d16af6950b1ec7e8f91b4d278e0a1a4d0f959acd574c273e04
Instruction Fuzzy Hash: 3031A336A35205E6DB16FE60CD97FEE77A49F24750F60001BF841711D2EFA1AE24CA51

Function 002DC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 002DC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002DC4E6
SetWindowTextW.USER32(?,?), ref: 002DC4FD
GetDlgItem.USER32(?,000003EA), ref: 002DC512
SetWindowTextW.USER32(00000000,?), ref: 002DC518
GetDlgItem.USER32(?,000003E9), ref: 002DC528
SetWindowTextW.USER32(00000000,?), ref: 002DC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002DC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002DC569
GetWindowRect.USER32(?,?), ref: 002DC572
SetWindowTextW.USER32(?,?), ref: 002DC5DD
GetDesktopWindow.USER32 ref: 002DC5E3
GetWindowRect.USER32(00000000), ref: 002DC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 002DC636
GetClientRect.USER32(?,?), ref: 002DC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 002DC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002DC693

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 030d49118d516d863fad5b0dd0cec3833cd286a59cb9ef55375b94d13c029d72
Instruction ID: 8e427175d328206f2c0d563de136d8e2792cc5e832a094396e30b1c8aca324f9
Opcode Fuzzy Hash: 030d49118d516d863fad5b0dd0cec3833cd286a59cb9ef55375b94d13c029d72
Instruction Fuzzy Hash: 1F51607090070AAFDB21DFA8DD85B6EBBB9FF04705F10452AE682A26A0C775ED14CB50

Function 0030A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0030A4C8
DestroyWindow.USER32(?,?), ref: 0030A542

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0030A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0030A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0030A5F1
DestroyWindow.USER32(00000000), ref: 0030A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00280000,00000000), ref: 0030A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0030A663
GetDesktopWindow.USER32 ref: 0030A67C
GetWindowRect.USER32(00000000), ref: 0030A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0030A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0030A6B3

Part of subcall function 002825DB: GetWindowLongW.USER32(?,000000EB), ref: 002825EC

Strings

tooltips_class32, xrefs: 0030A5B5, 0030A643
0, xrefs: 0030A4DE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 859f5755edb2bee125068ea3e0209c9007c81c1b8fe653be909d8079a1ba6984
Instruction ID: 098d1543b96fd22efbad28cfc0a1e5265608a2e8b507282f6a557e96f56bd11d
Opcode Fuzzy Hash: 859f5755edb2bee125068ea3e0209c9007c81c1b8fe653be909d8079a1ba6984
Instruction Fuzzy Hash: 2E718974151709AFD722DF28DC59F667BF9EB89300F08052DF9858B2A1CB72E942CB12

Function 00304619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003046AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003046F6

Strings

GETSELECTED, xrefs: 00304806
GETTOTALCOUNT, xrefs: 003046DD
GETTEXT, xrefs: 00304849
EXISTS, xrefs: 0030475F
SELECT, xrefs: 003048A7
UNCHECK, xrefs: 003048D2
GETITEMCOUNT, xrefs: 003047D8
ISCHECKED, xrefs: 00304879
EXPAND, xrefs: 003047A8
CHECK, xrefs: 00304716
COLLAPSE, xrefs: 0030473C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 950e1c441c03ba4265ae1c251425d422f3db36441ee78bddb42ef0493013e31b
Instruction ID: e0e5f4b2395bc6ec74592a336214d5ed858fd412576a6634b00cbc858f56e505
Opcode Fuzzy Hash: 950e1c441c03ba4265ae1c251425d422f3db36441ee78bddb42ef0493013e31b
Instruction Fuzzy Hash: A991D3B82157018FCB15EF10C491A6AB7E5AF89310F04886DF9965B7E2CB31EE56CF41

Function 0030BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0030BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00309431), ref: 0030BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0030BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0030BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0030BC7D
FreeLibrary.KERNEL32(?), ref: 0030BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0030BC99
DestroyCursor.USER32(?), ref: 0030BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0030BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0030BCD1

Part of subcall function 002A313D: __wcsicmp_l.LIBCMT ref: 002A31C6

Strings

.exe, xrefs: 0030BB04
.icl, xrefs: 0030BAE4
.dll, xrefs: 0030BB27

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: f486f93645721b26ede94ef8e0717381f51e892259cd0feaf28ee8c007a74b45
Instruction ID: c8c5e2e7795cd7e9e113eefd6e5d20e21fa8fda75d6dfa47f671b3bd645f97ea
Opcode Fuzzy Hash: f486f93645721b26ede94ef8e0717381f51e892259cd0feaf28ee8c007a74b45
Instruction Fuzzy Hash: BB61DD71601219FFEB26DF64CC95BBAB7ACEB08710F10421AF915D61C0DB74AA90CBA0

Function 002EA0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0030FB78), ref: 002EA0FC

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 002EA11E
__swprintf.LIBCMT ref: 002EA177
__swprintf.LIBCMT ref: 002EA190
_wprintf.LIBCMT ref: 002EA246
_wprintf.LIBCMT ref: 002EA264

Strings

Line %d (File "%s"):, xrefs: 002EA171, 002EA18A
%1, xrefs: 002EA0C9
"%s" (%d) : ==> %s:, xrefs: 002EA25F
^ ERROR, xrefs: 002EA1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 002EA241
Error: , xrefs: 002EA20E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%1
API String ID: 311963372-874380935
Opcode ID: 24e20bd28f371df675da9426a2e1a9252dd2272eb9746f88a703937709c1ab2a
Instruction ID: 2a02b2ecaeeddc6eaa4aeadc99e906397ed47f67abb72ad2fb0e467ad373d9e8
Opcode Fuzzy Hash: 24e20bd28f371df675da9426a2e1a9252dd2272eb9746f88a703937709c1ab2a
Instruction Fuzzy Hash: 4E518E35915209ABCF16FBA0CD86EEEB778AF05300F600165F905721A1EB71AF68CF61

Function 002EA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

CharLowerBuffW.USER32(?,?), ref: 002EA636
GetDriveTypeW.KERNEL32 ref: 002EA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002EA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002EA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002EA730

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

Strings

type cdaudio alias cd wait, xrefs: 002EA6AE
closed, xrefs: 002EA64A, 002EA653
close cd wait, xrefs: 002EA71B
wait, xrefs: 002EA6ED
close, xrefs: 002EA63C
open, xrefs: 002EA65D
open , xrefs: 002EA692
set cd door , xrefs: 002EA6D1

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 38050bb4179f6e79f2394cfd2091ad27bbf5c744dafddea6c30fffd3e883cbc2
Instruction ID: 90e0a5d9c441037506f01f6615e660355e102ef8ea50a5b8422550dfd307ffdf
Opcode Fuzzy Hash: 38050bb4179f6e79f2394cfd2091ad27bbf5c744dafddea6c30fffd3e883cbc2
Instruction Fuzzy Hash: D55157791246059FC700EF21C8C186AB7E8FF98718F54496DF886572A1DB31EE1ACF42

Function 002EA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002EA47A
__swprintf.LIBCMT ref: 002EA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 002EA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002EA4FE
_memset.LIBCMT ref: 002EA51D
_wcsncpy.LIBCMT ref: 002EA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002EA58E
CloseHandle.KERNEL32(00000000), ref: 002EA599
RemoveDirectoryW.KERNEL32(?), ref: 002EA5A2
CloseHandle.KERNEL32(00000000), ref: 002EA5AC

Strings

\, xrefs: 002EA4B2
\??\%s, xrefs: 002EA496
:, xrefs: 002EA4BD

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7fae36ef3eb6b87e5c561c3c028ab83e784e4d2307edeebaf268f9e810f55db1
Instruction ID: 266cba371d6610f3caed7049add2004b95fa0cc2cf3cd41851fcb64fc3c5591a
Opcode Fuzzy Hash: 7fae36ef3eb6b87e5c561c3c028ab83e784e4d2307edeebaf268f9e810f55db1
Instruction Fuzzy Hash: 2C31E5B595024AABDB21DFA1DC48FEB77BCEF89700F5040B6F908D2050EB7097548B25

Function 002D83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002D8766
Part of subcall function 002D874A: GetLastError.KERNEL32(?,002D822A,?,?,?), ref: 002D8770
Part of subcall function 002D874A: GetProcessHeap.KERNEL32(00000008,?,?,002D822A,?,?,?), ref: 002D877F
Part of subcall function 002D874A: RtlAllocateHeap.NTDLL(00000000,?,002D822A), ref: 002D8786
Part of subcall function 002D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002D879D

Part of subcall function 002D87E7: GetProcessHeap.KERNEL32(00000008,002D8240,00000000,00000000,?,002D8240,?), ref: 002D87F3
Part of subcall function 002D87E7: RtlAllocateHeap.NTDLL(00000000,?,002D8240), ref: 002D87FA
Part of subcall function 002D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002D8240,?), ref: 002D880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002D8458
_memset.LIBCMT ref: 002D846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002D848C
GetLengthSid.ADVAPI32(?), ref: 002D849D
GetAce.ADVAPI32(?,00000000,?), ref: 002D84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002D84F6
GetLengthSid.ADVAPI32(?), ref: 002D8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002D8522
RtlAllocateHeap.NTDLL(00000000), ref: 002D8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002D854A
CopySid.ADVAPI32(00000000), ref: 002D8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002D8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002D85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002D85BC

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: cc33d9ea3804ea7a1d85fb9bd25b8d62281f0b5b6200a58c522599b54d8c2252
Instruction ID: d2e8d09361686ab1f32745cf42805c3660e7de68cbec18836311d36b8d68647f
Opcode Fuzzy Hash: cc33d9ea3804ea7a1d85fb9bd25b8d62281f0b5b6200a58c522599b54d8c2252
Instruction Fuzzy Hash: 4F615A7191020AAFDF11DFA5EC45AAEBBB9FF04300F44816AF915A7291DB319E24CF60

Function 002F762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 002F76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002F76AE
CreateCompatibleDC.GDI32(?), ref: 002F76BA
SelectObject.GDI32(00000000,?), ref: 002F76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 002F771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 002F7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 002F777B
SelectObject.GDI32(00000006,?), ref: 002F7783
DeleteObject.GDI32(?), ref: 002F778C
DeleteDC.GDI32(00000006), ref: 002F7793
ReleaseDC.USER32(00000000,?), ref: 002F779E

Strings

(, xrefs: 002F7723

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: eca7c18b5f099cd425aa476760a159ef48fe4e0b4cc311f6c142cb3d3c723463
Instruction ID: 7ab7e50c934072a6b2abb0deae98675af0374b9e23833662a34b958fbd23ffd3
Opcode Fuzzy Hash: eca7c18b5f099cd425aa476760a159ef48fe4e0b4cc311f6c142cb3d3c723463
Instruction Fuzzy Hash: 27516C75914309EFCB25CFA8CC84EAEBBB9EF48750F14842EFA4997210D771A850CB60

Function 00286BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 002A0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00286C6C,?,00008000), ref: 002A0BB7

Part of subcall function 002848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002848A1,?,?,002837C0,?), ref: 002848CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00286D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00286E5A

Part of subcall function 002859CD: _wcscpy.LIBCMT ref: 00285A05

Part of subcall function 002A387D: _iswctype.LIBCMT ref: 002A3885

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 002BE84A
EA06, xrefs: 002BE87B
AU3!, xrefs: 00286CC1
>>>AUTOIT SCRIPT<<<, xrefs: 002BE8BF
Bad directive syntax error, xrefs: 002BEBC6
Error opening the file, xrefs: 002BE866, 002BE8E1
Unterminated string, xrefs: 002BEC0D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: bdcd8e2eeea187a591d2a2fc4e444894e534ee84490f2308088a221e457df697
Instruction ID: 54e0160b5ee646ee54a2acdf3835842d54d420272084c66ae4e507ee61d77167
Opcode Fuzzy Hash: bdcd8e2eeea187a591d2a2fc4e444894e534ee84490f2308088a221e457df697
Instruction Fuzzy Hash: 5202C0341293419FCB24EF24C881AAFBBE5BF95354F14491EF486972A1DB30D969CF42

Function 002845DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002845F9
GetMenuItemCount.USER32(00346890), ref: 002BD7CD
GetMenuItemCount.USER32(00346890), ref: 002BD87D
GetCursorPos.USER32(?), ref: 002BD8C1
SetForegroundWindow.USER32(00000000), ref: 002BD8CA
TrackPopupMenuEx.USER32(00346890,00000000,?,00000000,00000000,00000000), ref: 002BD8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002BD8E9

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a1a54967e8cb46448faad2f2ac783fd595057277f46a7ebe4636c71ecd7e92d8
Instruction ID: 588c703a8e888825be25c9c3bd7d257a2e86044dbb41150ee7ced7def9a69bf5
Opcode Fuzzy Hash: a1a54967e8cb46448faad2f2ac783fd595057277f46a7ebe4636c71ecd7e92d8
Instruction Fuzzy Hash: CD71F230661216BFEB21AF15DC45FEAFF69FF053A4F200216F524661E0DBB16820DB90

Function 003010A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00300038,?,?), ref: 003010BC

Strings

HKEY_CURRENT_USER, xrefs: 0030119B
HKEY_USERS, xrefs: 003011BD
HKEY_CURRENT_CONFIG, xrefs: 00301179
HKEY_LOCAL_MACHINE, xrefs: 00301125
HKCU, xrefs: 003011AC
HKEY_CLASSES_ROOT, xrefs: 0030114F
HKLM, xrefs: 0030113A
HKU, xrefs: 003011CE
HKCC, xrefs: 0030118A
HKCR, xrefs: 00301164

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: fa67d0a4dfb50e2606e5f7643a11df047d18d32c1ad55704edc87b0681792547
Instruction ID: a90209d3b3a2868f4d428e5b5a98c367a6a00580261fd86059f852f99c679876
Opcode Fuzzy Hash: fa67d0a4dfb50e2606e5f7643a11df047d18d32c1ad55704edc87b0681792547
Instruction Fuzzy Hash: 2F417E7552224A8BCF1AEF90D8E1AEA7768FF1A300F104414FD915B292DB30E92ACB50

Function 002E5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

Part of subcall function 00287A84: _memmove.LIBCMT ref: 00287B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002E55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002E55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002E55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002E560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002E561C

Strings

close PlayMe, xrefs: 002E55E3, 002E5610
play PlayMe, xrefs: 002E5617
play PlayMe wait, xrefs: 002E5606
status PlayMe mode, xrefs: 002E55CD
alias PlayMe, xrefs: 002E55AB
open , xrefs: 002E5581

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 979124b775fd88b07d1f49d48b4fc94bdfbf4b04ddea3b6305d29c057ef3819f
Instruction ID: b64a8c25210bc3bc59ea494ec0ec7353b35fbf7999280fbd986e206bc5a9a41c
Opcode Fuzzy Hash: 979124b775fd88b07d1f49d48b4fc94bdfbf4b04ddea3b6305d29c057ef3819f
Instruction Fuzzy Hash: 4E110428AB156979D721B662CCCACFFBB7CEF91F10F800429B804A20D1DEA04D15CAB1

Function 002E48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 002E490E
gethostname.WS2_32(?,00000100), ref: 002E4928
gethostbyname.WS2_32(?), ref: 002E4935
_wcscpy.LIBCMT ref: 002E495D
_memmove.LIBCMT ref: 002E4970
inet_ntoa.WS2_32(?), ref: 002E497B
_strcat.LIBCMT ref: 002E4989
_wcscpy.LIBCMT ref: 002E49A0
WSACleanup.WS2_32 ref: 002E49AE
_wcscpy.LIBCMT ref: 002E49BC

Strings

0.0.0.0, xrefs: 002E4957

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 53b427a02d7f7c4833b3455d77bb79f78c290f1b1e06612d20546c81f6491d57
Instruction ID: 38e2dc9cb618d0a25f3bb713f51f4fcbcab79e89738825d7c79c681755034668
Opcode Fuzzy Hash: 53b427a02d7f7c4833b3455d77bb79f78c290f1b1e06612d20546c81f6491d57
Instruction Fuzzy Hash: 4511D231964115AFCB31FB299C4AEDB77ACAB41720F4441B6F444A6092EFB09AA18A61

Function 002E5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002E521C

Part of subcall function 002A0719: timeGetTime.WINMM(?,75A8B400,00290FF9), ref: 002A071D

Sleep.KERNEL32(0000000A), ref: 002E5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 002E526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002E528E
SetActiveWindow.USER32 ref: 002E52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002E52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 002E52DA
Sleep.KERNEL32(000000FA), ref: 002E52E5
IsWindow.USER32 ref: 002E52F1
EndDialog.USER32(00000000), ref: 002E5302

Strings

BUTTON, xrefs: 002E5280

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: db1eb3e138e6e04ea52b1783709f3aea0f5339287fb5317d092feb71e8496907
Instruction ID: bfe585a44626dcfc7b43c3b9a0b563e1b3ebfe01dc6c78e7e4c7df5797dbdf6f
Opcode Fuzzy Hash: db1eb3e138e6e04ea52b1783709f3aea0f5339287fb5317d092feb71e8496907
Instruction Fuzzy Hash: AE21F6745A5745AFE7135F31EC99B263B6DEB0734AF8004A9F5018A5B0CFB1AC608B62

Function 002E052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002E05A7
SetKeyboardState.USER32(?), ref: 002E0612
GetAsyncKeyState.USER32(000000A0), ref: 002E0632
GetKeyState.USER32(000000A0), ref: 002E0649
GetAsyncKeyState.USER32(000000A1), ref: 002E0678
GetKeyState.USER32(000000A1), ref: 002E0689
GetAsyncKeyState.USER32(00000011), ref: 002E06B5
GetKeyState.USER32(00000011), ref: 002E06C3
GetAsyncKeyState.USER32(00000012), ref: 002E06EC
GetKeyState.USER32(00000012), ref: 002E06FA
GetAsyncKeyState.USER32(0000005B), ref: 002E0723
GetKeyState.USER32(0000005B), ref: 002E0731

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6035259b48b088991e70f91b6cf97a725daea7ad6670ee1f3c535fd19b72610b
Instruction ID: 8b7f22e41bad96fa8fe1a1ec7814e7790978d416d91d284077f511c08c0103a1
Opcode Fuzzy Hash: 6035259b48b088991e70f91b6cf97a725daea7ad6670ee1f3c535fd19b72610b
Instruction Fuzzy Hash: C1514A30A543C519FB34DFA188947EABFB49F01340F88459A85C61A1C2DAE4AAEDCF61

Function 002DC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 002DC746
GetWindowRect.USER32(00000000,?), ref: 002DC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002DC7B6
GetDlgItem.USER32(?,00000002), ref: 002DC7C1
GetWindowRect.USER32(00000000,?), ref: 002DC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002DC827
GetDlgItem.USER32(?,000003E9), ref: 002DC835
GetWindowRect.USER32(00000000,?), ref: 002DC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002DC889
GetDlgItem.USER32(?,000003EA), ref: 002DC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002DC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 002DC8C1

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: fd85cd381ea674c3975b4375f1c3806d8d1bc0e5de76eb65793ee04ab7f74460
Instruction ID: f1166552da09cee6e74ad31a6c9d9fd308c0aa461ee6163a3827b730a51ad4c5
Opcode Fuzzy Hash: fd85cd381ea674c3975b4375f1c3806d8d1bc0e5de76eb65793ee04ab7f74460
Instruction Fuzzy Hash: F9513071B10206AFDB19CF69DD99AAEBBBAFB88710F24812EF515D7290D7709D00CB50

Function 002821A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002825DB: GetWindowLongW.USER32(?,000000EB), ref: 002825EC

GetSysColor.USER32(0000000F), ref: 002821D3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 878ec604f420ea1d947c7a11117c0a42c485787059d3c61a2a505e452b349844
Instruction ID: 3132801e8e6a77ff021d8e56c71f7a5eb23a5b0285eaee40c2de9ea89302be05
Opcode Fuzzy Hash: 878ec604f420ea1d947c7a11117c0a42c485787059d3c61a2a505e452b349844
Instruction Fuzzy Hash: A1411634012100EFDB266F28DC98BB93B69EB06331F284366FD658A1E6C7318C56CB61

Function 002EAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0030F910), ref: 002EAB76
GetDriveTypeW.KERNEL32(00000061,0033A620,00000061), ref: 002EAC40
_wcscpy.LIBCMT ref: 002EAC6A

Strings

unknown, xrefs: 002EAC01
fixed, xrefs: 002EABBE
network, xrefs: 002EABD4
cdrom, xrefs: 002EAB92
all, xrefs: 002EAB7C
ramdisk, xrefs: 002EABEA
removable, xrefs: 002EABA8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 71970bd94f79ec5e42f53b5999294550516020edebcddd297ceaf2b3fdfbee02
Instruction ID: 42cba67d9cbc4f393017e9852d17baac1dfb96d5c10a1c5d00f14813eb81949f
Opcode Fuzzy Hash: 71970bd94f79ec5e42f53b5999294550516020edebcddd297ceaf2b3fdfbee02
Instruction Fuzzy Hash: 4851FC351683429FC310EF15C8C2AAEB7A5EF95304F94482DF486972E2DB30E969CB53

Function 00289997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 002899C2
__swprintf.LIBCMT ref: 00289A0C
__i64tow.LIBCMT ref: 002BFA0F

Strings

False, xrefs: 002BF9D7
%.15g, xrefs: 00289A06
True, xrefs: 002BF9D0
0x%p, xrefs: 002BF9F1

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 1e210dc6eca89e5f3c19b84edcc6b8b998c7b7fb5c22e0a1cce3b4dc33c7b2e2
Instruction ID: 3258e1b869b98749ebf67880623bbd919b12a3443ce7095122fe4e9dd65adf30
Opcode Fuzzy Hash: 1e210dc6eca89e5f3c19b84edcc6b8b998c7b7fb5c22e0a1cce3b4dc33c7b2e2
Instruction Fuzzy Hash: D9411535634606AFEB24EF38DD42EBAB3E8EB45300F24446EF549D6281EE719861CB11

Function 003073C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003073D9
CreateMenu.USER32 ref: 003073F4
SetMenu.USER32(?,00000000), ref: 00307403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00307490
IsMenu.USER32(?), ref: 003074A6
CreatePopupMenu.USER32 ref: 003074B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003074DD
DrawMenuBar.USER32 ref: 003074E5

Strings

F, xrefs: 003074D1
0, xrefs: 003073CF

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 1377a04f3fbd384bd5b24ea36d900bcb779f3b52f4759eea7e047d920b0a5bff
Instruction ID: a51046608f4f5333b32c270cf95b4baeb2235a75ce73075afd18cfb9c23aa8ff
Opcode Fuzzy Hash: 1377a04f3fbd384bd5b24ea36d900bcb779f3b52f4759eea7e047d920b0a5bff
Instruction Fuzzy Hash: 47415B78A02205EFDB22DF65D854EAABBF9FF4A300F154029F95597390DB30A920CF50

Function 0030772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003077CD
CreateCompatibleDC.GDI32(00000000), ref: 003077D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003077E7
SelectObject.GDI32(00000000,00000000), ref: 003077EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 003077FA
DeleteDC.GDI32(00000000), ref: 00307803
GetWindowLongW.USER32(?,000000EC), ref: 0030780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00307821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0030782D

Strings

static, xrefs: 00307765

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 008a7e9c308d36d79fb66836c6654607c8166233b3ed55c691eec061c46d8289
Instruction ID: 255eb6e976e59402591e32d49aab898a28a779181b1ab738f5af96d42e90bff9
Opcode Fuzzy Hash: 008a7e9c308d36d79fb66836c6654607c8166233b3ed55c691eec061c46d8289
Instruction Fuzzy Hash: 7A315A31506215AFDB239F64DC29FEA3B6DEF09764F114225FA15A60E0C731E821DBA4

Function 002A7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A707B

Part of subcall function 002A8D68: __getptd_noexit.LIBCMT ref: 002A8D68

__gmtime64_s.LIBCMT ref: 002A7114
__gmtime64_s.LIBCMT ref: 002A714A
__gmtime64_s.LIBCMT ref: 002A7167
__allrem.LIBCMT ref: 002A71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002A71D9
__allrem.LIBCMT ref: 002A71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002A720E
__allrem.LIBCMT ref: 002A7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002A7243
__invoke_watson.LIBCMT ref: 002A72B4

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 672c2e8a87aa834cf432938f37e114fc747bcb5d301d8d66ae4bdddfe00d09c8
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 5D71EB71A24717ABE714DE79CC4179AB3A8EF12360F14423AF914D7681EF70DD608B94

Function 002E2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002E2A31
GetMenuItemInfoW.USER32(00346890,000000FF,00000000,00000030), ref: 002E2A92
SetMenuItemInfoW.USER32(00346890,00000004,00000000,00000030), ref: 002E2AC8
Sleep.KERNEL32(000001F4), ref: 002E2ADA
GetMenuItemCount.USER32(?), ref: 002E2B1E
GetMenuItemID.USER32(?,00000000), ref: 002E2B3A
GetMenuItemID.USER32(?,-00000001), ref: 002E2B64
GetMenuItemID.USER32(?,?), ref: 002E2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002E2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002E2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002E2C24

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: dbbf1902064d86a598030851cddc042f3ee2ce88110e5dba4cd0ca8272eb6abf
Instruction ID: 6774aca62ee7be3076f8a18a511eb871e9c0d7e7aabe7ce688a5aa45a9b013a3
Opcode Fuzzy Hash: dbbf1902064d86a598030851cddc042f3ee2ce88110e5dba4cd0ca8272eb6abf
Instruction Fuzzy Hash: B96105B096028AEFDB21CF55CC88EBE7BBCFB01308F50045AE84297251D770AD69CB21

Function 00307192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00307214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00307217
GetWindowLongW.USER32(?,000000F0), ref: 0030723B
_memset.LIBCMT ref: 0030724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0030725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003072D6

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3542e83cbaab77e2cd9a73b80645a14cad2a138cc5de876e3d5a115a2a8a227d
Instruction ID: 546b2476eb75771c5d0ab2bfcd175f6492f587968c5e1a95143be2135d62acc5
Opcode Fuzzy Hash: 3542e83cbaab77e2cd9a73b80645a14cad2a138cc5de876e3d5a115a2a8a227d
Instruction Fuzzy Hash: 3B615B75900208AFDB22DFA4CC91EEE77F8AB09710F144199FA15AB2E1D770B945DBA0

Function 002D710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002D7135
SafeArrayAllocData.OLEAUT32(?), ref: 002D718E
VariantInit.OLEAUT32(?), ref: 002D71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 002D71C0
VariantCopy.OLEAUT32(?,?), ref: 002D7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 002D7227
VariantClear.OLEAUT32(?), ref: 002D723C
SafeArrayDestroyData.OLEAUT32(?), ref: 002D7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002D7252
VariantClear.OLEAUT32(?), ref: 002D7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002D726F

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 56aac6a315e51625ed39470e0f9d668bf4784688ffc84a5bd6b080c216533041
Instruction ID: 55b55792d384e770c899b1971b58ebb0844bd5932627850cf06fda6e6a3fc7bb
Opcode Fuzzy Hash: 56aac6a315e51625ed39470e0f9d668bf4784688ffc84a5bd6b080c216533041
Instruction Fuzzy Hash: 24416035910219AFCB11EF65D8989AEBBB8FF08354F00806AF905A7361DB34ED55CF90

Function 002F5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 002F5AA6
inet_addr.WS2_32(?), ref: 002F5AEB
gethostbyname.WS2_32(?), ref: 002F5AF7
IcmpCreateFile.IPHLPAPI ref: 002F5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002F5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002F5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002F5C00
WSACleanup.WS2_32 ref: 002F5C06

Strings

Ping, xrefs: 002F5B29

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8a75869d4e6ede607adb864211b88f6bfe38ae3e70cf02984fc743c60f4d73f2
Instruction ID: ddbb3553c03de7f2a8fdce1d3231f58f021bce2faca33fdf4fa1d50ac663e2c5
Opcode Fuzzy Hash: 8a75869d4e6ede607adb864211b88f6bfe38ae3e70cf02984fc743c60f4d73f2
Instruction Fuzzy Hash: F951AE312247119FD721AF24CC89B3AB7E4EF48754F14892AF656DB2E1DB70E8608F42

Function 002EB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002EB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002EB7B1
GetLastError.KERNEL32 ref: 002EB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 002EB828

Strings

UNKNOWN, xrefs: 002EB7E0
READONLY, xrefs: 002EB7F3
READY, xrefs: 002EB801
NOTREADY, xrefs: 002EB7E7
INVALID, xrefs: 002EB7FA

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 83f34f477ba01a433440327673c01736e95021b5d1e5320ca6158f4f437e9450
Instruction ID: c48db97d2673f9b00668824e554e651722c661a516500f106b5b8585bc62a056
Opcode Fuzzy Hash: 83f34f477ba01a433440327673c01736e95021b5d1e5320ca6158f4f437e9450
Instruction Fuzzy Hash: 6131E439A602059FDB12EF65C885AFFBBB8EF48700F54402AE401DB691DB719D52CB51

Function 002D9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 002DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002DB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002D94F6
GetDlgCtrlID.USER32 ref: 002D9501
GetParent.USER32 ref: 002D951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 002D9520
GetDlgCtrlID.USER32(?), ref: 002D9529
GetParent.USER32(?), ref: 002D9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 002D9548

Strings

ListBox, xrefs: 002D94B3
ComboBox, xrefs: 002D947E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e431bc23864e79ba2c4606a3a4e9c76d248421eab312253fc4cf6e6afb6131ef
Instruction ID: 000578ed58502ead5eaa6665e91ec0937b93752769c1c88f03e2aa2c53bf4eca
Opcode Fuzzy Hash: e431bc23864e79ba2c4606a3a4e9c76d248421eab312253fc4cf6e6afb6131ef
Instruction Fuzzy Hash: 2121E274911108AFCF06AF60CCD5EFEBBA8EF45300F104226B521972E2DB7599699B20

Function 002D955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 002DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002DB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002D95DF
GetDlgCtrlID.USER32 ref: 002D95EA
GetParent.USER32 ref: 002D9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 002D9609
GetDlgCtrlID.USER32(?), ref: 002D9612
GetParent.USER32(?), ref: 002D962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 002D9631

Strings

ListBox, xrefs: 002D959E
ComboBox, xrefs: 002D9569

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: c950d5e824238465f885716d0a70148d3d504b6effd1ad95ff7676ba77920864
Instruction ID: 9f4fcea528d5ac646e15ffaba49798b8a5709191eed44b95b569810ffff8b311
Opcode Fuzzy Hash: c950d5e824238465f885716d0a70148d3d504b6effd1ad95ff7676ba77920864
Instruction Fuzzy Hash: 9221C174911208BFDF06AF60CCD5EFEBBA8EF48300F104126F961972A1DB7599699B20

Function 002D9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002D9651
GetClassNameW.USER32(00000000,?,00000100), ref: 002D9666
_wcscmp.LIBCMT ref: 002D9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002D96F3

Strings

details, xrefs: 002D96A1
largeicons, xrefs: 002D9687
SHELLDLL_DefView, xrefs: 002D9672
smallicons, xrefs: 002D96BB
list, xrefs: 002D96D5

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: a42b77d5f77844d1a5742b3b91d479304f03300aba15b785420b0f5616d330fd
Instruction ID: c436a32f31703df4b2dfb0900d0361e57506f178c19b3ba4bb25e68ec90ae3c5
Opcode Fuzzy Hash: a42b77d5f77844d1a5742b3b91d479304f03300aba15b785420b0f5616d330fd
Instruction Fuzzy Hash: 1E110A76268307BBFA122A20DC56EE6779C8B06760F200167F904A55D1FED2EDF14B98

Function 002E4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 002E419D
__swprintf.LIBCMT ref: 002E41AA

Part of subcall function 002A38D8: __woutput_l.LIBCMT ref: 002A3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 002E41D4
LoadResource.KERNEL32(?,00000000), ref: 002E41E0
LockResource.KERNEL32(00000000), ref: 002E41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 002E420D
LoadResource.KERNEL32(?,00000000), ref: 002E421F
SizeofResource.KERNEL32(?,00000000), ref: 002E422E
LockResource.KERNEL32(?), ref: 002E423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002E429B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: ba6f4921eab140fbe0bae71204317cbd40e2d123147bd9f7cbf824b6f6628609
Instruction ID: 190dc6a11c033634d8f514d12a7926543631f1c8477bce6cbe5e7cd7d8fc393a
Opcode Fuzzy Hash: ba6f4921eab140fbe0bae71204317cbd40e2d123147bd9f7cbf824b6f6628609
Instruction Fuzzy Hash: D731CE75A5224AAFDB12EF61DC58EBB7BACEF09301F004826FD05D6150DB30DA219BA4

Function 002E16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002E1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,002E0778,?,00000001), ref: 002E1714
GetWindowThreadProcessId.USER32(00000000), ref: 002E171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002E0778,?,00000001), ref: 002E172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 002E173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002E0778,?,00000001), ref: 002E1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002E0778,?,00000001), ref: 002E1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002E0778,?,00000001), ref: 002E17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002E0778,?,00000001), ref: 002E17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002E0778,?,00000001), ref: 002E17CC

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 243ddfa10f771d2b057f13f8172916dfd2d6a5982622a35e7a4b1be254a04a0b
Instruction ID: 3965ec683cf7d2ed484d5f9af289445f8d051023b201535aea8eb5153379eefb
Opcode Fuzzy Hash: 243ddfa10f771d2b057f13f8172916dfd2d6a5982622a35e7a4b1be254a04a0b
Instruction Fuzzy Hash: CA31C379650249BFEB22DF15DC84FB9B7EDEB1AB51F504025F800CA2A0DBB4AD64CB50

Function 002DA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,002DAA64), ref: 002DA9A2

Strings

TEXT, xrefs: 002DA8D9
REGEXPCLASS, xrefs: 002DA767
CLASSNN, xrefs: 002DA744
NAME, xrefs: 002DA7D4
CLASS, xrefs: 002DA721
INSTANCE, xrefs: 002DA8B0

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 5f0a6196093b58f646c79b213bbac9714d46163e9de8d8cf0c9fae280bb01f23
Instruction ID: 1299b4d75a00fc5e8ce6aefc36b0451c2b5a1b38d8e18febe0d0073f8c8581b1
Opcode Fuzzy Hash: 5f0a6196093b58f646c79b213bbac9714d46163e9de8d8cf0c9fae280bb01f23
Instruction Fuzzy Hash: CA919471A20506DBDB08DF60C492FE9FB75BF04314F50811AE89AA7291DF70AE79CB91

Function 00282E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00282EAE

Part of subcall function 00281DB3: GetClientRect.USER32(?,?), ref: 00281DDC
Part of subcall function 00281DB3: GetWindowRect.USER32(?,?), ref: 00281E1D
Part of subcall function 00281DB3: ScreenToClient.USER32(?,?), ref: 00281E45

GetDC.USER32 ref: 002BCF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002BCF95
SelectObject.GDI32(00000000,00000000), ref: 002BCFA3
SelectObject.GDI32(00000000,00000000), ref: 002BCFB8
ReleaseDC.USER32(?,00000000), ref: 002BCFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002BD04B

Strings

U, xrefs: 002BCF20

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0d182c92234f6597b1b7777ad2093d279603f77c88a10fe9adca426fda85baad
Instruction ID: 8cf8ba53ebe3efa18de7397e0ce72bdc241d60fd981396aee90efcaa23722ca0
Opcode Fuzzy Hash: 0d182c92234f6597b1b7777ad2093d279603f77c88a10fe9adca426fda85baad
Instruction Fuzzy Hash: A471163441120ADFCF21EF64C880AFA3BB5FF493A0F2446AAED555A1A6D7319C61DF60

Function 002FF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002FF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002FFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002FFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002FFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002FFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002FFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002FFD90
CloseHandle.KERNEL32(?), ref: 002FFDBF
CloseHandle.KERNEL32(?), ref: 002FFE36

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 7e7485771c4a7a1ead25971406aa5ae51ae0b7344bb676716ad39f7d8e6bd52e
Instruction ID: e2192674eed6720117b7bdb7c516c7aab7ac70095a1e3be4725bf084400643a8
Opcode Fuzzy Hash: 7e7485771c4a7a1ead25971406aa5ae51ae0b7344bb676716ad39f7d8e6bd52e
Instruction Fuzzy Hash: 56E1C1312242059FCB54EF24C991B7ABBE0AF85354F18847DF9998B2A2DB31DC60CF52

Function 0028201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00281B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00282036,?,00000000,?,?,?,?,002816CB,00000000,?), ref: 00281B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002820D3
KillTimer.USER32(-00000001,?,?,?,?,002816CB,00000000,?,?,00281AE2,?,?), ref: 0028216E
DestroyAcceleratorTable.USER32(00000000), ref: 002BBEF6
DeleteObject.GDI32(00000000), ref: 002BBF6C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 0916210235e03e0eecfcccabfe27e6bf0ba428b870e475d39999886cb19620c8
Instruction ID: 8a442d22c2c1bfd1dc1bedd6b14587936066fd0e5c19aa4af70606dfd88d59d7
Opcode Fuzzy Hash: 0916210235e03e0eecfcccabfe27e6bf0ba428b870e475d39999886cb19620c8
Instruction Fuzzy Hash: 4561DD38122711DFDB37AF14CD49B69B7F5FB12306F108429E0425A9A0CBB1B8A4CF42

Function 002E4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002E38D3,?), ref: 002E48C7

Part of subcall function 002E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002E38D3,?), ref: 002E48E0

Part of subcall function 002E4CD3: GetFileAttributesW.KERNEL32(?,002E3947), ref: 002E4CD4

lstrcmpiW.KERNEL32(?,?), ref: 002E4FE2
_wcscmp.LIBCMT ref: 002E4FFC
MoveFileW.KERNEL32(?,?), ref: 002E5017

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 0f4f6bfabbc7e0d488486b87b9aa8238b839f8bb2a67fb7062460bcf56ab1fc1
Instruction ID: 1709b2d051799c89ab4d8e32015779f3b8e449bc48719f4f057a7cda9947c157
Opcode Fuzzy Hash: 0f4f6bfabbc7e0d488486b87b9aa8238b839f8bb2a67fb7062460bcf56ab1fc1
Instruction Fuzzy Hash: 735173B20587859BC724EF50CC819DFB3ECAF85340F50492EB189C7152EF74E1988B66

Function 003088B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0030896E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5721697395d66c0a082d5804cb57e2d1cbb2275cee0925597c976bd2a050d670
Instruction ID: ddf9f043ec4d94f9a7d87ba2be034d9395e9f079265f728d390d5f3f78ecb2ea
Opcode Fuzzy Hash: 5721697395d66c0a082d5804cb57e2d1cbb2275cee0925597c976bd2a050d670
Instruction Fuzzy Hash: FA51B630602308BFDF329F28CCA5BA97B69FB15314F504116F991E69E1DF71A9908B41

Function 00282B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 002BC547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002BC569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002BC581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 002BC59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002BC5C0
DestroyCursor.USER32(00000000), ref: 002BC5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002BC5EC
DestroyCursor.USER32(?), ref: 002BC5FB

Part of subcall function 0030A71E: DeleteObject.GDI32(00000000), ref: 0030A757

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: f702c205ab7213776d3a1ff4acdfefc582f367ec51833aa004cb7b59e42a4ee9
Instruction ID: 0b2187bd475deff27052d91fb5eff2abb8109d7e0ccc0ea8f255f893ac44e54b
Opcode Fuzzy Hash: f702c205ab7213776d3a1ff4acdfefc582f367ec51833aa004cb7b59e42a4ee9
Instruction Fuzzy Hash: 52518D78A22209EFDB21EF24CC45FAA77B9EB54750F100529F802A76D0DB70EDA0DB50

Function 002D8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,002D8A84,00000B00,?,?), ref: 002D8E0C
RtlAllocateHeap.NTDLL(00000000,?,002D8A84), ref: 002D8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002D8A84,00000B00,?,?), ref: 002D8E28
GetCurrentProcess.KERNEL32(?,00000000,?,002D8A84,00000B00,?,?), ref: 002D8E30
DuplicateHandle.KERNEL32(00000000,?,002D8A84,00000B00,?,?), ref: 002D8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,002D8A84,00000B00,?,?), ref: 002D8E43
GetCurrentProcess.KERNEL32(002D8A84,00000000,?,002D8A84,00000B00,?,?), ref: 002D8E4B
DuplicateHandle.KERNEL32(00000000,?,002D8A84,00000B00,?,?), ref: 002D8E4E
CreateThread.KERNEL32(00000000,00000000,002D8E74,00000000,00000000,00000000), ref: 002D8E68

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 43aa94190e933e4b684e6f13667656317efc748bf996f1d42e3387481d153fa2
Instruction ID: 1d2e801baabe5a162762ec11f77e437d20772092f9222fab0846928bff2194a2
Opcode Fuzzy Hash: 43aa94190e933e4b684e6f13667656317efc748bf996f1d42e3387481d153fa2
Instruction Fuzzy Hash: 5701A4B5241308FFE621ABA5DC49F6B3BACEB89711F004422FA05DB6A1CA7098008A20

Function 002F9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002F947C
VariantInit.OLEAUT32(?), ref: 002F954D
VariantInit.OLEAUT32(?), ref: 002F964E
VariantClear.OLEAUT32(?), ref: 002F9658
VariantClear.OLEAUT32(?), ref: 002F96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 002F94DD, 002F960B, 002F96C3
Incorrect Object type in FOR..IN loop, xrefs: 002F9631

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: e3f9dac536b3b10dcf5f855c0f47c2f36cdaae420f66fa6c9680adae9d7583ef
Instruction ID: bba6a00bf585f6eeeb8c517e8c61b3921e41f954b64573288688e3ed8fd31ac0
Opcode Fuzzy Hash: e3f9dac536b3b10dcf5f855c0f47c2f36cdaae420f66fa6c9680adae9d7583ef
Instruction Fuzzy Hash: 4591BD70A20209ABDF25DFA5C884FAEF7B8EF45750F108129F605EB280D7709995CFA0

Function 00306FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00307093
SendMessageW.USER32(?,00001036,00000000,?), ref: 003070A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003070C1
_wcscat.LIBCMT ref: 0030711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00307133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00307161

Strings

SysListView32, xrefs: 00307065

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: af622ddb0bd990a4954b190f53da7d15ad512634458ae5a35f66aa51b04594a7
Instruction ID: 604196aa7660408733fe0bc7f687a9cf9bf299abe81a872d03f3fa54f3af2102
Opcode Fuzzy Hash: af622ddb0bd990a4954b190f53da7d15ad512634458ae5a35f66aa51b04594a7
Instruction Fuzzy Hash: BE41A171A05308AFEB229F64CC95BEEB7A8EF08350F11052AF584E71D1D672AD958B60

Function 002FEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 002E3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 002E3EB6
Part of subcall function 002E3E91: Process32FirstW.KERNEL32(00000000,?), ref: 002E3EC4
Part of subcall function 002E3E91: CloseHandle.KERNEL32(00000000), ref: 002E3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002FECB8
GetLastError.KERNEL32 ref: 002FECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 002FECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 002FED77
GetLastError.KERNEL32(00000000), ref: 002FED82
CloseHandle.KERNEL32(00000000), ref: 002FEDB7

Strings

SeDebugPrivilege, xrefs: 002FECD6

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9de8669b95ef57dfb85644053d75f6a13dff6d7e7901e65de05547ba06152128
Instruction ID: 8fb476c8c3e783b12ee490e370c4a30d8b6293a1829a9d73fc7d588421bb420f
Opcode Fuzzy Hash: 9de8669b95ef57dfb85644053d75f6a13dff6d7e7901e65de05547ba06152128
Instruction Fuzzy Hash: 1141BF302242059FDB26EF14CC95F7DB7A9AF40714F188069F9429B6D2CBB5AC24CF91

Function 002E3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002E32C5

Strings

info, xrefs: 002E3266
question, xrefs: 002E327E
blank, xrefs: 002E3247
warning, xrefs: 002E32AE
stop, xrefs: 002E3296

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a9fb4b02059f333620ef56a3923bdf4ad0143e134faf48b52dd4cbf0b4885e42
Instruction ID: 9f66750cb53bee00d531fedf691c01787cf2e28c9535921d620012992b540aeb
Opcode Fuzzy Hash: a9fb4b02059f333620ef56a3923bdf4ad0143e134faf48b52dd4cbf0b4885e42
Instruction Fuzzy Hash: FF115B316A83C77BEB02DE56DC86CABB3DCDF19371F10002AFE4497181DAA59F2009A5

Function 002F8BC0 Relevance: 12.3, APIs: 8, Instructions: 324COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002F8BEC
CoInitialize.OLE32(00000000), ref: 002F8C19
GetRunningObjectTable.OLE32(00000000,?), ref: 002F8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 002F8E50
CoGetObject.OLE32(?,00000000,00312C0C,?), ref: 002F8EA7
SetErrorMode.KERNEL32(00000000), ref: 002F8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002F8F3A
VariantClear.OLEAUT32(?), ref: 002F8F4A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
String ID:
API String ID: 2437601815-0
Opcode ID: c1238e5b8899c6fed7966e9e61d42b17795a1a9b1566b1589ea7361c60f77e1f
Instruction ID: a1c61cb7f31b03a452c7bafa7714e0f0d70e2b5065910af9e007837c4d7ce6eb
Opcode Fuzzy Hash: c1238e5b8899c6fed7966e9e61d42b17795a1a9b1566b1589ea7361c60f77e1f
Instruction Fuzzy Hash: 21C13471218309AFD700EF24C88496BF7E9BF88788F00492DF68A9B251DB71ED55CB52

Function 002E4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002E454E
LoadStringW.USER32(00000000), ref: 002E4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002E456B
LoadStringW.USER32(00000000), ref: 002E4572
_wprintf.LIBCMT ref: 002E4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002E45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 002E4593

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: fca0e87708a53bb9243f9ee3b9da005690cab8751485cbafbb6a92dd0189d885
Instruction ID: b2ab9d9ad0a68bb6c27b0f031c3fd59bd5ba2d3faf9bd03f7aa9f85eeb2bda26
Opcode Fuzzy Hash: fca0e87708a53bb9243f9ee3b9da005690cab8751485cbafbb6a92dd0189d885
Instruction Fuzzy Hash: 680162F690120CBFE722EBA4DD89EE7776CEB08301F4005A6BB45D2051EA759E958F70

Function 00282A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,002BC417,00000004,00000000,00000000,00000000), ref: 00282ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,002BC417,00000004,00000000,00000000,00000000,000000FF), ref: 00282B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,002BC417,00000004,00000000,00000000,00000000), ref: 002BC46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,002BC417,00000004,00000000,00000000,00000000), ref: 002BC4D6

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e7ea8ab753c78b434041000eb353b089811fd9a06cec70e8bd460fd7a20fff39
Instruction ID: dec77e142d323b1e0ab582b4bac2d6fb1ad593969df0079311aa027a85130370
Opcode Fuzzy Hash: e7ea8ab753c78b434041000eb353b089811fd9a06cec70e8bd460fd7a20fff39
Instruction Fuzzy Hash: 13412B3C236681DEC73EAF28CC987BB7BA5BF46304F24841EE097465E0C675A869D711

Function 002E7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002E737F

Part of subcall function 002A0FF6: std::exception::exception.LIBCMT ref: 002A102C
Part of subcall function 002A0FF6: __CxxThrowException@8.LIBCMT ref: 002A1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002E73B6
RtlEnterCriticalSection.NTDLL(?), ref: 002E73D2
_memmove.LIBCMT ref: 002E7420
_memmove.LIBCMT ref: 002E743D
RtlLeaveCriticalSection.NTDLL(?), ref: 002E744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002E7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 002E7480

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 9da3010ba9bc88e048bd16f40c3c8f32ba2464d48933bb4ddae3a3741b2c0a63
Instruction ID: de8194db9f5a352d5911cfbeb2f8f05f7a8de716065178baae4a136103e9bdb0
Opcode Fuzzy Hash: 9da3010ba9bc88e048bd16f40c3c8f32ba2464d48933bb4ddae3a3741b2c0a63
Instruction Fuzzy Hash: F4316B35904205EFCB11EF65DC85AAABBB8EF45710F1441AAF904AB246DB709A20CBA0

Function 00306442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0030645A
GetDC.USER32(00000000), ref: 00306462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0030646D
ReleaseDC.USER32(00000000,00000000), ref: 00306479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003064B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003064C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00309299,?,?,000000FF,00000000,?,000000FF,?), ref: 00306500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00306520

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ad2bc6d9a7297ed3fb8862f7428d19db581e44157a2634ff39d722947d2ab4ef
Instruction ID: ff5bd070de948e21c44c0b293a384e82e0236b4deeb592de170a404f97658cbf
Opcode Fuzzy Hash: ad2bc6d9a7297ed3fb8862f7428d19db581e44157a2634ff39d722947d2ab4ef
Instruction Fuzzy Hash: F0319F72202614BFEB228F10CC5AFEB3FADEF0A761F044066FE089A195C6759C51CB60

Function 002DC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 002DC087
_memcmp.LIBCMT ref: 002DC0A9
_memcmp.LIBCMT ref: 002DC0C1
_memcmp.LIBCMT ref: 002DC0D4
_memcmp.LIBCMT ref: 002DC0EE
_memcmp.LIBCMT ref: 002DC101
_memcmp.LIBCMT ref: 002DC119
_memcmp.LIBCMT ref: 002DC134

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c66d1719659ce199564fab4bae366799e2ca405dd4993d31fe8e66551338d258
Instruction ID: 0095a5a8487ab94f94c8e2002e918545f4de38ae9aa218165558fa7861b79ac6
Opcode Fuzzy Hash: c66d1719659ce199564fab4bae366799e2ca405dd4993d31fe8e66551338d258
Instruction Fuzzy Hash: 2B21D771670217BBD219A9209C42FEB235CAF257A5F284022FE09D6382EB51DD31C6E5

Function 002ED7F8 Relevance: 10.8, APIs: 7, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

CoInitialize.OLE32(00000000), ref: 002ED855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002ED8E8
SHGetDesktopFolder.SHELL32(?), ref: 002ED8FC
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002ED9B7
_memset.LIBCMT ref: 002EDA4C
SHBrowseForFolderW.SHELL32(?), ref: 002EDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002EDAAB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
String ID:
API String ID: 3008154123-0
Opcode ID: fe8dcea6f23b9bb6b5b1d8ae3903505621d68306c0efc983a53946cb8e0a7f6f
Instruction ID: 5bbc4498c8a6f6db7bee8c699af19438d652dbc6ac24f3f5259c4f578a88eedf
Opcode Fuzzy Hash: fe8dcea6f23b9bb6b5b1d8ae3903505621d68306c0efc983a53946cb8e0a7f6f
Instruction Fuzzy Hash: AAB1F975A10109AFDB14DFA5C888EAEBBB9EF48304B148469F909EB251DB30EE51CF50

Function 00281424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62213c8c113e1606b13697bd972527b76e1b0d5f69c92ebc0c12968b3fc0aaa2
Instruction ID: b025df01c5afcb06fe5d8de7e277da6c8dbc9cb54a4d5c762a360d55b3203350
Opcode Fuzzy Hash: 62213c8c113e1606b13697bd972527b76e1b0d5f69c92ebc0c12968b3fc0aaa2
Instruction Fuzzy Hash: 66717B34911109EFCB15AF98CC48ABEBB78FF85310F108159F915AA2D1C774AA72CFA0

Function 0030B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(017E29F0), ref: 0030B6A5
IsWindowEnabled.USER32(017E29F0), ref: 0030B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0030B795
SendMessageW.USER32(017E29F0,000000B0,?,?), ref: 0030B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0030B809
GetWindowLongW.USER32(017E29F0,000000EC), ref: 0030B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0030B843

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 81b15e18aaf3c226ce33c95d9b5232c8a0e4cd7984b35bd4087bed82d25bc110
Instruction ID: ef90336808d68b2c36fd618b54f6db4a4a356194b433955120ed516d8cfa67e1
Opcode Fuzzy Hash: 81b15e18aaf3c226ce33c95d9b5232c8a0e4cd7984b35bd4087bed82d25bc110
Instruction Fuzzy Hash: 6971A238602208AFDB23DF64C8B5FAAFBB9FF49700F154069E945972E1C732A851DB50

Function 002F86D0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

CoInitialize.OLE32 ref: 002F8718
VariantInit.OLEAUT32(?), ref: 002F8890
VariantClear.OLEAUT32(?), ref: 002F88F1

Strings

NULL Pointer assignment, xrefs: 002F87C8
Invalid parameter, xrefs: 002F880F
Failed to create object, xrefs: 002F878E, 002F8844

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Variant$ClearInitInitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 4106155388-1287834457
Opcode ID: c54aa1a5d6773b0673c82853a8889c64b8db0b1b49e3e69a24a4d36dbec3425e
Instruction ID: 0fc4d66d945a1d06e74c7e632c9db175e02ca87a7905198e7dd24ba22208e4b8
Opcode Fuzzy Hash: c54aa1a5d6773b0673c82853a8889c64b8db0b1b49e3e69a24a4d36dbec3425e
Instruction Fuzzy Hash: 0D61F3346287059FD710EF24C884B6BF7E8AF48794F14482DFA859B291DB70ED54CB92

Function 002FF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002FF75C
_memset.LIBCMT ref: 002FF825
ShellExecuteExW.SHELL32(?), ref: 002FF86A

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

Part of subcall function 0029FEC6: _wcscpy.LIBCMT ref: 0029FEE9

GetProcessId.KERNEL32(00000000), ref: 002FF8E1
CloseHandle.KERNEL32(00000000), ref: 002FF910

Strings

@, xrefs: 002FF839

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 25e87c355404883dfc59b367d50c8367358bcc75c67fa554470dc6697950b74f
Instruction ID: 1f0a5ecd48f7a47e1e9a6d4a32b2fa8184c3346b53a903b0efc2211621022c34
Opcode Fuzzy Hash: 25e87c355404883dfc59b367d50c8367358bcc75c67fa554470dc6697950b74f
Instruction Fuzzy Hash: 0D618C79A106199FCB14EF94C580AAEFBF4FF48350F148469E956AB391CB30AD61CF90

Function 002E145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 002E149C
GetKeyboardState.USER32(?), ref: 002E14B1
SetKeyboardState.USER32(?), ref: 002E1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 002E1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 002E155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 002E15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002E15C8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c80da85cbd743fd548b4aefa04b8b9085730bb633362f350cbb71a3ec268dd17
Instruction ID: d9bc02164e84a6fe7fd5194fd2ecc03878a8282c79314f662d99269a932526b0
Opcode Fuzzy Hash: c80da85cbd743fd548b4aefa04b8b9085730bb633362f350cbb71a3ec268dd17
Instruction Fuzzy Hash: 335114B06A43D63EFB324A368C45BBABEA96B46304F8C44A9E1D5458C2C3F4DCB4D750

Function 002E1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002E12B5
GetKeyboardState.USER32(?), ref: 002E12CA
SetKeyboardState.USER32(?), ref: 002E132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002E1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002E1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002E13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002E13D9

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8004da8b61dc423e055abf9fb30386546a4959eb24b4747d59b5b38b4c858b73
Instruction ID: 4d7dcc5cd6fdcef76d1a250c2cfbd421dcc4ec3d309c1032c73c2e6a491ca485
Opcode Fuzzy Hash: 8004da8b61dc423e055abf9fb30386546a4959eb24b4747d59b5b38b4c858b73
Instruction Fuzzy Hash: F05105B05A42D63DFB328A268C55BBABFA95B07300F4845E9E1D446CC2D3A4ACB4D750

Function 002E589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 002E58AC
_wcsncpy.LIBCMT ref: 002E58E1
_wcsncpy.LIBCMT ref: 002E5913
_wcsncpy.LIBCMT ref: 002E5946
_wcsncpy.LIBCMT ref: 002E5988
_wcsncpy.LIBCMT ref: 002E59C2
_wcsncpy.LIBCMT ref: 002E59F1

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 624b2c768735b7cb3ef74afbb60239fd9805f2a0f91e3ae8e04ba7af47a23296
Instruction ID: 732e4f04a17c640e13cbb635e80b4e02cba94678c7aa693526f49d3efcaed819
Opcode Fuzzy Hash: 624b2c768735b7cb3ef74afbb60239fd9805f2a0f91e3ae8e04ba7af47a23296
Instruction Fuzzy Hash: 6D4195A5C30524B7DB10FBB58D86ACFB7AC9F05310F508562F914E3211EA34E764CBA5

Function 0030A2C5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

ata, xrefs: 0030A344

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID: ata
API String ID: 0-3350369593
Opcode ID: 1d13d8206e729f0e286a7c368d559e2d54bb337f5815498af49d5e2c6c058b45
Instruction ID: f997751a127a6ccf8d3c9d98334db66852e7fff1617edc3b5cb2bd019059eec9
Opcode Fuzzy Hash: 1d13d8206e729f0e286a7c368d559e2d54bb337f5815498af49d5e2c6c058b45
Instruction Fuzzy Hash: 4441193D902704AFC722DF28EC64FA9BBA8FB09310F1641A5F855A72E1D770AD41DB51

Function 002E38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002E38D3,?), ref: 002E48C7

Part of subcall function 002E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002E38D3,?), ref: 002E48E0

lstrcmpiW.KERNEL32(?,?), ref: 002E38F3
_wcscmp.LIBCMT ref: 002E390F
MoveFileW.KERNEL32(?,?), ref: 002E3927
_wcscat.LIBCMT ref: 002E396F
SHFileOperationW.SHELL32(?), ref: 002E39DB

Strings

\*.*, xrefs: 002E3969

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 11121cc471fb574852ad8d23636f0b06daf9d4e349683417ae31dd74178aaa31
Instruction ID: 897902ac9fda7ac20b98d9451110d3b81cc5b1bb0afaae0d530797289b520f48
Opcode Fuzzy Hash: 11121cc471fb574852ad8d23636f0b06daf9d4e349683417ae31dd74178aaa31
Instruction Fuzzy Hash: B441C3710593859EC751EF65C4859DFB7ECAF89340F80082EF489C3152EB74D298CB52

Function 00307500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00307519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003075C0
IsMenu.USER32(?), ref: 003075D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00307620
DrawMenuBar.USER32 ref: 00307633

Strings

0, xrefs: 0030750D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 40aed7b585f90e20f77904763b91ba285f61ea354e1fda201f7dc26cf7fc83f9
Instruction ID: 223981dba5062634513d7a54e87d984c1704be756f860aadc90bdbdcef14ed2d
Opcode Fuzzy Hash: 40aed7b585f90e20f77904763b91ba285f61ea354e1fda201f7dc26cf7fc83f9
Instruction Fuzzy Hash: 22414975A06608EFDB21DF54D894E9ABBF8FF09314F058029E9169B290D731BD50CFA0

Function 0030122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0030125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00301286
FreeLibrary.KERNEL32(00000000), ref: 0030133D

Part of subcall function 0030122D: RegCloseKey.ADVAPI32(?), ref: 003012A3
Part of subcall function 0030122D: FreeLibrary.KERNEL32(?), ref: 003012F5
Part of subcall function 0030122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00301318

RegDeleteKeyW.ADVAPI32(?,?), ref: 003012E0

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: dffb6b68bd6eaa01707ad53e23e70757dbb7a0894b218a76c07ba571ecd86068
Instruction ID: 6508ae36cd227f4d56ec3899fcc2e06956c384105b1c8dcf1732897f871333be
Opcode Fuzzy Hash: dffb6b68bd6eaa01707ad53e23e70757dbb7a0894b218a76c07ba571ecd86068
Instruction Fuzzy Hash: EA313E75902109BFDB16DB94DC99EFFB7BCEF08300F0001AAE501E2591DB749E859BA0

Function 0030653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0030655B
GetWindowLongW.USER32(017E29F0,000000F0), ref: 0030658E
GetWindowLongW.USER32(017E29F0,000000F0), ref: 003065C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003065F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0030661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00306630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0030664A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: fadb544501631272a405f75563e1496d8fdf4844fe96c6012460d3d495993101
Instruction ID: a648f844ba4a1412d8b37f0a5c902db261e194ac0f04da74cc9b9b4327ac4460
Opcode Fuzzy Hash: fadb544501631272a405f75563e1496d8fdf4844fe96c6012460d3d495993101
Instruction Fuzzy Hash: 72310334606214AFDB228F18DCA6F5537E9FB4A710F1A0169F5018F2FACB62A850DB41

Function 002F6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002F80A0: inet_addr.WS2_32(00000000), ref: 002F80CB

socket.WS2_32(00000002,00000001,00000006), ref: 002F64D9
WSAGetLastError.WS2_32(00000000), ref: 002F64E8
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 002F6521
connect.WSOCK32(00000000,?,00000010), ref: 002F652A
WSAGetLastError.WS2_32 ref: 002F6534
closesocket.WS2_32(00000000), ref: 002F655D
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 002F6576

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 82a13cddf013f04362a3ad4791ec55398b9fa7f6b134f0b2c8832fb185303c16
Instruction ID: e763dcef51581dad59bae0a6add19645e3bb6dc56b0e8be546e7943c6b0a7444
Opcode Fuzzy Hash: 82a13cddf013f04362a3ad4791ec55398b9fa7f6b134f0b2c8832fb185303c16
Instruction Fuzzy Hash: 9C31B531610218AFDB20AF64CC89BBEB7ADEB44754F048079FA05A7291CB70AD54CFA1

Function 0030783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00281D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00281D73
Part of subcall function 00281D35: GetStockObject.GDI32(00000011), ref: 00281D87
Part of subcall function 00281D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00281D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003078A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003078AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003078B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003078C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003078D4

Strings

Msctls_Progress32, xrefs: 00307872

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 18fd5f0498a1c1963a61c73f29ae890f34129babdab509c67767650b22a519ba
Instruction ID: e2a087f5a9072794a6e787769766eb5065f877d5d8bbd27294275928d4ad0659
Opcode Fuzzy Hash: 18fd5f0498a1c1963a61c73f29ae890f34129babdab509c67767650b22a519ba
Instruction Fuzzy Hash: EB11B6B1511119BFEF159F60CC86EE77F5DEF08758F018115F604A6090C772AC21DBA0

Function 002A41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 002A41E3
GetProcAddress.KERNEL32(00000000), ref: 002A41EA
RtlEncodePointer.NTDLL(00000000), ref: 002A41F6
RtlDecodePointer.NTDLL(00000001), ref: 002A4213

Strings

RoInitialize, xrefs: 002A41D2
combase.dll, xrefs: 002A41DE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 5f7b8cd6d209f3c12030892718be1b3d7dc4999edc9fba5896545d65b6e16634
Instruction ID: d4110519715ef1e54f86370167b91344b474ca8b782d8d88c2a4839dfa56bde9
Opcode Fuzzy Hash: 5f7b8cd6d209f3c12030892718be1b3d7dc4999edc9fba5896545d65b6e16634
Instruction Fuzzy Hash: 74E01AF8691341AFEB226FB0EC19B453AACB766706F108435F421E94E0DFB564E18F00

Function 002A429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002A41B8), ref: 002A42B8
GetProcAddress.KERNEL32(00000000), ref: 002A42BF
RtlEncodePointer.NTDLL(00000000), ref: 002A42CA
RtlDecodePointer.NTDLL(002A41B8), ref: 002A42E5

Strings

RoUninitialize, xrefs: 002A42A7
combase.dll, xrefs: 002A42B3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 8b8df7b0f06c4cf825f068825736578afac63091a13172987052c29ac0f6c8af
Instruction ID: ae6c351c47a4432f2509b7b0b538dd7dafe5856b8ca500725aa2ac159fdec285
Opcode Fuzzy Hash: 8b8df7b0f06c4cf825f068825736578afac63091a13172987052c29ac0f6c8af
Instruction Fuzzy Hash: FFE0BF7C5523019FDB269F60FC1EB453AACB715742F204436F411E54A0CFB49590CA14

Function 002F6E17 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 002F6F14
WSAGetLastError.WS2_32(00000000), ref: 002F6F48
htons.WS2_32(?), ref: 002F6FFE
inet_ntoa.WS2_32(?), ref: 002F6FBB

Part of subcall function 002DAE14: _strlen.LIBCMT ref: 002DAE1E
Part of subcall function 002DAE14: _memmove.LIBCMT ref: 002DAE40

_strlen.LIBCMT ref: 002F7058
_memmove.LIBCMT ref: 002F70C1

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: e04a454209d6158d35d31546b69561d3c44ea0637f59bfd467eb2b3f04f0d814
Instruction ID: 64fdc49108eb3cd9b36c84fedd62e69f3495129b3455a2199e69812bb5f04460
Opcode Fuzzy Hash: e04a454209d6158d35d31546b69561d3c44ea0637f59bfd467eb2b3f04f0d814
Instruction Fuzzy Hash: 2581DC36128204AFD710EF24CC86F7BB3E9AF84754F14492DF6569B2D2DA719D20CB92

Function 002E675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002E68AD
_memmove.LIBCMT ref: 002E67E8

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

_memmove.LIBCMT ref: 002E685B
_memmove.LIBCMT ref: 002E6942
_memmove.LIBCMT ref: 002E695B
_memmove.LIBCMT ref: 002E6977

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 6369318ef1cbfef12513b9b6e259db3f107f4f6723b18a0a13404d987d40ca24
Instruction ID: d7880aa2637cda3f80dd839a854fb2c567821b355b31a58eba8f10da074acc9e
Opcode Fuzzy Hash: 6369318ef1cbfef12513b9b6e259db3f107f4f6723b18a0a13404d987d40ca24
Instruction Fuzzy Hash: 4D61993456029A9FCF11FF21CC86EFE77A8AF05348F484519F85A6B292DA70A865CF50

Function 0030046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 003010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00300038,?,?), ref: 003010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00300548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00300588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003005AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003005D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00300617
RegCloseKey.ADVAPI32(00000000), ref: 00300624

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: c2e70ecf2a7361f99ccb059bd893ca12ca94741491596ada9677765acbcb3649
Instruction ID: 6cbdfc0554922c207cd79b13c29d81800261bb232860ff70d8ca45279f5d83a6
Opcode Fuzzy Hash: c2e70ecf2a7361f99ccb059bd893ca12ca94741491596ada9677765acbcb3649
Instruction Fuzzy Hash: A9517731219200AFDB15EB24C895E6FBBE9FF89314F04492EF585872A2DB31E914CF52

Function 00305A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00305A82
GetMenuItemCount.USER32(00000000), ref: 00305AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00305AE1
GetMenuItemID.USER32(?,?), ref: 00305B50
GetSubMenu.USER32(?,?), ref: 00305B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00305BAF

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 44abf61a852cd26c0ce45fe0240e0175d165b5e07aebec09eb64569b1ece8125
Instruction ID: 4c4e523c345b3ff32fd6c27c5dbacf7f56fdd24f4f4602f4d2eebc7d6f54f031
Opcode Fuzzy Hash: 44abf61a852cd26c0ce45fe0240e0175d165b5e07aebec09eb64569b1ece8125
Instruction Fuzzy Hash: 91517F35A02615AFCB16EFA4C855AAEB7B4EF48310F15446AE812B7391CB70BE41CF90

Function 002DF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002DF3F7
VariantClear.OLEAUT32(00000013), ref: 002DF469
VariantClear.OLEAUT32(00000000), ref: 002DF4C4
_memmove.LIBCMT ref: 002DF4EE
VariantClear.OLEAUT32(?), ref: 002DF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002DF569

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: acf7741e5a6a1e1a0aea63c844f9fd81f5bc57495e220b7c78f197a1da188f4c
Instruction ID: af8173fe0ad250b3afead7c95e2d308b9b7cfb4d8338546890ed8912c206b1d4
Opcode Fuzzy Hash: acf7741e5a6a1e1a0aea63c844f9fd81f5bc57495e220b7c78f197a1da188f4c
Instruction Fuzzy Hash: F75158B5A1020AAFCB10CF58D880AAAB7F8FF4C314F15816AED59DB301D730E911CBA0

Function 002E26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002E2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002E2792
IsMenu.USER32(00000000), ref: 002E27B2
CreatePopupMenu.USER32 ref: 002E27E6
GetMenuItemCount.USER32(000000FF), ref: 002E2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002E2875

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 822ae5731d650580fca19a765e2607132942f18a4aa4d600f1ad1d3f9ad1f746
Instruction ID: 81a93ca3f2fff7b945885a4b56472e262a4efcac7f361324d7d78ab88c3ff641
Opcode Fuzzy Hash: 822ae5731d650580fca19a765e2607132942f18a4aa4d600f1ad1d3f9ad1f746
Instruction Fuzzy Hash: 0851D470950386DFDF25CF6AC888BAEBBFCBF05314F50416AE4169B291D7708928CB61

Function 00281765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0028179A
GetWindowRect.USER32(?,?), ref: 002817FE
ScreenToClient.USER32(?,?), ref: 0028181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0028182C
EndPaint.USER32(?,?), ref: 00281876

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: c0f8d0cb69200da9009843d2bb37ace77eb6bf7f500ffc11c56a4278236bfd0e
Instruction ID: 6aba111e923ad38a2ede9834874031f3cb8c4d86603127779db232d014a429ce
Opcode Fuzzy Hash: c0f8d0cb69200da9009843d2bb37ace77eb6bf7f500ffc11c56a4278236bfd0e
Instruction Fuzzy Hash: 4B41D3745113019FD712EF24CC85FB67BECEB46724F040629F5548B1E1C771A866DB62

Function 0030B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(003467B0,00000000,017E29F0,?,?,003467B0,?,0030B862,?,?), ref: 0030B9CC
EnableWindow.USER32(00000000,00000000), ref: 0030B9F0
ShowWindow.USER32(003467B0,00000000,017E29F0,?,?,003467B0,?,0030B862,?,?), ref: 0030BA50
ShowWindow.USER32(00000000,00000004,?,0030B862,?,?), ref: 0030BA62
EnableWindow.USER32(00000000,00000001), ref: 0030BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0030BAA9

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8b960f20b54b52f1fbdd3d7b93bf25eb2d690cd98c97f533796c6cc5492745a5
Instruction ID: 5023ee6604a189a0320ef03bacfeb494de34f46acfc66c84afed86759bea1773
Opcode Fuzzy Hash: 8b960f20b54b52f1fbdd3d7b93bf25eb2d690cd98c97f533796c6cc5492745a5
Instruction Fuzzy Hash: 47415234602245AFDB27CF18C4A9B95BBE1FF05714F1942B9FA488F6E2C731A845CB61

Function 002F73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,002F5134,?,?,00000000,00000001), ref: 002F73BF

Part of subcall function 002F3C94: GetWindowRect.USER32(?,?), ref: 002F3CA7

GetDesktopWindow.USER32 ref: 002F73E9
GetWindowRect.USER32(00000000), ref: 002F73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002F7422

Part of subcall function 002E54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002E555E

GetCursorPos.USER32(?), ref: 002F744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002F74AC

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: f728fe8f7aa82fff60c9d5d208429549dde9fcf8900f7a708a15de866fbdfe4f
Instruction ID: f859ff4bf971d14fc7ba20991025b18ca55e61c80fcfc520a104926fadcdc3e1
Opcode Fuzzy Hash: f728fe8f7aa82fff60c9d5d208429549dde9fcf8900f7a708a15de866fbdfe4f
Instruction Fuzzy Hash: C431D47251931AAFD720DF14DC49F6BBBA9FF89354F00092AF58897191CA30E919CB92

Function 002DE0B5 Relevance: 9.1, APIs: 6, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002DE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002DE120
SysAllocString.OLEAUT32(00000000), ref: 002DE123
SysAllocString.OLEAUT32 ref: 002DE144
SysFreeString.OLEAUT32 ref: 002DE14D
SysAllocString.OLEAUT32(?), ref: 002DE175

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: 9f53be45c4f36368590436179efae6a2b89dd9f7de80a6c714fb54910b9a43a7
Instruction ID: cf0f65c822c49ddf8baa820a3df4625afd7b35c6a02cb11e022ee127d08d8b69
Opcode Fuzzy Hash: 9f53be45c4f36368590436179efae6a2b89dd9f7de80a6c714fb54910b9a43a7
Instruction Fuzzy Hash: B521A131211209AFDF20BFA8DC89CAB77ECEB09760B018126F918CB660DA70DC51CB60

Function 002EED8E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

Part of subcall function 0029FEC6: _wcscpy.LIBCMT ref: 0029FEE9

_wcstok.LIBCMT ref: 002EEEFF
_wcscpy.LIBCMT ref: 002EEF8E
_memset.LIBCMT ref: 002EEFC1

Strings

X, xrefs: 002EEFFE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 517720f15758edf8e03ce1a4336c03ec977a2ed3124ccd886595e1506f9b7d57
Instruction ID: e507c46dc26a96bba4495b6aeb15f0092dbd1956aa6769f6f6f9f4cc5b0cd727
Opcode Fuzzy Hash: 517720f15758edf8e03ce1a4336c03ec977a2ed3124ccd886595e1506f9b7d57
Instruction Fuzzy Hash: 6FC1BD345293419FC724EF24C981A6AB7E4FF85310F54492DF8998B2A2DB70EC65CF82

Function 002D8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002D8608
Part of subcall function 002D85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002D8612
Part of subcall function 002D85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002D8621
Part of subcall function 002D85F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 002D8628
Part of subcall function 002D85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002D863E

GetLengthSid.ADVAPI32(?,00000000,002D8977), ref: 002D8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002D8DB8
RtlAllocateHeap.NTDLL(00000000), ref: 002D8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 002D8DD8
GetProcessHeap.KERNEL32(00000000,00000000,002D8977), ref: 002D8DEC
HeapFree.KERNEL32(00000000), ref: 002D8DF3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 78f13685cef85a405f6ace18ad6d5f5fca85f6a141d1413d2d5103ab95f8fd9d
Instruction ID: 91a38b40ad8d6aea9b525663dabfb39ff68f8340907701feca44e33ab77d060b
Opcode Fuzzy Hash: 78f13685cef85a405f6ace18ad6d5f5fca85f6a141d1413d2d5103ab95f8fd9d
Instruction Fuzzy Hash: 1B11DF72521605FFDB259F64CC18BAF777EEF54315F10406AE88593290CB319D10CB60

Function 0030C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 002812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0028134D
Part of subcall function 002812F3: SelectObject.GDI32(?,00000000), ref: 0028135C
Part of subcall function 002812F3: BeginPath.GDI32(?), ref: 00281373
Part of subcall function 002812F3: SelectObject.GDI32(?,00000000), ref: 0028139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0030C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0030C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0030C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0030C1F6
EndPath.GDI32(00000000), ref: 0030C206
StrokePath.GDI32(00000000), ref: 0030C216

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4e459a9dc6e50a3f0066e88e0897c681881bd59b414558cdf4509eddebbd0898
Instruction ID: 1eb85d4e319d25c10a60a4ff784667934b30ff9c6cceedf5e64ba1226c682ef5
Opcode Fuzzy Hash: 4e459a9dc6e50a3f0066e88e0897c681881bd59b414558cdf4509eddebbd0898
Instruction Fuzzy Hash: 7211097640110CBFDF129F95DC88FAA7FADEB09354F048022BA184A5A1C7719D55DBA0

Function 002A03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002A03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 002A03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002A03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002A03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 002A03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 002A0401

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 25f7393cf2bb388e024e2e3a7d174a09d9dd5e00b3227d7f9b1b11acb1e362de
Instruction ID: 5d43f57b4ab7e428b8ac4b4a6e44501231f8ccbc376ee32b78dc364bc745f040
Opcode Fuzzy Hash: 25f7393cf2bb388e024e2e3a7d174a09d9dd5e00b3227d7f9b1b11acb1e362de
Instruction Fuzzy Hash: DE016CB09027597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 002E568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002E569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002E56B1
GetWindowThreadProcessId.USER32(?,?), ref: 002E56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002E56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002E56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002E56E0

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 08c048e44b6b71b40290a23e96cdb1ab8c7c9fc9746b547ca965476c2386b7ca
Instruction ID: f78e3b58900ebb7ea709ded19f3be7083deb788728c1a8d322a65e3a13382006
Opcode Fuzzy Hash: 08c048e44b6b71b40290a23e96cdb1ab8c7c9fc9746b547ca965476c2386b7ca
Instruction Fuzzy Hash: A3F03032242159BFE7325BA2DC1EEEF7B7CEFC6B15F00016AFA04D1450DBA15A0186B5

Function 002E74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 002E74E5
RtlEnterCriticalSection.NTDLL(?), ref: 002E74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00291044,?,?), ref: 002E7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00291044,?,?), ref: 002E7510

Part of subcall function 002E6ED7: CloseHandle.KERNEL32(00000000,?,002E751D,?,00291044,?,?), ref: 002E6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 002E7523
RtlLeaveCriticalSection.NTDLL(?), ref: 002E752A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a987ba8a37cce1c2a94a32f61b9299fb54351cbb6aaed33e224d534c17408493
Instruction ID: c99d66bc62d5fefa3eeb503b151dec5f19a1ce7dd83f9728de5f88eac2a3cfc4
Opcode Fuzzy Hash: a987ba8a37cce1c2a94a32f61b9299fb54351cbb6aaed33e224d534c17408493
Instruction Fuzzy Hash: 36F03A3A182712EFDB222B64FC9C9EB7B3EAF45302F400932F602918A4CB755811CA90

Function 002F8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002F8928
CharUpperBuffW.USER32(?,?), ref: 002F8A37
VariantClear.OLEAUT32(?), ref: 002F8BAF

Part of subcall function 002E7804: VariantInit.OLEAUT32(00000000), ref: 002E7844
Part of subcall function 002E7804: VariantCopy.OLEAUT32(00000000,?), ref: 002E784D
Part of subcall function 002E7804: VariantClear.OLEAUT32(00000000), ref: 002E7859

Strings

Incorrect Parameter format, xrefs: 002F8960, 002F8B22
AUTOIT.ERROR, xrefs: 002F8A3D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: fa56b592ae765adfbc7c7977cb0e5d563427502f222a62a01db4c5ad64c25a39
Instruction ID: 9f2de36487c53a30bd79ba23ac1465905e3f989e1cacc515ebe489b4cf135326
Opcode Fuzzy Hash: fa56b592ae765adfbc7c7977cb0e5d563427502f222a62a01db4c5ad64c25a39
Instruction Fuzzy Hash: 2B917C756183059FC710EF24C48196AFBE4EF89744F04496EF98ACB3A2DB30E956CB52

Function 002E2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0029FEC6: _wcscpy.LIBCMT ref: 0029FEE9

_memset.LIBCMT ref: 002E3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002E30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002E3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002E3187

Strings

0, xrefs: 002E3063

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 46b91989b6eb53a133457b7f5fa30ad8ba256859c9e522e2476fd853ae243b0e
Instruction ID: 9e1ba10c4f0720901253b7d98af64192884221926e2b95a3892d4c033803fe31
Opcode Fuzzy Hash: 46b91989b6eb53a133457b7f5fa30ad8ba256859c9e522e2476fd853ae243b0e
Instruction Fuzzy Hash: BF5134312683829FD725DF29C84966BB7E8EF45361F44092DF889DB190DB70CE248B52

Function 002E2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002E2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002E2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 002E2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00346890,00000000), ref: 002E2D5A

Strings

0, xrefs: 002E2CA4

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: befdb3256a6380cf1fc3101b3de6825c359d6fba6eeef81caa9ef5e4d88b6d28
Instruction ID: 43f16a238b8dd14671acf10c3f74e9eb19f10fc8dd19093e55ef177cebc94a24
Opcode Fuzzy Hash: befdb3256a6380cf1fc3101b3de6825c359d6fba6eeef81caa9ef5e4d88b6d28
Instruction Fuzzy Hash: AC41CE30255382DFD724DF25DC40B1ABBECAF85320F54461EFA6297291D770E918CBA2

Function 002D9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 002DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002DB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002D93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002D9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 002D9439

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

Strings

ListBox, xrefs: 002D93B5
ComboBox, xrefs: 002D9380

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 47fc028eaee79a2b39a8125f18979c2807fde6c2adafe572a7ed610866dffdc0
Instruction ID: 2a2850bfe7f2d46604128fd4af81287f06e9cb0b1a9ce8ad4468808753372ebf
Opcode Fuzzy Hash: 47fc028eaee79a2b39a8125f18979c2807fde6c2adafe572a7ed610866dffdc0
Instruction Fuzzy Hash: A6210475911108AFDB15AB70CC858FFB7ACEF05360F10422AF921972E1DB754D6A8A10

Function 00306656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00281D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00281D73
Part of subcall function 00281D35: GetStockObject.GDI32(00000011), ref: 00281D87
Part of subcall function 00281D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00281D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003066D0
LoadLibraryW.KERNEL32(?), ref: 003066D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003066EC
DestroyWindow.USER32(?), ref: 003066F4

Strings

SysAnimate32, xrefs: 003066AB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 6d0cf8bede063ac1ce06ebb4f8c23cd684f1ba2e5b294771d680733d45ce6bc1
Instruction ID: 2bdb9ddf85d8479945751788c5f5c38267a3cd9622f747188a9fd3c65096700c
Opcode Fuzzy Hash: 6d0cf8bede063ac1ce06ebb4f8c23cd684f1ba2e5b294771d680733d45ce6bc1
Instruction Fuzzy Hash: EF21CD7120120AAFEF124F64ECA2EBB77ADEB19728F110229F910960E4D772CC619760

Function 002E703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002E705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002E7091
GetStdHandle.KERNEL32(0000000C), ref: 002E70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002E70DD

Strings

nul, xrefs: 002E70D8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d2ebd788d943d4b74d8fa1b7b30e164c966418f895639a9778a26384bb8fef11
Instruction ID: 88862617e782291fe8df6f156e880ef48a264f2c44424cb782ede84d883b305f
Opcode Fuzzy Hash: d2ebd788d943d4b74d8fa1b7b30e164c966418f895639a9778a26384bb8fef11
Instruction Fuzzy Hash: F92181745A424AABDF209F3ADC05A9A77B8AF54720F604A19FCA1D72D0E7B099608B50

Function 002E710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002E712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002E715D
GetStdHandle.KERNEL32(000000F6), ref: 002E716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002E71A8

Strings

nul, xrefs: 002E71A3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: cd094dde4aa2a03956d2e2d3230f52ffa23408c9601a163a08ba43e3f19da987
Instruction ID: 8a2bd4e5a3f21eeddcfbedd99903d273980977cad7db03e87ddf6e8dc88ca8c9
Opcode Fuzzy Hash: cd094dde4aa2a03956d2e2d3230f52ffa23408c9601a163a08ba43e3f19da987
Instruction Fuzzy Hash: A0210334594386ABDF209F2ADC04A9AB7ECAF55330F600A19FCB4DB2D0D7B09861CB50

Function 002EAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002EAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002EAF13
__swprintf.LIBCMT ref: 002EAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0030F910), ref: 002EAF6A

Strings

%lu, xrefs: 002EAF26

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 7b778c20ab55e74f0873b544f77161f1403c1182deceda287583140e034e97d6
Instruction ID: f7e92c136bc09ad1ae4bec43fc654f02a58e9f06a684cf1ccd347f2e8a0fce58
Opcode Fuzzy Hash: 7b778c20ab55e74f0873b544f77161f1403c1182deceda287583140e034e97d6
Instruction Fuzzy Hash: FD217134A00209AFCB10EF65CC85EEE7BB8EF89704B004069F909EB251DB71EA51CF61

Function 002DA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

Part of subcall function 002DA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002DA399
Part of subcall function 002DA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 002DA3AC
Part of subcall function 002DA37C: GetCurrentThreadId.KERNEL32 ref: 002DA3B3
Part of subcall function 002DA37C: AttachThreadInput.USER32(00000000), ref: 002DA3BA

GetFocus.USER32 ref: 002DA554

Part of subcall function 002DA3C5: GetParent.USER32(?), ref: 002DA3D3

GetClassNameW.USER32(?,?,00000100), ref: 002DA59D
EnumChildWindows.USER32(?,002DA615), ref: 002DA5C5
__swprintf.LIBCMT ref: 002DA5DF

Strings

%s%d, xrefs: 002DA5D9

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 490649bc6dde6a7ec7f5c89c880f0184f958d57f19db22cabee8f037526e922b
Instruction ID: 0079012eca888feb610f039fe4264ab2d7e6c217431d99d611ed688d8fbe96d4
Opcode Fuzzy Hash: 490649bc6dde6a7ec7f5c89c880f0184f958d57f19db22cabee8f037526e922b
Instruction Fuzzy Hash: 96119371610209BBDF117F64DC86FEA376D9F48700F1440B6B9089A292CB749D658B75

Function 002E2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002E2048

Strings

APPEND, xrefs: 002E2081
EXISTS, xrefs: 002E2070
KEYS, xrefs: 002E205F
REMOVE, xrefs: 002E204E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 74505d3899b0e8506d296c438e79b90cc44c2a68a822f8c9a0affd22c3d94e82
Instruction ID: 28f6dfdde611d7ec1a0c4b6e83267d12dd294e69598ec56c66fe7c35ca1b0b26
Opcode Fuzzy Hash: 74505d3899b0e8506d296c438e79b90cc44c2a68a822f8c9a0affd22c3d94e82
Instruction Fuzzy Hash: 72115E7596010ACFCF00EFA4D8D14EEB7B4FF6A304F508469D85667292DB32592ACF50

Function 002F8F5B Relevance: 7.9, APIs: 5, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0030F910), ref: 002F903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0030F910), ref: 002F9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002F91EB
SysFreeString.OLEAUT32(?), ref: 002F9215

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 01566f7816185e58729f1609c1af97d330c3487a93c622f5500ce14b73f7d7ec
Instruction ID: 8734714bb7acdbe03b2e4b6567c3fbe9a78053fc197a667cf7277a2abc16f217
Opcode Fuzzy Hash: 01566f7816185e58729f1609c1af97d330c3487a93c622f5500ce14b73f7d7ec
Instruction Fuzzy Hash: B8F12B7191010AEFDB14DF94C888EBEB7B9FF49354F1080A9F615AB290DB31AD95CB50

Function 002FEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002FEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 002FEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002FF07E
CloseHandle.KERNEL32(?), ref: 002FF0FF

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 8259350b4c3aabf42acf167ddd2f9d350a820a97f7803ab6ec490d0baa611790
Instruction ID: 00b11f2f6943b4e13ca38ad1b40fb4e544d751386d82045396bbef9ec56d8097
Opcode Fuzzy Hash: 8259350b4c3aabf42acf167ddd2f9d350a820a97f7803ab6ec490d0baa611790
Instruction Fuzzy Hash: 718173756253019FD724EF28C886F2AB7E5AF48B10F14882DF59AD72D2DB70AC508F51

Function 003002C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 003010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00300038,?,?), ref: 003010BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00300388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003003C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0030040E
RegCloseKey.ADVAPI32(?,?), ref: 0030043A
RegCloseKey.ADVAPI32(00000000), ref: 00300447

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: f4c85bc15552055f62b76e6315ed53e2d8d4014aa389d3bda02cfacbf79d9bc9
Instruction ID: e1188ea7842e99453b828029f3223401aa41e32d8166d0011b1e6c9f8c5c6e2b
Opcode Fuzzy Hash: f4c85bc15552055f62b76e6315ed53e2d8d4014aa389d3bda02cfacbf79d9bc9
Instruction Fuzzy Hash: 66516735219200AFD705EB68C891F6EB7E8FF88304F44896EB595872A2DB30E914CF52

Function 002EE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002EE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002EE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002EE8F2

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002EE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002EE91F

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: c55c64febebe0072fea5107041ef49fd7a9a4a9d981f61b2d6b46a76a6e3c561
Instruction ID: bf14f3a705c48e73c91f6440980921538c044bb940e3050979b8e4302d4800a7
Opcode Fuzzy Hash: c55c64febebe0072fea5107041ef49fd7a9a4a9d981f61b2d6b46a76a6e3c561
Instruction Fuzzy Hash: 62513D39A11215DFCF11EF65C9819ADBBF5EF09310B188099E849AB3A2CB31ED61CF50

Function 00282344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00282357
ScreenToClient.USER32(003467B0,?), ref: 00282374
GetAsyncKeyState.USER32(00000001), ref: 00282399
GetAsyncKeyState.USER32(00000002), ref: 002823A7

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a45fb57368cb4a2a8bbfeee0e98b9174204d670e16006f455cd3d498a509f1b8
Instruction ID: de27d8d94e5d1e23a730f5e00c8679fcc608a4a243cceacf5bc2f0045da2c8a0
Opcode Fuzzy Hash: a45fb57368cb4a2a8bbfeee0e98b9174204d670e16006f455cd3d498a509f1b8
Instruction Fuzzy Hash: FA41C13952511AFFDF15AF68C854AE9BB74FB05360F20435AF828A62E0C7706964DF90

Function 002D6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D695D
TranslateAcceleratorW.USER32(?,?,?), ref: 002D69A9
TranslateMessage.USER32(?), ref: 002D69D2
DispatchMessageW.USER32(?), ref: 002D69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002D69EB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 76af6d7a414a833a5814493607d1dcab93240fa9c832339ab7d88582d53b281a
Instruction ID: 9f12190c5a84afb3198d80e9995e1ddf263b31557a58f4efa00655c5e257da1b
Opcode Fuzzy Hash: 76af6d7a414a833a5814493607d1dcab93240fa9c832339ab7d88582d53b281a
Instruction Fuzzy Hash: 55310430520247AEDB21CF748C9DBF67BACAB03304F104127E461C66A1DB75ACA5D791

Function 002D8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002D8F12
PostMessageW.USER32(?,00000201,00000001), ref: 002D8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002D8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 002D8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002D8FDA

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 1938164809c7939e7ad927e6b707ee29708858e30381c52b480eb253b70a3f21
Instruction ID: e531fe4e3e92b655bdb0c765f232de340761d56b857427b63008a86673dd20d2
Opcode Fuzzy Hash: 1938164809c7939e7ad927e6b707ee29708858e30381c52b480eb253b70a3f21
Instruction Fuzzy Hash: 3731CE7150021AEFDB14CF68DD4CAAE7BBAFB04315F10422AF925EA2D0C7B09D24DB91

Function 002DB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002DB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002DB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002DB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002DB742
_wcsstr.LIBCMT ref: 002DB74C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 627dc8015e94ad53c69ac979b2ed075bf1776b12f33ce7d77c6f4b5521ada8e0
Instruction ID: 9355f9244d3d389aea4fbf5da30f802dd2757239b956de598923d175433b77f3
Opcode Fuzzy Hash: 627dc8015e94ad53c69ac979b2ed075bf1776b12f33ce7d77c6f4b5521ada8e0
Instruction Fuzzy Hash: 2D210A32214245FBEB265F399C59E7BBB9CDF45760F01402BFC05CA2A1EF61DC6196A0

Function 0030B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00282612: GetWindowLongW.USER32(?,000000EB), ref: 00282623

GetWindowLongW.USER32(?,000000F0), ref: 0030B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0030B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0030B489
GetSystemMetrics.USER32(00000004), ref: 0030B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002F1184,00000000), ref: 0030B4D0

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 31cc1e0169d0dbcfba0eb930022574971d6f7a01aae9f6c4cf1ea67065c4e418
Instruction ID: 3aa8ace6f13caaffa0559ff5b7a0f47ca381f6ef51b84ca77191814078786d7d
Opcode Fuzzy Hash: 31cc1e0169d0dbcfba0eb930022574971d6f7a01aae9f6c4cf1ea67065c4e418
Instruction Fuzzy Hash: 1321B771516225AFCB229F39CC24A6A77A8FB05720F124739FD25D75E1E7309910DB50

Function 002D97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002D9802

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002D9834
__itow.LIBCMT ref: 002D984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002D9874
__itow.LIBCMT ref: 002D9885

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 2572962a5e8e8ab2fbabc74d81c3ac95905f1581af1511c973af091b619582ca
Instruction ID: a1d507fb79938d024a109b86684fa90dc72e4bf0844ad9ebac795d194caaeed0
Opcode Fuzzy Hash: 2572962a5e8e8ab2fbabc74d81c3ac95905f1581af1511c973af091b619582ca
Instruction Fuzzy Hash: CE210A31B11208AFDB21AE658C86EEE7BACEF4AB14F040026FD05DB381D670CD919B91

Function 002812F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0028134D
SelectObject.GDI32(?,00000000), ref: 0028135C
BeginPath.GDI32(?), ref: 00281373
SelectObject.GDI32(?,00000000), ref: 0028139C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f4cdea0bd3f68f399a61d7fd181af5bd1f718f17c606fe6cc4532ce779cca150
Instruction ID: a02317cca5bc5d11e2eb4096f8c03c8ee260c9dadd444fbb300017f2ccd12abf
Opcode Fuzzy Hash: f4cdea0bd3f68f399a61d7fd181af5bd1f718f17c606fe6cc4532ce779cca150
Instruction Fuzzy Hash: 49217478811309DFDB129F25DC057697BBCFB12322F148266F8149A5F0DB71A8B2DB91

Function 002DC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 002DC176
_memcmp.LIBCMT ref: 002DC194
_memcmp.LIBCMT ref: 002DC1A7
_memcmp.LIBCMT ref: 002DC1BF
_memcmp.LIBCMT ref: 002DC1D7

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 480d0b1c4ae995b55b1ea39fe66229fc6c79639859b01d89d1ab38729e48cbf6
Instruction ID: f69695ca604b52205866ef9dae78ef76d1dc3c267735fbf3f66e9343222804bf
Opcode Fuzzy Hash: 480d0b1c4ae995b55b1ea39fe66229fc6c79639859b01d89d1ab38729e48cbf6
Instruction Fuzzy Hash: 8A01B9B16282277BD209A9245C42FEB735C9F167A4F144112FD08D6343EAA0DE31C7E0

Function 002E4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002E4D5C
__beginthreadex.LIBCMT ref: 002E4D7A
MessageBoxW.USER32(?,?,?,?), ref: 002E4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002E4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002E4DAC

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: da214b0e278526119a29edf59b0c6a21f570269a0baad20fdc1c917eabe3fc79
Instruction ID: 88bfbdfe4459975c274c38dc493aba4d04657b6b5680dd31bd104b36a83dcff7
Opcode Fuzzy Hash: da214b0e278526119a29edf59b0c6a21f570269a0baad20fdc1c917eabe3fc79
Instruction Fuzzy Hash: 27116B76914248BFC7129FA8DC04ADB7FACEB46320F14436AF914D3250CAB18D1487A1

Function 002D874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002D8766
GetLastError.KERNEL32(?,002D822A,?,?,?), ref: 002D8770
GetProcessHeap.KERNEL32(00000008,?,?,002D822A,?,?,?), ref: 002D877F
RtlAllocateHeap.NTDLL(00000000,?,002D822A), ref: 002D8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002D879D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: e453813e331aa433a0b22859486c61301f655479ab959dccb9e3f829e9b63700
Instruction ID: d93abbdf07e1b2c816128f29750cd9affec112e6ff2ffc38c8add340bd60b0c8
Opcode Fuzzy Hash: e453813e331aa433a0b22859486c61301f655479ab959dccb9e3f829e9b63700
Instruction Fuzzy Hash: 37016275615205FFEB254FA5DC58D67BB6CFF89355B20047AF849C2260DA319C10CA60

Function 002E54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002E5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002E5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 002E5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002E5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002E555E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b5260bbbadfb4c31617e32472e2602489a9c48eefd6a51e959211e3140244046
Instruction ID: 9c6ab3d786cc870520f7b30b476e6f232c44c4c6d3b21159c51f672ad05c7892
Opcode Fuzzy Hash: b5260bbbadfb4c31617e32472e2602489a9c48eefd6a51e959211e3140244046
Instruction Fuzzy Hash: 4E016D35D61A29DBCF14DFEAE8986EDBB7DFB09705F800056E801B2540DB709560CBA1

Function 002D85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002D8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002D8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002D8621
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 002D8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002D863E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: e832c749730016635479b3bc87579d5143db4981da82c1edd1d7ec16a7067c55
Instruction ID: d038d6233764419b9f297c275d001b5e8e4cd672587593c897527427795d8688
Opcode Fuzzy Hash: e832c749730016635479b3bc87579d5143db4981da82c1edd1d7ec16a7067c55
Instruction Fuzzy Hash: 26F06235216305AFEB210FA9DC9DE6B3BACEF89764F004427F945C6250CB71DC51DAA0

Function 002D8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002D8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002D8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002D8682
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 002D8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002D869F

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 7beaf63714ebc718144572fb2b17958bda8e19c6d88c7b0f732b447e7fcb73c6
Instruction ID: 61a760f19b3b9d07658b6f5a6707d9a0b4bbcd9de2ec965665cef2e5d5b2b81a
Opcode Fuzzy Hash: 7beaf63714ebc718144572fb2b17958bda8e19c6d88c7b0f732b447e7fcb73c6
Instruction Fuzzy Hash: 60F04F75215305BFEB221FA5EC98E673BACEF89764F100027F945C7250CA71DD51DAA0

Function 002DC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 002DC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 002DC6D1
MessageBeep.USER32(00000000), ref: 002DC6E9
KillTimer.USER32(?,0000040A), ref: 002DC705
EndDialog.USER32(?,00000001), ref: 002DC71F

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 596898bca45e0e39b07bd38fa66f180ab063e3eb81b9794371737472aac6c6e8
Instruction ID: 18f9688af022fd24f30c7772be91194bf50b2e8d1d0c93fa9c0f373facc4587c
Opcode Fuzzy Hash: 596898bca45e0e39b07bd38fa66f180ab063e3eb81b9794371737472aac6c6e8
Instruction Fuzzy Hash: CE018F30411309ABEB326F24DC5EB96B7BCBB00705F14066AB582A15E0DBE1AD64CF80

Function 002813B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002813BF
StrokeAndFillPath.GDI32(?,?,002BBAD8,00000000,?), ref: 002813DB
SelectObject.GDI32(?,00000000), ref: 002813EE
DeleteObject.GDI32 ref: 00281401
StrokePath.GDI32(?), ref: 0028141C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f25e71e70a97aade191f15062dc3c5cf4ebfab648a5c6dcc0af46727af8a6886
Instruction ID: 70a65e66a07c0186fc11dd480213bb6587460d67eed0e5313865319f601f67c0
Opcode Fuzzy Hash: f25e71e70a97aade191f15062dc3c5cf4ebfab648a5c6dcc0af46727af8a6886
Instruction Fuzzy Hash: ABF0C97801670DEFDB276F26EC1D7583BACAB02326F04C225E429598F1CB3159A6DF51

Function 002D8E74 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 002D8E7F
CloseHandle.KERNEL32(?), ref: 002D8E94
CloseHandle.KERNEL32(?), ref: 002D8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 002D8EA5
HeapFree.KERNEL32(00000000), ref: 002D8EAC

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: c363f050661d414b6a6a824607bb24dd14f5533a2a1587ea8200403c0fa9b1a0
Instruction ID: ee6c5ca421a79b91e86d884785fcf96e0955ec565176d9d949dbdb1c6f95aae2
Opcode Fuzzy Hash: c363f050661d414b6a6a824607bb24dd14f5533a2a1587ea8200403c0fa9b1a0
Instruction Fuzzy Hash: 6BE0C236005201FFDA125FE1EC1C91ABB7DFB89B62B108232F21981870CB329460DB90

Function 00292E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 002A0FF6: std::exception::exception.LIBCMT ref: 002A102C
Part of subcall function 002A0FF6: __CxxThrowException@8.LIBCMT ref: 002A1041

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 00287BB1: _memmove.LIBCMT ref: 00287C0B

__swprintf.LIBCMT ref: 0029302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00292EC6

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: c7e3b6e7d0a0e8108a2d440f78288c417d49a9869db5ff98b3a42d7b58b8829f
Instruction ID: 43aab34b8c401b6e986a7663fa59e63030767f106bc07e9cc9791aae132c7d4c
Opcode Fuzzy Hash: c7e3b6e7d0a0e8108a2d440f78288c417d49a9869db5ff98b3a42d7b58b8829f
Instruction Fuzzy Hash: 98919C351283029FCB18FF24D885D6EB7E4EF85750F10491DF886972A1DB60EE64CB52

Function 002DB7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 002DB981

Strings

%1, xrefs: 002DBA24
AutoIt3GUI, xrefs: 002DB8F9
Container, xrefs: 002DB8FE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%1
API String ID: 3565006973-2747254892
Opcode ID: 4233a6413cf7f3996db6b20a62bd122137f360136dfc5348dc51150a485970ad
Instruction ID: 4a669d87459d71b84134247292816ad3ad7667cab2d787e85044b5e15139c396
Opcode Fuzzy Hash: 4233a6413cf7f3996db6b20a62bd122137f360136dfc5348dc51150a485970ad
Instruction Fuzzy Hash: CC913974620601DFDB25CF28C894B6AB7E8BF49710F25856EE94ACB791DBB0EC50CB50

Function 002A524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002A52DD

Part of subcall function 002B0340: __87except.LIBCMT ref: 002B037B

Strings

pow, xrefs: 002A52B5, 002A52D2

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 3c3f8c307bb2427ad9bd5135a1635a8c62fe39724b5bd732d57ac3f76000f2ef
Instruction ID: a23455ef2cef2db96917189df3644fdda4546bef0091cd92d85acc36f432fc35
Opcode Fuzzy Hash: 3c3f8c307bb2427ad9bd5135a1635a8c62fe39724b5bd732d57ac3f76000f2ef
Instruction Fuzzy Hash: 23515B61E3C60387CB137F14D9813EF2BE49B41790F6489A8E495451E5EF748CF49A45

Function 002A023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 002A0280
+, xrefs: 002A0277

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: a8f6ce7ad5e5be3fe5bf209912bce2b30466b6ff65f88bb9c27eaced6f569508
Instruction ID: 60703505470255674f113ef0178216affec530a001d7fd1f04e96b0bb40c3941
Opcode Fuzzy Hash: a8f6ce7ad5e5be3fe5bf209912bce2b30466b6ff65f88bb9c27eaced6f569508
Instruction Fuzzy Hash: 795132345252669FCF25DF28C4886FA7BA6EF56310F144096FC919B3A0CBB09C62CB71

Function 00293297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002933D7
_memmove.LIBCMT ref: 00293470
_free.LIBCMT ref: 00293496
_memmove.LIBCMT ref: 00293549

Strings

Oa), xrefs: 00293482

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa)
API String ID: 2620147621-3134443877
Opcode ID: ee705d3f49abb6e4126b796db8753d9f7076cd4b542262cb81886f7f3577d4bb
Instruction ID: 5b5fe2884300904e5c81b5e02379c567e830ce2666c11f767aa305d6a5a0eda1
Opcode Fuzzy Hash: ee705d3f49abb6e4126b796db8753d9f7076cd4b542262cb81886f7f3577d4bb
Instruction Fuzzy Hash: AA513A71A283429FDB24CF28C481B2BBBE5AF89314F45492DE989C7351DB31D921CF92

Function 002962F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002963A8
_memmove.LIBCMT ref: 00296446
_memset.LIBCMT ref: 0029646A

Strings

ERCP, xrefs: 00296313

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: fb0504941a479ca818de56fb224c3e2a51e67787d521f6552ec50edbbf196392
Instruction ID: f6b77488a402080a065d6802501987055a14ae95e3f0c07f5c0f894cc67d6c41
Opcode Fuzzy Hash: fb0504941a479ca818de56fb224c3e2a51e67787d521f6552ec50edbbf196392
Instruction Fuzzy Hash: 8851B47192070A9FDB24CFA5C8857AABBF4FF04714F20856EEA4AC7641E771D9A4CB40

Function 002DDA5D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002DDAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002DDB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002DDB8E

Strings

DllGetClassObject, xrefs: 002DDB01

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ErrorMode$AddressProc
String ID: DllGetClassObject
API String ID: 1548245697-1075368562
Opcode ID: 82d06e6a1662467f1641625ecda974c48bc9d28e5714ad0be55a0cb5f89ca64f
Instruction ID: dcd768b745fb6a9bff3f91b53c7ffb94dde4ce18c7983b4dd77fdb2c90be8907
Opcode Fuzzy Hash: 82d06e6a1662467f1641625ecda974c48bc9d28e5714ad0be55a0cb5f89ca64f
Instruction Fuzzy Hash: F341AEB1610608EFDB15CF54C884A9A7BA9EF48318F1181ABED059F305D7B0DD50CBA0

Function 00307648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003076D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003076E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00307708

Strings

SysMonthCal32, xrefs: 0030769B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 2595f9693f0736ea55d952948e7f6794857f3c994f42f0d9f7748ab56fe36d69
Instruction ID: 64b56060db2136438d168a17cec67c751ae9b5a3ac625679774309e11da0aed2
Opcode Fuzzy Hash: 2595f9693f0736ea55d952948e7f6794857f3c994f42f0d9f7748ab56fe36d69
Instruction Fuzzy Hash: 1721A132511219BBDF22CFA4CC56FEA3B69EF48754F110214FE156B1D0DAB2B8518BA0

Function 00306F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00306FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00306FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00306FDF

Strings

Listbox, xrefs: 00306F77

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 10c61e2e90287d537350639f085a4191f7b649005c2ad946c92e02713d09a66b
Instruction ID: 03b097c9e03d691b7cd3f9e1684ca334d8d515ee8e7084338eeb0ebed4133692
Opcode Fuzzy Hash: 10c61e2e90287d537350639f085a4191f7b649005c2ad946c92e02713d09a66b
Instruction Fuzzy Hash: B321A732612119BFDF129F54DC96FAB37AEEF89754F018124F9149B1D0C671AC61CBA0

Function 0030797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003079E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003079F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00307A03

Strings

msctls_trackbar32, xrefs: 003079B8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a815ceda8e6e9388931212144454a99fa9cc6911ff07d0b3fce5fba67851add8
Instruction ID: ee30870976564bb43f762149c0a4f1f259e029e0a3b2b6c4d6e99f9780b09fe5
Opcode Fuzzy Hash: a815ceda8e6e9388931212144454a99fa9cc6911ff07d0b3fce5fba67851add8
Instruction Fuzzy Hash: B611E732644208BBEF119F64CC15FDB77ADEF89764F024519F641A61D0D671A811CB60

Function 002FC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,002C1D88,?), ref: 002FC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002FC324

Strings

kernel32.dll, xrefs: 002FC30D
GetSystemWow64DirectoryW, xrefs: 002FC31E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 5d35e3c88f5748f6d1765318ec18e4737dc21bd4d29c8c4fe0e991b24510ba2b
Instruction ID: 549f5e5c96d809679479f53d10e6617402da0fac494752364b189d2aee103d0d
Opcode Fuzzy Hash: 5d35e3c88f5748f6d1765318ec18e4737dc21bd4d29c8c4fe0e991b24510ba2b
Instruction Fuzzy Hash: 42E08C7422130BCFCB3A4F29C814AD6B6D8EB0C3C4F90847AEA86C2650E770D850CBA0

Function 00284C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00284C2E), ref: 00284CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00284CB5

Strings

GetNativeSystemInfo, xrefs: 00284CAF
kernel32.dll, xrefs: 00284C9E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 92ceee571257dc18d51916df81c01ca047c0468af86a8111e4e2f414242862a6
Instruction ID: 1e33f59e089e50702ba941db306129538f0d40fb70348987794715adec5c8796
Opcode Fuzzy Hash: 92ceee571257dc18d51916df81c01ca047c0468af86a8111e4e2f414242862a6
Instruction Fuzzy Hash: 17D01734522723CFD731BF35DA2864676E9AF05791F11883BD886D6990E674D880CB50

Function 00284D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00284D2E,?,00284F4F,?,003462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00284D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00284D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 00284D7B
kernel32.dll, xrefs: 00284D6A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: e42c460dada8c9484bb612bb95ee0ccdd8e255eeeda0ffa397c30f13b4328ef2
Instruction ID: d31728ccd3443082f2f23ea904147dd9f272399b0f40b2734b0dea9fe07fbdd7
Opcode Fuzzy Hash: e42c460dada8c9484bb612bb95ee0ccdd8e255eeeda0ffa397c30f13b4328ef2
Instruction Fuzzy Hash: 74D0C730522313CFC732AF30C81824272E8BF04752F108C3AD883C2A90E670C880CB50

Function 00284D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00284CE1,?), ref: 00284DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00284DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00284DAE
kernel32.dll, xrefs: 00284D9D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: e3301bfa83ec826fe6fdbad319cde3cc9407b0a47b05f4d9e6877bd27729dcda
Instruction ID: 24ea653a2fa5d062fa7391cf1771c0238a3f8e999e709b96afefd7405ffbefe5
Opcode Fuzzy Hash: e3301bfa83ec826fe6fdbad319cde3cc9407b0a47b05f4d9e6877bd27729dcda
Instruction Fuzzy Hash: 1BD0C730522313CFC731AF30C818A8672E8AF08340F00883AD8C2C2990E770C880CB50

Function 00301072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,003012C1), ref: 00301080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00301092

Strings

advapi32.dll, xrefs: 0030107B
RegDeleteKeyExW, xrefs: 0030108C

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 0b51cd3277d79b5493d3bbc2ec73533835abbe5fb619b587afce4c9e9471b03a
Instruction ID: d9cc2302ba7ad9b24fee198f69efa9c9f1946a233cfbd7673cc907401f8a07f6
Opcode Fuzzy Hash: 0b51cd3277d79b5493d3bbc2ec73533835abbe5fb619b587afce4c9e9471b03a
Instruction Fuzzy Hash: 8BD01230511712CFD7325F35D868557B6E8AF05351F118D3AE8CADA590D770C4C0C650

Function 002F93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,002F9009,?,0030F910), ref: 002F9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002F9415

Strings

kernel32.dll, xrefs: 002F93FE
GetModuleHandleExW, xrefs: 002F940F

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 2495a2f79cd0c9f5bb47646ba72b9eacfa346a75d80e82083f7374901f473ebf
Instruction ID: 436b791f242e15e9cd8b14144132d926ef5e8b2a899b6cfee2dd8edb0a3530b3
Opcode Fuzzy Hash: 2495a2f79cd0c9f5bb47646ba72b9eacfa346a75d80e82083f7374901f473ebf
Instruction Fuzzy Hash: 80D0C73052071BCFE7329F31C918242B2E8BF14381F00C83AE482E2990E670C8C0CA50

Function 002D76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2671ccffd21b87b559a0e3e3c4142e7d9c5031e3d415ce45126fc4adc9e186
Instruction ID: dd2a021ce08f52e6e86707f1a9cbfcbbb3a10bee661abf4a73c00cdcd7a47ed6
Opcode Fuzzy Hash: da2671ccffd21b87b559a0e3e3c4142e7d9c5031e3d415ce45126fc4adc9e186
Instruction Fuzzy Hash: 17C18E75A14216EFDB14CFA4C894EAEB7B5FF48310B20859AE805EB350E734ED91DB90

Function 002FE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 002FE3D2
CharLowerBuffW.USER32(?,?), ref: 002FE415

Part of subcall function 002FDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002FDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 002FE615
_memmove.LIBCMT ref: 002FE628

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8cf2eb0645496b216f78a6a4c7ec851ba2df8d3fad513a0b170d44a685cb244d
Instruction ID: a4cee4fd6aa53b830b3d9f5595840a43ea79d4b19819d63a6a296dc2d7cd37d5
Opcode Fuzzy Hash: 8cf2eb0645496b216f78a6a4c7ec851ba2df8d3fad513a0b170d44a685cb244d
Instruction Fuzzy Hash: 3FC178746283058FCB05DF28C48092ABBE4FF88354F14896DF9999B361DB30E955CF82

Function 002D6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002D6E04
SysAllocString.OLEAUT32(00000000), ref: 002D6EAD
VariantCopy.OLEAUT32 ref: 002D6EDC
VariantClear.OLEAUT32(?), ref: 002D6F03

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: acf36be70a9ab82cdbfe5d3a8b85aab5fe7e1aa8ed56b23be30d7121bed521ca
Instruction ID: 606832138765c88761a9f31a7c670172332db6e5e0db79d8b8fbf8b9f88e6e4f
Opcode Fuzzy Hash: acf36be70a9ab82cdbfe5d3a8b85aab5fe7e1aa8ed56b23be30d7121bed521ca
Instruction Fuzzy Hash: 9351B6346387029EDB20AF65D895B2AB3E5AF08310F24881FE956CB7D1EA749C609F41

Function 00309A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(017F06D8,?), ref: 00309AD2
ScreenToClient.USER32(00000002,00000002), ref: 00309B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00309B72

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: aa0a018920e20c7bbe5bde284122196b0cdcef18808ba8eacb7ade755a90751f
Instruction ID: 9772f5f9dbf441658c31c751e509b652c95c294ab6f0522556a946d568b51d9e
Opcode Fuzzy Hash: aa0a018920e20c7bbe5bde284122196b0cdcef18808ba8eacb7ade755a90751f
Instruction Fuzzy Hash: 93514134A02209EFCF26DF58D891AAE7BB9FF45320F11815AF8159B2D1D730AD91CB90

Function 002EBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002EBB09
GetLastError.KERNEL32(?,00000000), ref: 002EBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002EBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002EBB80

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9fd66105458466d00c62fb79abf36483bac478038c8e1699addf1cc8eb742751
Instruction ID: 31bddd14d64341179017ae7a8c02857c3342fe69c6426b63b29be0850948ed82
Opcode Fuzzy Hash: 9fd66105458466d00c62fb79abf36483bac478038c8e1699addf1cc8eb742751
Instruction Fuzzy Hash: 04413739211651DFCF21EF15C584A2ABBE1EF49310B198499EC4A9B7A2CB30FD51CF91

Function 00308AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00308B4D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a0ad665a7c75ea815f3efc699781cfb4d4935dda566afc032092ca169afa2bfd
Instruction ID: e9a3d822379677ca23f69efdce1083fdddbb5d53157ab68e41cf69e2be18bafb
Opcode Fuzzy Hash: a0ad665a7c75ea815f3efc699781cfb4d4935dda566afc032092ca169afa2bfd
Instruction Fuzzy Hash: D931B2B4602208BFEB279F18CC65FA93BA8EB06310F254516FAD1D66E1DE31A9409B51

Function 0030ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0030AE1A
GetWindowRect.USER32(?,?), ref: 0030AE90
PtInRect.USER32(?,?,0030C304), ref: 0030AEA0
MessageBeep.USER32(00000000), ref: 0030AF11

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b343163b96bc18d897f294bc7714fea76f2b83ea742e48f4eb636fe696439d0f
Instruction ID: b410512ce43288b973b61541cfcb9bce7b790f8ced0b87f969f6b9ae8fe7a4ff
Opcode Fuzzy Hash: b343163b96bc18d897f294bc7714fea76f2b83ea742e48f4eb636fe696439d0f
Instruction Fuzzy Hash: 2941A074602719DFCB13CF58E8A4B997BF9FB4A340F1581A9E4148F291C731A841DF52

Function 002E0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002E1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 002E1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002E10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 002E110B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a1a1ca0897a01c09616e905ed20bc011eed0bb17d45602705813f1e86052d00c
Instruction ID: 8af2b1e3a74443fd825937cbbf33eec0a8a2de35e4b92614acbe0671cb59f02d
Opcode Fuzzy Hash: a1a1ca0897a01c09616e905ed20bc011eed0bb17d45602705813f1e86052d00c
Instruction Fuzzy Hash: 91315930EE06C9AEFF318E27CC05BF9BBA9AB45310F84423AE994521D0C37549F58751

Function 002E1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 002E1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 002E1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 002E11F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 002E1243

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5aa1787a4a5fff47562786eee69c7d1409fe9634552c0dfd1eb61cb8957f66b2
Instruction ID: 351acc473eb0fb0661b9f6a24665a055b9f7701872204db6eb08a9ec279e26a2
Opcode Fuzzy Hash: 5aa1787a4a5fff47562786eee69c7d1409fe9634552c0dfd1eb61cb8957f66b2
Instruction Fuzzy Hash: E1318B30AE029D5EEF308E678C047FABB6AAB49310F84433BE689861D0C37449B58751

Function 002B6415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002B644B
__isleadbyte_l.LIBCMT ref: 002B6479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002B64A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 002B64DD

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 85c345293e51f489aba7e33147fc66750aeb8d22d9b35a34f42bd3794e4affe4
Instruction ID: adc43138cbf3ed070ca793f98b84a6cae37c46ed65b34bc522c6d6bcfc1b17ac
Opcode Fuzzy Hash: 85c345293e51f489aba7e33147fc66750aeb8d22d9b35a34f42bd3794e4affe4
Instruction Fuzzy Hash: A531CF31620647AFDB358F64C848BEA7BB9FF41390F194429E85487190EB39D860DB90

Function 00305175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00305189

Part of subcall function 002E387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002E3897
Part of subcall function 002E387D: GetCurrentThreadId.KERNEL32 ref: 002E389E
Part of subcall function 002E387D: AttachThreadInput.USER32(00000000,?,002E52A7), ref: 002E38A5

GetCaretPos.USER32(?), ref: 0030519A
ClientToScreen.USER32(00000000,?), ref: 003051D5
GetForegroundWindow.USER32 ref: 003051DB

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 5c838bfb6bab791ee7fea5667c8b07e8095e9295a60a1397a375d6e4a60328f1
Instruction ID: d72018360451569d5253bc5e65f002819683c505ee4c0210d5d35260bb4f94ad
Opcode Fuzzy Hash: 5c838bfb6bab791ee7fea5667c8b07e8095e9295a60a1397a375d6e4a60328f1
Instruction Fuzzy Hash: 02314B75911108AFCB04EFA5C885AEFB7FDEF88300F14406AE406E7241EA759E50CFA0

Function 002D8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002D8669
Part of subcall function 002D8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002D8673
Part of subcall function 002D8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002D8682
Part of subcall function 002D8652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 002D8689
Part of subcall function 002D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002D869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002D8BEB
_memcmp.LIBCMT ref: 002D8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002D8C44
HeapFree.KERNEL32(00000000), ref: 002D8C4B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 7f577efbb769a69b5f26c75bcb72fa6d8f9b855e9ce741cf45ad5c0a23b12924
Instruction ID: 2999d307ee0df6bdbad1d9a00189a814d321df0c301e7ebe0f85870095330144
Opcode Fuzzy Hash: 7f577efbb769a69b5f26c75bcb72fa6d8f9b855e9ce741cf45ad5c0a23b12924
Instruction Fuzzy Hash: C1217C71E22209EFDB14DFA4C945BEEB7B8EF44354F14409AE554A7240EB31AE16CB60

Function 002A0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 002A0BF2

Part of subcall function 00285B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002E7B20,?,?,00000000), ref: 00285B8C
Part of subcall function 00285B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002E7B20,?,?,00000000,?,?), ref: 00285BB0

_fprintf.LIBCMT ref: 002A0C29
OutputDebugStringW.KERNEL32(?), ref: 002D6331

Part of subcall function 002A4CDA: _flsall.LIBCMT ref: 002A4CF3

__setmode.LIBCMT ref: 002A0C5E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 1523eac54027b6b240af37a9021ce33d034134b10998a91d4acbd187649b041d
Instruction ID: ac1585a64a14475456a9e8564f856d20f6d5a4cad8f66d9c75be152edd536237
Opcode Fuzzy Hash: 1523eac54027b6b240af37a9021ce33d034134b10998a91d4acbd187649b041d
Instruction Fuzzy Hash: A31166369242047FCB04B7B4AC879BEBB6D9F86320F14015BF204572C2DFA09CB68B91

Function 002F1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002F1A97

Part of subcall function 002F1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002F1B40
Part of subcall function 002F1B21: InternetCloseHandle.WININET(00000000), ref: 002F1BDD

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 339e9c3ef25b7b84790b65a73c262abcde78aacf4be16e5b534cf79c1b29ef7f
Instruction ID: 51e399d406a75e84ee329537272ce5e43ec6d9cda3e86d7e518166b9db9506dc
Opcode Fuzzy Hash: 339e9c3ef25b7b84790b65a73c262abcde78aacf4be16e5b534cf79c1b29ef7f
Instruction Fuzzy Hash: F821B031211609FFEB129F60CC00FBAF7ADFF44B80F50002AFA0196550EB7198359B91

Function 002DE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 002DF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002DE1C4,?,?,?,002DEFB7,00000000,000000EF,00000119,?,?), ref: 002DF5BC
Part of subcall function 002DF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 002DF5E2
Part of subcall function 002DF5AD: lstrcmpiW.KERNEL32(00000000,?,002DE1C4,?,?,?,002DEFB7,00000000,000000EF,00000119,?,?), ref: 002DF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,002DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 002DE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 002DE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,002DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 002DE237

Strings

cdecl, xrefs: 002DE22E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b46186ce4d1bdeb97ba183f5cf0be9d8893d7c55efd5442eb9714a8f7463dde8
Instruction ID: b1dcc5e87b19850b47d91924de0bc0961e508e55f288e5cf91629bc4de261ce2
Opcode Fuzzy Hash: b46186ce4d1bdeb97ba183f5cf0be9d8893d7c55efd5442eb9714a8f7463dde8
Instruction Fuzzy Hash: 5E118136110345EFCF25AF64DC4997A77B8FF45350B41402BF816CB250EB719C6197A4

Function 002B5332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002B5351

Part of subcall function 002A594C: __FF_MSGBANNER.LIBCMT ref: 002A5963
Part of subcall function 002A594C: __NMSG_WRITE.LIBCMT ref: 002A596A
Part of subcall function 002A594C: RtlAllocateHeap.NTDLL(017D0000,00000000,00000001), ref: 002A598F

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6a7544ceec6ab10aeb822a9003a9c44ada8e69689475c95737a4b6e24fe614f5
Instruction ID: b7b62d9cb3a04a9daed870b1123c86182978112ebf6371c6a29c8d0d0ca028b3
Opcode Fuzzy Hash: 6a7544ceec6ab10aeb822a9003a9c44ada8e69689475c95737a4b6e24fe614f5
Instruction Fuzzy Hash: FE11C432935E26AFCB312F74A85579E37D85F163E0F2004AAF9449E291DFB589708B90

Function 00284531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00284560

Part of subcall function 0028410D: _memset.LIBCMT ref: 0028418D
Part of subcall function 0028410D: _wcscpy.LIBCMT ref: 002841E1
Part of subcall function 0028410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002841F1

KillTimer.USER32(?,00000001,?,?), ref: 002845B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002845C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002BD6CE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 987d5898202b69e95639b826382c7953558dfe184b89fc4374e8c110fd1b65e4
Instruction ID: 89f0710f18e2c1293355b935518b98b53d0ec8d1cc82477acbe3208125644731
Opcode Fuzzy Hash: 987d5898202b69e95639b826382c7953558dfe184b89fc4374e8c110fd1b65e4
Instruction Fuzzy Hash: E4216B74915384AFEB33AF24DC55BEBBBEC9F11304F04009EE29E56281D7B42A94CB41

Function 002E40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002E40D1
_memset.LIBCMT ref: 002E40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002E4144
CloseHandle.KERNEL32(00000000), ref: 002E414D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: a4a9a6d03c1b23e45be7d4fc5f3e291f8bfaa191ef5113402d3a8e1974504e9c
Instruction ID: 64f681c1607b2911b226b66ecaa9992c150645e30f31009a4d783ad9beb225db
Opcode Fuzzy Hash: a4a9a6d03c1b23e45be7d4fc5f3e291f8bfaa191ef5113402d3a8e1974504e9c
Instruction Fuzzy Hash: 4011E7759522287AD730ABA5AC4DFABBB7CEF45760F1041AAF908D7180D6744E808BA4

Function 002D8AF9 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002D8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 002D8B31
CloseHandle.KERNEL32(00000004), ref: 002D8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002D8B7A

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 614c1abdc431943530fa7d90dde7807c95de1b7a97a5bb885abe8fc7de180714
Instruction ID: af060984f87ddddf8b7c3cef46f7238bc36a299812b312b562b11d6047f104a4
Opcode Fuzzy Hash: 614c1abdc431943530fa7d90dde7807c95de1b7a97a5bb885abe8fc7de180714
Instruction Fuzzy Hash: 01112CB250120AAFDF128FA4DD49FEE7BADEF08758F044066FE04A2160C7759D609B61

Function 002F667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00285B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002E7B20,?,?,00000000), ref: 00285B8C
Part of subcall function 00285B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002E7B20,?,?,00000000,?,?), ref: 00285BB0

gethostbyname.WS2_32(?), ref: 002F66AC
WSAGetLastError.WS2_32(00000000), ref: 002F66B7
_memmove.LIBCMT ref: 002F66E4
inet_ntoa.WS2_32(?), ref: 002F66EF

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 7457a775aae3b66addb702a8f0d02bdbbe420e42eb0b8d0ce3fc983979a85aa2
Instruction ID: d35fd55596935b1ffb96c2ede9c79dace60785e510f9c61cd4067eb33c88bdeb
Opcode Fuzzy Hash: 7457a775aae3b66addb702a8f0d02bdbbe420e42eb0b8d0ce3fc983979a85aa2
Instruction Fuzzy Hash: 50115E39521509AFCB05FBA4DD96DEEB7B8EF14310B144066F502A72A2DF30AE64CF61

Function 002D9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 002D9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002D9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002D906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002D9086

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b541303f78bdacb8ac9afdbed714000363ac2266221ca218d652558bb0a99ea1
Instruction ID: 13e32015ffc9f56c762eb67de1ea0f96abe464f39012c20b7f89bc5b908a90fd
Opcode Fuzzy Hash: b541303f78bdacb8ac9afdbed714000363ac2266221ca218d652558bb0a99ea1
Instruction Fuzzy Hash: A5115E79901218FFDB11DFA5CC84E9DBB78FB48310F204096F904B7250D6726E51DB90

Function 002E1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002E01FD,?,002E1250,?,00008000), ref: 002E166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,002E01FD,?,002E1250,?,00008000), ref: 002E1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002E01FD,?,002E1250,?,00008000), ref: 002E169E
Sleep.KERNEL32(?,?,?,?,?,?,?,002E01FD,?,002E1250,?,00008000), ref: 002E16D1

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 71aedf87c26db2026ea475921abc288623200676f7d57216071a4d4405837b6d
Instruction ID: 79c76998fab66345a3bd1b96ae581f5b5f5fdd0e4b852e346fe14c700e55ec99
Opcode Fuzzy Hash: 71aedf87c26db2026ea475921abc288623200676f7d57216071a4d4405837b6d
Instruction Fuzzy Hash: 14117C31C6151DDBCF04AFA6D888AEEBB7CFF0A701F44406AE940B6240CB7055708BD6

Function 002B7207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 002B722B

Part of subcall function 002B7912: __fltout2.LIBCMT ref: 002B793B

__cftog_l.LIBCMT ref: 002B7251
__cftoe_l.LIBCMT ref: 002B7283

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 460dece249461c57b28da6bbbea7b1bda199a726118e6029d45abbb02e61aee3
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 21014C3606814ABBCF125E84CC018EE3F62BFA9391F598615FE1868031D237D9B1AB81

Function 0030B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0030B59E
ScreenToClient.USER32(?,?), ref: 0030B5B6
ScreenToClient.USER32(?,?), ref: 0030B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0030B5F5

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e42168cc6a433cd5023ddaf0bd022b25053dc124d5cd4bb64e4d878c79f14b19
Instruction ID: 12797652fed40a49e3208f7834d0554849658a6470d7effea7ca815b1307d8ac
Opcode Fuzzy Hash: e42168cc6a433cd5023ddaf0bd022b25053dc124d5cd4bb64e4d878c79f14b19
Instruction Fuzzy Hash: AC1146B5D0120DEFDB51CF99C8449EEFBB9FB08310F104166E914E3620D735AA558F50

Function 0030B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0030B8FE
_memset.LIBCMT ref: 0030B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00347F20,00347F64), ref: 0030B93C
CloseHandle.KERNEL32 ref: 0030B94E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 2769641a429cbdea89a0dc0183b33dded4172cefefa9c2ae24c49ea6b44622af
Instruction ID: afb90ce5ac2e1e82620436d220dffbaa4adaaf9039844085ce27bd46a066f1db
Opcode Fuzzy Hash: 2769641a429cbdea89a0dc0183b33dded4172cefefa9c2ae24c49ea6b44622af
Instruction Fuzzy Hash: 24F089B55443007FF2226765AC05F7B7B9CEB0A754F000461BF08D91A2DB716D1487A8

Function 002E6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 002E6E88

Part of subcall function 002E794E: _memset.LIBCMT ref: 002E7983

_memmove.LIBCMT ref: 002E6EAB
_memset.LIBCMT ref: 002E6EB8
RtlLeaveCriticalSection.NTDLL(?), ref: 002E6EC8

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 4763c7b3907c95413c113b805917e790e51a3ff3830cce7d8a94fa797e83eb4e
Instruction ID: e033e7de805618ee40ab84fdd012cd2baa5e6ab81f4821343b77ffad5de5610d
Opcode Fuzzy Hash: 4763c7b3907c95413c113b805917e790e51a3ff3830cce7d8a94fa797e83eb4e
Instruction Fuzzy Hash: 41F05E3A200200ABCF116F55DC85A8AFB2AEF45320F048061FE085E22BCB31E921CFB4

Function 0030C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0028134D
Part of subcall function 002812F3: SelectObject.GDI32(?,00000000), ref: 0028135C
Part of subcall function 002812F3: BeginPath.GDI32(?), ref: 00281373
Part of subcall function 002812F3: SelectObject.GDI32(?,00000000), ref: 0028139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0030C030
LineTo.GDI32(00000000,?,?), ref: 0030C03D
EndPath.GDI32(00000000), ref: 0030C04D
StrokePath.GDI32(00000000), ref: 0030C05B

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 20c414b9d488b5b2ec6bad361ecde50b8d2ebea76d1bb2ae13a7f35f16563434
Instruction ID: 6ae1dc38c4fa65a69bb37c1d09d72c8745aeb48e044fec160dc370cef04df294
Opcode Fuzzy Hash: 20c414b9d488b5b2ec6bad361ecde50b8d2ebea76d1bb2ae13a7f35f16563434
Instruction Fuzzy Hash: C4F0EC36002229FBDB236F50AC0AFCE3F9CAF0A310F048101FA11254E28BB55661CFE6

Function 002DA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002DA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 002DA3AC
GetCurrentThreadId.KERNEL32 ref: 002DA3B3
AttachThreadInput.USER32(00000000), ref: 002DA3BA

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b06fe18fb90af0676e59c1751db13be62932064aa3b5d4bbf0e8f808c8bd0b2f
Instruction ID: e60c6f2b490323376d2c377bf1b32c4fab93953131cc64694007867d4572c7f2
Opcode Fuzzy Hash: b06fe18fb90af0676e59c1751db13be62932064aa3b5d4bbf0e8f808c8bd0b2f
Instruction Fuzzy Hash: DDE03931146328BBDB215FA2DC0CED73F1CEF167A1F008026F50984460CA72C950CBA0

Function 00282218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00282231
SetTextColor.GDI32(?,000000FF), ref: 0028223B
SetBkMode.GDI32(?,00000001), ref: 00282250
GetStockObject.GDI32(00000005), ref: 00282258
GetWindowDC.USER32(?,00000000), ref: 002BC0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 002BC0E0
GetPixel.GDI32(00000000,?,00000000), ref: 002BC0F9
GetPixel.GDI32(00000000,00000000,?), ref: 002BC112
GetPixel.GDI32(00000000,?,?), ref: 002BC132
ReleaseDC.USER32(?,00000000), ref: 002BC13D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: f07201cd4871812b8a6a2c90a39b76f253b8f6725ec0456e4858576da6b23bd3
Instruction ID: d43b01c093d010c2cfd3f5049f9770956f91557080a09171f025fa26d86c2a4c
Opcode Fuzzy Hash: f07201cd4871812b8a6a2c90a39b76f253b8f6725ec0456e4858576da6b23bd3
Instruction Fuzzy Hash: FBE06D32111245EEDB366F68FC0D7D83B18EB16332F108367FA69580E1877189A0DB11

Function 002D8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 002D8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,002D882E), ref: 002D8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002D882E), ref: 002D8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,002D882E), ref: 002D8C7E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 89ea635d5a72d17c04856223f930b2bd3d196f680cdec4223f8d3f7c5c44f1c8
Instruction ID: c2c1be50bb6f4aff1319311f32cca1e3ee864d0859f1c8cf087feebde228362f
Opcode Fuzzy Hash: 89ea635d5a72d17c04856223f930b2bd3d196f680cdec4223f8d3f7c5c44f1c8
Instruction Fuzzy Hash: BDE08636653211DFD7315FB0AD0CB563BBCFF50792F04482AB245C9040DA348841CB71

Function 002C2187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002C2187
GetDC.USER32(00000000), ref: 002C2191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002C21B1
ReleaseDC.USER32(?), ref: 002C21D2

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 464b713207e2c34b0f3c781e3602d1957f57d7b974e5cd06f3957cd207fe2c5a
Instruction ID: 4b5ce70a24168b3e39f8c2f2df67ebb8941a2d867e9f600a971ca19f3bad3a58
Opcode Fuzzy Hash: 464b713207e2c34b0f3c781e3602d1957f57d7b974e5cd06f3957cd207fe2c5a
Instruction Fuzzy Hash: 23E09274811608DFCB129F60C808B5D7BF9EF0C310F108026F80A93660CB7980419F00

Function 002C219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002C219B
GetDC.USER32(00000000), ref: 002C21A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002C21B1
ReleaseDC.USER32(?), ref: 002C21D2

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: caa712fbf2dd4842bfe9002272f3d7c160458a535c195540b3740b7d55a17d86
Instruction ID: ff19e2236aa11444109a1038f129997066ecf719038b2bdf4e4167d15f448baf
Opcode Fuzzy Hash: caa712fbf2dd4842bfe9002272f3d7c160458a535c195540b3740b7d55a17d86
Instruction Fuzzy Hash: EBE01A75811608AFCB62AFB0C81869D7BF9EF4C310F108026F95A97660CB7991419F40

Function 002863A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%1, xrefs: 002863AE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID:
String ID: %1
API String ID: 0-1562133569
Opcode ID: e7193cf1a421393cf678880751d88a8b885154e76e0563eb4d57ff52888fd8d8
Instruction ID: 2da9632e461491ee3de9445f42dd78fe0803b77772735830578738d559545a99
Opcode Fuzzy Hash: e7193cf1a421393cf678880751d88a8b885154e76e0563eb4d57ff52888fd8d8
Instruction Fuzzy Hash: 49B1D47982210A9BCF24FF94C4899FEB7B9FF04310F544026E906A72D1EB349EA5CB51

Function 002FB1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 002FB2C3

Strings

xr4, xrefs: 002FB2F9
xr4, xrefs: 002FB325

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __itow_s
String ID: xr4$xr4
API String ID: 3653519197-430906878
Opcode ID: f29ad4ef7f141084c3c1ee44f49319507422e11d06de26396b18c9f2e32a1306
Instruction ID: dab2197d1c69359ea450db247a99da30d70fa88dcb80fa918ad375a5e97cd9bd
Opcode Fuzzy Hash: f29ad4ef7f141084c3c1ee44f49319507422e11d06de26396b18c9f2e32a1306
Instruction Fuzzy Hash: 20B1B074A10109AFDB15EF54C890EBEF7B9FF58340F148069FA459B292EB70E961CB60

Function 002F9A72 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 002D7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002D758C,80070057,?,?), ref: 002D7698

_memset.LIBCMT ref: 002F9B28
_memset.LIBCMT ref: 002F9C6B

Strings

NULL Pointer assignment, xrefs: 002F9CF0

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memset$lstrcmpi
String ID: NULL Pointer assignment
API String ID: 1020867613-2785691316
Opcode ID: a6446781a9960e0884b9cb7804a4ef63d1c3d811a72a7efd7f59a16af2139fd9
Instruction ID: f593e66f40fd50bf254a2a17a92359e5b6d06eb3c3617d801c4c9a4dce48079b
Opcode Fuzzy Hash: a6446781a9960e0884b9cb7804a4ef63d1c3d811a72a7efd7f59a16af2139fd9
Instruction Fuzzy Hash: 07914C71D1122D9BDB10DFA4DC84AEEFBB8AF08750F20416AF519A7281DB719A54CFA0

Function 002EB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0029FEC6: _wcscpy.LIBCMT ref: 0029FEE9

Part of subcall function 00289997: __itow.LIBCMT ref: 002899C2
Part of subcall function 00289997: __swprintf.LIBCMT ref: 00289A0C

__wcsnicmp.LIBCMT ref: 002EB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002EB361

Strings

LPT, xrefs: 002EB292

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 3d45e10120563de60c0c426907c41787499ea39562a25bf8b60004a84704bdad
Instruction ID: cb8662816da2601db6c275adbebac26034eca1b94cc18d0a489d0ddc40b68155
Opcode Fuzzy Hash: 3d45e10120563de60c0c426907c41787499ea39562a25bf8b60004a84704bdad
Instruction Fuzzy Hash: 0B61D575A60215EFCF15EF94C881EAEB7B4EF09310F15409AF946AB291DB70AE90CB50

Function 002C8A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002C8B1E
_memmove.LIBCMT ref: 002C8B78

Strings

Oa), xrefs: 002C8BF2, 002CE39A, 002CE3B6

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _memmove
String ID: Oa)
API String ID: 4104443479-3134443877
Opcode ID: ac6072540da0efdabe0b83002f9914c9dfc2edebdaf038f587c2e2f1b56026e2
Instruction ID: 6a1a962454afb5cf02793b513c82c9609704968839e5c093cf237c0f78d94eb2
Opcode Fuzzy Hash: ac6072540da0efdabe0b83002f9914c9dfc2edebdaf038f587c2e2f1b56026e2
Instruction Fuzzy Hash: CE51307092060A9FCF24CF68C480AAEB7B5FF44318F14865EE85AD7250DB31A965CB51

Function 00292AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00292AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00292AE1

Strings

@, xrefs: 00292AD5

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0e35d6d438f2c990feb75829bcea834fca022c1f6c0b64951225717d20a86e27
Instruction ID: e5ad277c2697bcff6a943d0092cd07977b8db9cb1df4d84388c3ef4c5d109091
Opcode Fuzzy Hash: 0e35d6d438f2c990feb75829bcea834fca022c1f6c0b64951225717d20a86e27
Instruction Fuzzy Hash: 0A5155724297449BD320BF50D886BABBBECFF84314F56885DF1DA410A1DB308579CB26

Function 002E99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0028506B: __fread_nolock.LIBCMT ref: 00285089

_wcscmp.LIBCMT ref: 002E9AAE
_wcscmp.LIBCMT ref: 002E9AC1

Strings

FILE, xrefs: 002E99FA

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 38dacab9b481ab3a7577bd7655ed4f098cd21c94ea59cb531fa53ef83112a65c
Instruction ID: 093974718ba5700a7ffb2fc90a2bbd8aa9f22ef608ba6b4ebdda44f2fd2d9ad7
Opcode Fuzzy Hash: 38dacab9b481ab3a7577bd7655ed4f098cd21c94ea59cb531fa53ef83112a65c
Instruction Fuzzy Hash: 48411871A5061ABADF20AEA5CC45FEFB7FDDF49714F00006AF900E71C1CA759A548BA1

Function 002C099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002C09A9

Strings

Dt4, xrefs: 0028A2B1
Dt4, xrefs: 0028A477

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClearVariant
String ID: Dt4$Dt4
API String ID: 1473721057-3676211895
Opcode ID: b54a8ecc2fbeff41b9e393440fc3c3a9de836dbfd757b68e2770d00e38a16059
Instruction ID: ae9cdd0a5c530d5eef93c3049853630215079310831c297c20adfb8319a229c4
Opcode Fuzzy Hash: b54a8ecc2fbeff41b9e393440fc3c3a9de836dbfd757b68e2770d00e38a16059
Instruction Fuzzy Hash: 30512778619342CFE754DF19C080A2ABBF1BB99344F54485EE9858B361DB71EC91CB82

Function 002F2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002F2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002F28C8

Strings

|, xrefs: 002F2899

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 979bedf2cd9c2602f774d7734a93879b833ca07fcd750727ad94d8a7372dc845
Instruction ID: 2c826789c1129bd9ed81d623b26ee96e52cb395344e17d24d9f4c2139ff938bc
Opcode Fuzzy Hash: 979bedf2cd9c2602f774d7734a93879b833ca07fcd750727ad94d8a7372dc845
Instruction Fuzzy Hash: 9A313B75811119AFCF01AFA0CC85EEEBFB8FF09340F104025F915A61A5DA319966DF60

Function 00306CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00306D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00306DC2

Strings

static, xrefs: 00306D22

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: af92ecae62387e26edba381384650ce2d94e7a4e370cf91df778de4de9cb2433
Instruction ID: 1b818968a5001aa33f4bb1768420652ad1391426149ad14e2f55c6b9e2a67d81
Opcode Fuzzy Hash: af92ecae62387e26edba381384650ce2d94e7a4e370cf91df778de4de9cb2433
Instruction Fuzzy Hash: E931B071211204AEEB119F24CC91BFB73ACFF48724F118519F89587190CB31ACA1CB60

Function 002E2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002E2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002E2E3B

Strings

0, xrefs: 002E2DF9

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 96f405a875887ad5a9c8885779b912fafd67106c51ab096891e37e11d9d5469c
Instruction ID: c8770d084f2a939b284a015804f1d846c8e38a2c9e9ffbce3ceca7edb3cc82d2
Opcode Fuzzy Hash: 96f405a875887ad5a9c8885779b912fafd67106c51ab096891e37e11d9d5469c
Instruction Fuzzy Hash: 3A310B31950356DBDB24CF4ACC457AEBBBDFF06350F5C0069E987A61A0D770A958CB10

Function 00306943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003069D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003069DB

Strings

Combobox, xrefs: 0030699D

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 9ae2c5b4fc1c3dd5e80e71a4cf3fb10d5a588408c4729d66fa6dc1fbf962e931
Instruction ID: 3e139a59b86c7c54af2cd127eca9c7d7c63f8e64cc979574b757fcc6c2edd619
Opcode Fuzzy Hash: 9ae2c5b4fc1c3dd5e80e71a4cf3fb10d5a588408c4729d66fa6dc1fbf962e931
Instruction Fuzzy Hash: 5211C8717012086FEF129F14CCA1EFB376EEB853A4F114125F9589B6D4D7719C6187A0

Function 00306E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00281D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00281D73
Part of subcall function 00281D35: GetStockObject.GDI32(00000011), ref: 00281D87
Part of subcall function 00281D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00281D91

GetWindowRect.USER32(00000000,?), ref: 00306EE0
GetSysColor.USER32(00000012), ref: 00306EFA

Strings

static, xrefs: 00306EBD

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: bb174bae706e2d52eea963f75574cea93fbff5bfcd6b8f6e14b14d628a8ec1f9
Instruction ID: 43c17c59ac15ce699885e3e72f129aa6e3c4e02f8788614393797b4f69d5fef0
Opcode Fuzzy Hash: bb174bae706e2d52eea963f75574cea93fbff5bfcd6b8f6e14b14d628a8ec1f9
Instruction Fuzzy Hash: 2F21677261120AAFDB05DFA8CD56AFA7BB8FB08314F014629FD55D3290E734E861DB60

Function 00306B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00306C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00306C20

Strings

edit, xrefs: 00306BF5

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e30dd200e28b5e19773e64664946b73cab7256f1192096c99216ce15618bb1cc
Instruction ID: 661de1a20d116201c5bc1bf33236e776261a81cbbc95c6860859613eb89d1db9
Opcode Fuzzy Hash: e30dd200e28b5e19773e64664946b73cab7256f1192096c99216ce15618bb1cc
Instruction Fuzzy Hash: FB11BFB1502208AFEB128E64DC62AFB3B6DEB05378F114724F961D71E4C775DCA19B60

Function 002E2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002E2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002E2F30

Strings

0, xrefs: 002E2F07

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2a1d6a459781380a6bd021a9e28ce93b3d9c16231fdbd74d0bae1d996ff0d71c
Instruction ID: 5deee42472503768d8a35e52aace6d016ffefeb0255f8de42787c13cb31fb9be
Opcode Fuzzy Hash: 2a1d6a459781380a6bd021a9e28ce93b3d9c16231fdbd74d0bae1d996ff0d71c
Instruction Fuzzy Hash: F911E631961265EBDB25DF59DC05B9D73BDFB02310F4800A1E846A72A0DBB0BD1CCB91

Function 002F24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002F2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002F2549

Strings

<local>, xrefs: 002F2511

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a9a0ed1297b647b8608eecce5685d4bcdecba0359b88c99a24da347fce4e43cb
Instruction ID: c135623e1e43fc77aacec49f70bad7932c0e898eeb3f7b1dc4be2429ae40af02
Opcode Fuzzy Hash: a9a0ed1297b647b8608eecce5685d4bcdecba0359b88c99a24da347fce4e43cb
Instruction Fuzzy Hash: 7811C1B012122AFADB288F518C95EBBFF6CEB06791F50813AF60546040D2B05969D6A1

Function 002F80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 002F830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,002F80C8,?,00000000,?,?), ref: 002F8322

inet_addr.WS2_32(00000000), ref: 002F80CB
htons.WS2_32(00000000), ref: 002F8108

Strings

255.255.255.255, xrefs: 002F80E3

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 3a6fc7c7f9f03822858e7fb9055786a3d058dc2ad6875a7a50ef3aa692395d72
Instruction ID: 976e42f27229c97feeb3a2bcca3d39c42728d5a898f3a5780c6689277571a1f6
Opcode Fuzzy Hash: 3a6fc7c7f9f03822858e7fb9055786a3d058dc2ad6875a7a50ef3aa692395d72
Instruction Fuzzy Hash: 4011E934510209ABDB20AF54CC46FBEF364FF04750F104527EA15572D1DB719821CB51

Function 00290A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00283C26,003462F8,?,?,?), ref: 00290ACE

Part of subcall function 00287D2C: _memmove.LIBCMT ref: 00287D66

_wcscat.LIBCMT ref: 002C50E1

Strings

c4, xrefs: 00290B0E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c4
API String ID: 257928180-2337626189
Opcode ID: 9ee475bcc42f3e78d2b04447182353e0d31ae6313bea605e2cd2a09d538e5d93
Instruction ID: 0d5bdf0bc0f85b2cbf1623b1b0fb5e966f129d7574775fbc166da43d375a1a14
Opcode Fuzzy Hash: 9ee475bcc42f3e78d2b04447182353e0d31ae6313bea605e2cd2a09d538e5d93
Instruction Fuzzy Hash: 7B118239A2520C9E8F11FFA4CC52ED973F8EF1C354F1000A5B94CD7291EA70EAA58B11

Function 002D92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 002DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002DB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002D9355

Strings

ListBox, xrefs: 002D931F
ComboBox, xrefs: 002D92F4

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d476a67191c7f79f69b776ee39a35a4400293843c16a379a5f642a587bc85ba1
Instruction ID: 907dd24ddd69520beea517c5d9c7620ddde7bdfa650582d36e80755dd3b6f212
Opcode Fuzzy Hash: d476a67191c7f79f69b776ee39a35a4400293843c16a379a5f642a587bc85ba1
Instruction Fuzzy Hash: 3001F575A22214ABCB05FF60CC918FE73A9BF06320B10065AF932573D2DB315C6C8B50

Function 002D91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 002DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002DB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 002D924D

Strings

ListBox, xrefs: 002D9217
ComboBox, xrefs: 002D91EC

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c33a22b521050ce6d6bd632926688787a67486e8a975624345b85f0e10be3273
Instruction ID: 664c7cbea16ded955d1d10b70a5da2d4f61b133f4e34eba7219aec25514301e5
Opcode Fuzzy Hash: c33a22b521050ce6d6bd632926688787a67486e8a975624345b85f0e10be3273
Instruction Fuzzy Hash: 8401D875A51108BBCB05FBA0C8A6EFF73ACAF15700F140016B912633C1DA519F2C8A61

Function 002D9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00287F41: _memmove.LIBCMT ref: 00287F82

Part of subcall function 002DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 002DB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 002D92D0

Strings

ListBox, xrefs: 002D929C
ComboBox, xrefs: 002D9271

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 18988b287fe135d446324cef6f2224114ea7fdc9220f339238535f3adce42203
Instruction ID: b8c236c33d84e307cf1f5b4d0ad19747e321bfdf5cd7380bc7b66c3e47cf21fe
Opcode Fuzzy Hash: 18988b287fe135d446324cef6f2224114ea7fdc9220f339238535f3adce42203
Instruction Fuzzy Hash: 1501F775A62108BBCB05FAA4C896EFF73ACAF11701F240117B902637C2DB219E2C8671

Function 002A6DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 002A6DD0
__calloc_crt.LIBCMT ref: 002A6DE9

Strings

@R4, xrefs: 002A6E00

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: __calloc_crt
String ID: @R4
API String ID: 3494438863-652386225
Opcode ID: 526fead97df7f68ba74e7452ddfa7e3e9919327cf166e9a2cc2348295af05b10
Instruction ID: 4a16a04317a689e63e32db6a01b8290a957225bf0236201dd1cf8f7993574024
Opcode Fuzzy Hash: 526fead97df7f68ba74e7452ddfa7e3e9919327cf166e9a2cc2348295af05b10
Instruction Fuzzy Hash: D6F06879724B17AFF725CF28FD46A612799E703764F140827E100DE191EFB098554641

Function 002E51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 002E51E8
_wcscmp.LIBCMT ref: 002E51FA

Strings

#32770, xrefs: 002E51F4

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 304e525f25f0c6c818755d36d08e8810de4a539147948fd47f0ef32385361f1d
Instruction ID: f7433f9df7e5c4761898abe358d29f985b79a41821ca8fef80cfb60bd0c2077d
Opcode Fuzzy Hash: 304e525f25f0c6c818755d36d08e8810de4a539147948fd47f0ef32385361f1d
Instruction Fuzzy Hash: 2DE0613390022D1BD320DA959C45FA7F7ACEF41771F000057FD10D7040D660A9548BD1

Function 002D81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002D81CA

Part of subcall function 002A3598: _doexit.LIBCMT ref: 002A35A2

Strings

Error allocating memory., xrefs: 002D81C3
AutoIt, xrefs: 002D81BE

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f38926b871bc60aaeac3a26740266d4635b7366ebe4f6cc69f9c8444eea01f9f
Instruction ID: dd17714a2e49623480b6b8482b94b1213d79ae7a280ccebba4f4b39bc1e44113
Opcode Fuzzy Hash: f38926b871bc60aaeac3a26740266d4635b7366ebe4f6cc69f9c8444eea01f9f
Instruction Fuzzy Hash: A3D05B323D532937D21A72A96C07FC6764C4B09B51F404017FF08555D38DD299F146D9

Function 002BB511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 002BB564: _memset.LIBCMT ref: 002BB571

Part of subcall function 002A0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00345158,00000000,00345144,002BB540,?,?,?,0028100A), ref: 002A0B89

IsDebuggerPresent.KERNEL32(?,?,?,0028100A), ref: 002BB544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0028100A), ref: 002BB553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002BB54E

Memory Dump Source

Source File: 00000000.00000002.2068561011.0000000000281000.00000040.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true

Associated: 00000000.00000002.2068507576.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000335000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.000000000033F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.0000000000373000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068561011.00000000003A8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068758299.00000000003AE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068773879.00000000003AF000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_280000_LisectAVT_2403002A_1.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 425038223dbcfe874b3bc4594b67fdf752496dd0212a980be75a672df662cded
Instruction ID: 833647f636a28ea9da91707432aa1ce999cf6dcd9faf76ff85089c1ef37f3c86
Opcode Fuzzy Hash: 425038223dbcfe874b3bc4594b67fdf752496dd0212a980be75a672df662cded
Instruction Fuzzy Hash: D6E06D782107118FD332DF38E9047827BE8AF00754F048D2DE446C6661DBF4E418CB62

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\atule

C:\Users\user\AppData\Local\Temp\aut1D2B.tmp

C:\Users\user\AppData\Local\Temp\aut1D8A.tmp

C:\Users\user\AppData\Local\Temp\prespecialist

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
LisectAVT_2403002A_1.exe

Function 00283B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00283633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Function 00284AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00284FE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Function 002E93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 002871EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00283A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00283778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00283015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Function 00283041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 0028F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 017B2710 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002839E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 017B24E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
filememoryCOMMON

Function 0028410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre