
Windows Analysis Report
LisectAVT_2403002B_378.exe

Overview

General Information

Sample name: LisectAVT_2403002B_378.exe
Analysis ID: 1481740
MD5: c9783829730e4c84ad8b33a76ae980b2
SHA1: 24e0ae4b35a18ca3eb4e184c65e0bbe5c2a1fabc
SHA256: 38865ba97b92daf6924fdc4eafacd97aa5d9886c26a8a03ebfc8b17543888e9e
Tags: exe

Detection

PureLog Stealer, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • LisectAVT_2403002B_378.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe" MD5: C9783829730E4C84AD8B33A76AE980B2)
    • powershell.exe (PID: 7636 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7976 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7680 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7716 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • LisectAVT_2403002B_378.exe (PID: 7888 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe" MD5: C9783829730E4C84AD8B33A76AE980B2)
  • IVsIyeJQN.exe (PID: 8032 cmdline: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe MD5: C9783829730E4C84AD8B33A76AE980B2)
    • schtasks.exe (PID: 2132 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp1599.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IVsIyeJQN.exe (PID: 6200 cmdline: "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe" MD5: C9783829730E4C84AD8B33A76AE980B2)
    • IVsIyeJQN.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe" MD5: C9783829730E4C84AD8B33A76AE980B2)
    • IVsIyeJQN.exe (PID: 7140 cmdline: "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe" MD5: C9783829730E4C84AD8B33A76AE980B2)
    • IVsIyeJQN.exe (PID: 5916 cmdline: "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe" MD5: C9783829730E4C84AD8B33A76AE980B2)
    • IVsIyeJQN.exe (PID: 3988 cmdline: "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe" MD5: C9783829730E4C84AD8B33A76AE980B2)
  • cleanup

Malware Configuration

{"C2 url": ["fat221.ddns.net"], "Port": "6565", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Source / Rule / Description / Author / Strings
Source: 00000012.00000002.1434288856.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 00000012.00000002.1434288856.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0xb6cf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb76c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb881:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xafa7:$cnc4: POST / HTTP/1.1
Source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0x18fbf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x2629f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x3711b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1905c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x2633c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x371b8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x19171:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x26451:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x372cd:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x18897:$cnc4: POST / HTTP/1.1
  • 0x25b77:$cnc4: POST / HTTP/1.1
  • 0x369f3:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.1370500424.0000000004E90000.00000004.08000000.00040000.00000000.sdmp; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
(9 further entries not shown)

Source / Rule / Description / Author / Strings
Source: 18.2.IVsIyeJQN.exe.400000.0.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 18.2.IVsIyeJQN.exe.400000.0.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0xb8cf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb96c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xba81:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb1a7:$cnc4: POST / HTTP/1.1
Source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.raw.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 11.2.IVsIyeJQN.exe.2f63bb4.1.raw.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
Source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.unpack; Rule: JoeSecurity_PureLogStealer; Description: Yara detected PureLog Stealer; Author: Joe Security
(19 further entries not shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe, ParentProcessId: 7440, ParentProcessName: LisectAVT_2403002B_378.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", ProcessId: 7636, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp1599.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp1599.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe, ParentImage: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe, ParentProcessId: 8032, ParentProcessName: IVsIyeJQN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp1599.tmp", ProcessId: 2132, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe, ParentProcessId: 7440, ParentProcessName: LisectAVT_2403002B_378.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp", ProcessId: 7716, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe, ParentProcessId: 7440, ParentProcessName: LisectAVT_2403002B_378.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", ProcessId: 7636, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe, ParentProcessId: 7440, ParentProcessName: LisectAVT_2403002B_378.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp", ProcessId: 7716, ProcessName: schtasks.exe

No Snort rule has matched

Timestamp: 2024-07-25T13:45:21.957397+0200
SID: 2022930
Source Port: 443
Destination Port: 49711
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T13:45:41.736202+0200
SID: 2022930
Source Port: 443
Destination Port: 61575
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T13:45:40.406990+0200
SID: 2022930
Source Port: 443
Destination Port: 61574
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: LisectAVT_2403002B_378.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe; Avira: detection malicious, Label: TR/Kryptik.kukgx
Source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["fat221.ddns.net"], "Port": "6565", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe; Joe Sandbox ML: detected
Source: LisectAVT_2403002B_378.exe; Joe Sandbox ML: detected
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack; String decryptor: fat221.ddns.net
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack; String decryptor: 6565
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack; String decryptor: <123456789>
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack; String decryptor: <Xwormmm>
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack; String decryptor: USB.exe
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack; String decryptor: 3LAuuF9hR7aXoBNzJvhi9iR1NDTQwgv99R
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack; String decryptor: 0xe101B4c9283F485f241fCf957dE7b2f2bc71387E
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack; String decryptor: TQs5zem3KJxSsgEaRo4wRihfzMaAEUVfVa
Source: LisectAVT_2403002B_378.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002B_378.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: EEGp.pdb source: LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr
Source: Binary string: EEGp.pdbSHA256 source: LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr

Networking

Source: Malware configuration extractor; URLs: fat221.ddns.net
Source: unknown; DNS query: name: fat221.ddns.net
Source: unknown; DNS traffic detected: query: 18.31.95.13.in-addr.arpa replaycode: Name error (3)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (this entry is repeated 42 times in the report)
Source: global traffic; DNS traffic detected: DNS query: fat221.ddns.net
Source: global traffic; DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmp, IVsIyeJQN.exe, 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr; String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe; Window created: window name: CLIPBRDWNDCLASS

                System Summary

                barindex
                Source: 18.2.IVsIyeJQN.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 11.2.IVsIyeJQN.exe.2fb56f0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 11.2.IVsIyeJQN.exe.2fc29d0.3.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 11.2.IVsIyeJQN.exe.2fc29d0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 11.2.IVsIyeJQN.exe.2fb56f0.5.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000012.00000002.1434288856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_0089E0AC0_2_0089E0AC
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_069AB5F80_2_069AB5F8
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_069AA2180_2_069AA218
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_069A00060_2_069A0006
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_069A00400_2_069A0040
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_06AD77C00_2_06AD77C0
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_06AD3E300_2_06AD3E30
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_06AD9CF80_2_06AD9CF8
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_06AD35580_2_06AD3558
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_06AD1A780_2_06AD1A78
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_06AD31200_2_06AD3120
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 0_2_06AD31100_2_06AD3110
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeCode function: 9_2_012ED53C9_2_012ED53C
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_0122E0AC11_2_0122E0AC
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_02F2013011_2_02F20130
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_02F2012F11_2_02F2012F
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_02F26F4811_2_02F26F48
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_072465C811_2_072465C8
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_07243E3011_2_07243E30
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_0724355811_2_07243558
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_07241A7811_2_07241A78
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_0724312011_2_07243120
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_0724311011_2_07243110
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_072490C511_2_072490C5
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_08ADB5F811_2_08ADB5F8
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_08AD003311_2_08AD0033
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_08AD004011_2_08AD0040
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeCode function: 11_2_08ADA21811_2_08ADA218
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1364817927.00000000024D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWagon.dll> vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1372170926.0000000006705000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameEEGp.exe6 vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1374120073.0000000006A70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1365360267.00000000036AE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1363465306.000000000072E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exe, 00000000.00000000.1338168175.0000000000092000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEEGp.exe6 vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1370500424.0000000004E90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameWagon.dll> vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exe, 00000009.00000002.3811055744.0000000005519000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exeBinary or memory string: OriginalFilenameEEGp.exe6 vs LisectAVT_2403002B_378.exe
                Source: LisectAVT_2403002B_378.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 18.2.IVsIyeJQN.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.IVsIyeJQN.exe.2fb56f0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.IVsIyeJQN.exe.2fc29d0.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.IVsIyeJQN.exe.2fc29d0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.IVsIyeJQN.exe.2fb56f0.5.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000012.00000002.1434288856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: LisectAVT_2403002B_378.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IVsIyeJQN.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, buDOjITvpj8qXQ7Pg97.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, IspD00af4W6xYwcXkcN.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.raw.unpack, ivtNue3aMakjbVsfus.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, buDOjITvpj8qXQ7Pg97.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, IspD00af4W6xYwcXkcN.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.raw.unpack, ivtNue3aMakjbVsfus.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.cs | Base64 encoded string: 'IzP4LkVyvSS+ANZj4Rp1ELHXyuy/bLOyvijL9j/Q7RIk2jcuCUeBFCPhW61dM6TF'
Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.cs | Base64 encoded string: 'IzP4LkVyvSS+ANZj4Rp1ELHXyuy/bLOyvijL9j/Q7RIk2jcuCUeBFCPhW61dM6TF'
Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | Security API names: _0020.AddAccessRule
Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | Security API names: _0020.AddAccessRule
Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, MDJF7sWBG7HwB2ESrF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, MDJF7sWBG7HwB2ESrF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, 84tlsW9R6xJ1tvnji3MZNvWVVhxZSWqwLG.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, 84tlsW9R6xJ1tvnji3MZNvWVVhxZSWqwLG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, 84tlsW9R6xJ1tvnji3MZNvWVVhxZSWqwLG.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, 84tlsW9R6xJ1tvnji3MZNvWVVhxZSWqwLG.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002B_378.exe.257a184.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.LisectAVT_2403002B_378.exe.4ed0000.12.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.LisectAVT_2403002B_378.exe.2517518.5.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.evad.winEXE@27/15@42/0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | File created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Mutant created: \Sessions\1\BaseNamedObjects\A0eJKYktwB7oGGOr
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | File created: C:\Users\user\AppData\Local\Temp\tmp712.tmp
Source: LisectAVT_2403002B_378.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: LisectAVT_2403002B_378.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp1599.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: LisectAVT_2403002B_378.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: LisectAVT_2403002B_378.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: LisectAVT_2403002B_378.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: EEGp.pdb | source: LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr
                Source: Binary string: EEGp.pdbSHA256 | source: LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr

                Data Obfuscation

                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.dqouWE41fIyasodnUSkvDPBjCLKJ9t3RTb1AyOSFc67u9Rli9A79eLFyXbaHGd8CeVttlzjiJsWNXLD0UJbv04YBTZj,fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.whLulYKyrl0okk6UMI4bhnZFdJ68f7uHh6y2bQqAtmUF5uL7DSlf8KZV7bFwarB1gwuXl8bjxJ6qlKjfZ3UOsgLI4Cv,fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.C6CEMVk3ezKv76cJzpm9XvBRaDrJXoXzG5w7aFip00OMGSbVQQ4pL0U0v2dcOSqLCNCKmS5qpGDsklJQO0BIxRmOa93,fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.ujAXhYfP4tXF85m9MOmJlDdP2Dqx8vTMstCkrf21mGUyvMk08M1BevkacN6LVpSRoiAgmxNuhDpVfqc96DLta1Y5dQx,buDOjITvpj8qXQ7Pg97.NLkxNVr0PyUQ9dCHwdP()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Tovx0YgnL5TGCNWKFEH[2],buDOjITvpj8qXQ7Pg97.MQfgbig6dYu2G6IMwD4(buDOjITvpj8qXQ7Pg97._1GwKRNR897LQYWBsz4x(Tovx0YgnL5TGCNWKFEH[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Tovx0YgnL5TGCNWKFEH[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.raw.unpack, ivtNue3aMakjbVsfus.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.dqouWE41fIyasodnUSkvDPBjCLKJ9t3RTb1AyOSFc67u9Rli9A79eLFyXbaHGd8CeVttlzjiJsWNXLD0UJbv04YBTZj,fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.whLulYKyrl0okk6UMI4bhnZFdJ68f7uHh6y2bQqAtmUF5uL7DSlf8KZV7bFwarB1gwuXl8bjxJ6qlKjfZ3UOsgLI4Cv,fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.C6CEMVk3ezKv76cJzpm9XvBRaDrJXoXzG5w7aFip00OMGSbVQQ4pL0U0v2dcOSqLCNCKmS5qpGDsklJQO0BIxRmOa93,fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.ujAXhYfP4tXF85m9MOmJlDdP2Dqx8vTMstCkrf21mGUyvMk08M1BevkacN6LVpSRoiAgmxNuhDpVfqc96DLta1Y5dQx,buDOjITvpj8qXQ7Pg97.NLkxNVr0PyUQ9dCHwdP()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Tovx0YgnL5TGCNWKFEH[2],buDOjITvpj8qXQ7Pg97.MQfgbig6dYu2G6IMwD4(buDOjITvpj8qXQ7Pg97._1GwKRNR897LQYWBsz4x(Tovx0YgnL5TGCNWKFEH[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Tovx0YgnL5TGCNWKFEH[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                Source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.raw.unpack, ivtNue3aMakjbVsfus.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: LisectAVT_2403002B_378.exe, MainForm.cs | .Net Code: InitializeComponent contains xor as well as GetObject
                Source: LisectAVT_2403002B_378.exe, MainForm.cs | .Net Code: InitializeComponent
                Source: IVsIyeJQN.exe.0.dr, MainForm.cs | .Net Code: InitializeComponent contains xor as well as GetObject
                Source: IVsIyeJQN.exe.0.dr, MainForm.cs | .Net Code: InitializeComponent
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | .Net Code: cv3qW5iIUs System.Reflection.Assembly.Load(byte[])
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: AyB7CsHNgaYtxLbQKqpXuje2JhVaxi9OVp System.AppDomain.Load(byte[])
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: qgnag7PAd9G0Gal2xbl System.AppDomain.Load(byte[])
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: qgnag7PAd9G0Gal2xbl
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: AyB7CsHNgaYtxLbQKqpXuje2JhVaxi9OVp System.AppDomain.Load(byte[])
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: qgnag7PAd9G0Gal2xbl System.AppDomain.Load(byte[])
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | .Net Code: qgnag7PAd9G0Gal2xbl
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | .Net Code: cv3qW5iIUs System.Reflection.Assembly.Load(byte[])
                Source: LisectAVT_2403002B_378.exe | Static PE information: 0x93CF3F60 [Fri Jul 31 18:28:48 2048 UTC]
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Code function: 0_2_069A6257 push es; iretd 0_2_069A6258
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Code function: 0_2_069A611A push es; ret 0_2_069A616C
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Code function: 0_2_069A5FE7 push es; iretd 0_2_069A5FEC
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Code function: 0_2_069A5F4B push es; ret 0_2_069A5F4C
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Code function: 0_2_069A5DA3 push es; iretd 0_2_069A5DA4
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Code function: 0_2_069A5D47 push es; ret 0_2_069A5D48
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Code function: 0_2_06AD1566 push es; ret 0_2_06AD15E8
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Code function: 11_2_08AD71E8 pushad ; iretd 11_2_08AD7441
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Code function: 11_2_08AD7443 push esp; iretd 11_2_08AD7449
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe | Code function: 11_2_08AD73B8 pushad ; iretd 11_2_08AD7441
                Source: LisectAVT_2403002B_378.exe | Static PE information: section name: .text entropy: 7.632997783630316
                Source: IVsIyeJQN.exe.0.dr | Static PE information: section name: .text entropy: 7.632997783630316
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, VKmOJojSdUEWlQ8J84.cs | High entropy of concatenated method names: 'ToString', 'QE6yipdLcg', 'd4my6AZgMK', 'zOoyj7Kt63', 'tAYybncPHi', 'DG4yTNHYPL', 'GXgyJqE9jS', 'qJFyA5YSKc', 'QaRyH2AFk1', 'bRyyNPXI5D'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, F69ZiIRh2U9d1mkxar.cs | High entropy of concatenated method names: 'agU2EAmqy1', 'EBZ2pSU9XW', 'yYo2q5sRE4', 'cED2UbpyYQ', 'N432GwphGB', 'HtT2S3slrB', 'Aq32QMuGhq', 'vmXFn4Znb0', 'rdxFYPhDeU', 'eJYFtLg5KY'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, hPD4Zw9WMrxaJreajw.cs | High entropy of concatenated method names: 'fsPQhZHr0M', 'JsQQG8NrIP', 'N9aQSH8Zag', 'El4Qu1FSaQ', 'uBhQkfVDtb', 'ifRSm2phNr', 'z0mSw8Qffb', 'KZMSnrv9cy', 'tMWSYEELKh', 'DgBStwCxpj'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, zKgGtk2SjIAuCtV3AQ.cs | High entropy of concatenated method names: 'voX5YUSlDi', 'mrS53aTTr7', 'XHNFDhdrO1', 'LDLFEgxTsD', 'goG5i1DFP3', 'trf5dyhluN', 'DxS50LV3b3', 'VkD5RUahbZ', 'rF35f8jmsZ', 'X4i5cuFknP'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, IBWHAgXK9nTYxmXdx4.cs | High entropy of concatenated method names: 'rrPuUj9D0T', 'QXaugCjcMV', 'waAuQIDo67', 'oKGQ3NvcDC', 'EAJQz4B9ff', 'iVguDjyYi3', 'UgouE7jWxu', 'xZNuX730xt', 'wYSupBUl82', 'awiuqsA2B9'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, F28PMNfAEUgn7J4itW.cs | High entropy of concatenated method names: 'Dispose', 'p3mEtAaUSL', 'R9hX6uduPa', 'QFkIImXPpL', 'GaME3KdsmE', 'Fl7EzESPgM', 'ProcessDialogKey', 'VUtXDHZmkq', 'hAOXEtrZnS', 'Y2UXXnySCX'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, Fu7f0SwXK7GwNVl2n1.cs | High entropy of concatenated method names: 'PuTav96YSk', 'LV9adF6MYh', 'bSYaRhRiwH', 'aonafZ0OtX', 'gJJa61LBRj', 'UcTaj5lhRo', 'Mfxab7G65u', 'lo6aTyDYlY', 'uFyaJaVuHa', 'nk7aAYR8PT'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, Ldm2iA38klhHrM9JCr.cs | High entropy of concatenated method names: 'FSrQov7FYt', 'wHDQ1Z8e0U', 'vlYQWljfAx', 'KPcQsCGJZW', 'HIsQZRZ9gy', 'JRoQBpUM1r', 'P7iQeuNaAq', 'YlcQCoMm4k', 'K5r6ThsKWfmu2nLlJKY', 'wQBt3Gst1yOGPsdVOTE'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, NvTTwGzYn9mkBcCAFk.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GQN2VMVT6p', 'Nj32aQiN1j', 'W5Q2yGBhlC', 'BAQ25hiPKx', 'dWm2F2CSjT', 'uxn22E9Jcb', 'glO2le1ALF'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, B6QYw2xNavsnX6VuI5.cs | High entropy of concatenated method names: 'ugt58FcduI', 'xfD5LidPjT', 'ToString', 'LYg5UfkMi0', 'NRg5GjmexQ', 'xVH5gF130W', 'hEL5SxYWdQ', 'VF95QOnHMg', 'xMe5uDOd4K', 'AVm5kva0U0'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, gNZMg1rkomVQv3GwUl.cs | High entropy of concatenated method names: 'HyySrCJZHX', 'g8JSBJhqg7', 'Y2RgjMauRP', 'pQsgbWJqnN', 'vQ5gTr4KlI', 'b8bgJ7u29q', 'gVugAUCkyx', 'LgigHbkCL8', 'DsegNbbGfQ', 'Y3vgvmsTt3'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, NhMCPriZPheolNF1s4F.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l50lR8kkHx', 'KtTlfVJyOn', 'cJslcEWXnQ', 'DVFlOW5P5Y', 'D67lm07O91', 'uuglwP4mon', 'uSEln9Ocmg'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, Cus2wJyfukdVF16BqV.cs | High entropy of concatenated method names: 'fJQV9rHEVw', 'zcwVeahZ1v', 'A2RVKIGDht', 'Y2JV6tJFD3', 'm9NVbsneUU', 'CTvVTbGYVf', 'lQhVAgBT6B', 'QyUVHD7ill', 'sKOVvrwjEW', 'HO5VietRbN'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, PDETBjEvjjWW5KY9cC.cs | High entropy of concatenated method names: 'amou1htXuU', 'Mhgu7Spf7x', 'lZ3uW3ytId', 'r14usS0Q8f', 'F9survTpYn', 'WnGuZxJctU', 'o3IuBPmnGv', 'vUEu9y3Ojs', 'TmxuelQrWk', 'lk8uCDOx1G'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, PABOU0sdhtGnZnjnEv.cs | High entropy of concatenated method names: 'G7EWgmYf1', 'kCtsqtl6x', 'pcBZTJDCa', 'LW9BDvL2L', 'eexerhIyc', 'siJCpygu9', 'foJvQBJrKxTgXVKk8V', 'pb02rd2d13QWCO9hEL', 'radFfmV2P', 'VF1lYkN6c'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, MDJF7sWBG7HwB2ESrF.cs | High entropy of concatenated method names: 'B57GRVAelv', 'xuSGfoLahc', 'lhjGcrGjAr', 'fHTGOqkr8H', 'QjPGmtdruW', 'jmNGw51ebQ', 'mDXGnXUYfy', 'YC5GYy55QX', 'RXxGtmNh4L', 'VZPG3KThKL'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | High entropy of concatenated method names: 'yd6phxD5lB', 'NmGpUdvyRD', 'bvEpGE7uSC', 'wBxpg97pRi', 'msApSdZ1UE', 'VXdpQicO4R', 'uwdpuRBypY', 'XFipkInwh9', 'zN1pM1quFE', 'IAHp8t7a9L'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, eDABA8ieAJdVgN3wEk0.cs | High entropy of concatenated method names: 'rx821DF31C', 'P5R27N94sW', 'hA12WtfVyX', 'UxH2smMFYY', 'G722rDLNov', 'w2l2ZVZroF', 'qov2B06xTM', 'D0M29QIANP', 'xRV2eLBMtW', 'mZ92CaSGsD'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, eL1J6TKq6yPLtN2fxW.cs | High entropy of concatenated method names: 'WfDFUn34IE', 'LvMFGSVZ7J', 'sqRFgDY2mI', 'NFJFSGWceK', 'bSDFQjhYG6', 'ycCFuB00HK', 'Q8DFkPV6QH', 'ck4FMYpmbR', 'TxuF8xv7wK', 'IvxFLMi03v'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, tDv1sqdMy4ceBgj0ga.cs | High entropy of concatenated method names: 'KrJEuwdGeT', 'FQPEkxODjI', 'GiuE8HIZSN', 'Ty8ELq7HSM', 'o8MEaIXtoK', 'bdnEyPCRaH', 'rJBL7rIhqZafKFPgm2', 'tTaX5brRkWgiAZPoMc', 'jAHEEVi3ED', 'aPtEpcNeJT'
                Source: 0.2.LisectAVT_2403002B_378.exe.6a70000.13.raw.unpack, lxZXrCYn0AdcuXlJkT.cs | High entropy of concatenated method names: 'OnFgsgiaRR', 'k7AgZVVWdH', 'u9jg94Qudl', 'WkUgeL4Bx9', 'K5Sga0kpS6', 'OFWgyDB49a', 'zIeg5KQNB3', 'KfsgFugOGr', 'plAg2W1pPI', 'gWDglFIatU'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, 4KpVih0POJ9T7PHs8eo.cs | High entropy of concatenated method names: 'kt5SO1Hs2CF0D7TWCM9', 'qHRhP1TAsKFHSqR2rto', '_2883JfGuxiPIhTSvAha', 'ZZaPe2XAONc', 'QJosAcPdQjA', 'ENvGggBDJvp', 'V87xUnQtVn2', '_6wzln4yuLVW', 'kXJ5Mjqz4Bu', 'zHlj066R18V'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.cs | High entropy of concatenated method names: 'AEfdfGyJCKYWMFLGb1SmjFtIyNSJ6fVu2fqfiw9tduKamViNJB96wCuU0T7qiyrcqYtev', 'jETtaGXJo3eYAa2kmX9AIPjhbXVokz0ZPOaW6n52FwVmGtG7bR1HocVfDBbGwqCNwtQlE', 'yVZhUkqRbsI25LwZwF5rV87mEryKyDrCbpVtgVCEzqn7rYn2kH1WMfTUmNvn66TeJXmmM', 'tn07HmL7bR1Py0JDOduGSy2t5xyNyN14mTa6Z4lMsl9VJafAezRV2M5rfUzdZf5453r9p'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, 4sG1oJmbrcudEiZj.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'R0dEJ8zgMmATNfPWXypWgyiAhbCfeftWvc3T4q84enAKwH0GZoDwjTrhSqb8Yqfd2gAKm', '_4zjqXImocKM1EXsalnz8cYoyU9gTRYvgVC9Acj8qz6xlqru28QI6l7IuQK5zYEiol03ba', 'rws0kHtgDByif0UcFnAYs8rf4KKh8RJF6YkYRKbdm0IwJOTqlJoRt63Mapr2CDcW591Tf', '_8Jtja2WaxWcC0yIuCeyE3yJB4OCCcQt40Swf35gCWhEBBGWX8HESFR38OlQG2IAbWrOds'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, 84tlsW9R6xJ1tvnji3MZNvWVVhxZSWqwLG.cs | High entropy of concatenated method names: '_90jTNm9nVMjHp0mnb6raBPguFU7bEzOxaQ', '_1ZqIYM71E4B4nSoQCN1C3QNmHd8UkBC1RH', 'zItiJ9WM0gnhPxlbXkfclPHOt4YiVTRtJ5', 'W3o1Qbs1fqJsR4fcpc7FlGT8zGEacLqnnp', 'GYNv0HmC4Nbc0IDaOXQYhdsdSCLmRAT8Hm', 'PfUzQbTdCpYTLY8NhrOOLoOu3iTCSd4H9t', 'mtYZHL1VxpHIBHHENj4HUc4DbvqGx95lj7', 'Zud8LMo1qwzXvgC9xt6mU1CwDGhq42Jsik', 'eXryMkWUsmKgwCeWc2YTbJ32CHzyf205lS', '_2h0SXRahUs1t7VERbBtfOqzjsjCkAyvrbQ'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, Uu2Pr8wPTDjNs1Qh5zcye03RP2yKTHs2D3aoSE8tAfxLEaB8L6fQd543LIEQtShxjc2YUsqbJ6hQRagHiczp3Ytz4YN.cs | High entropy of concatenated method names: 'l2HaEFRSkOZnBW5haYnIqLMdsova4VH3wQkuYbPUZm9xSGKArxaNLYtT1q7bwQHnSVQDqvbM2XhRKoJcepHHiGd20Dc', 'Xfe1GH6UsOHQTYVgkejqpmpK9Nt8TcNVL5VNtKQIlq2DtuxgD8oUFztEY2rY7qbpGxnfrYCxtaXI5B0oJevuhnAXGxa', 'myPkkUgEeX9LK0l07ohpSVb5p3rhefxiif', 'wYiBmT0x3ngzOvOWi0YKD51qxCT032iEA7', 'UxITb4fZt9GfBCQFpNHieIgis61KMVpBFw', 'f2lPgYTSQpmKKyS2ZpwmsGIaUTXckE7uR04IxGSbmnL5bHnuNwASWq5BxLSnaKuA9uJFL', 'WgqD4McOYLZCMWG9yD89vgHYIFzFPkvFIbl0FNnrYT7XxvZzX1dAKrrePNzQi3lIkhO9C', 'lalAKvKQuyz', 'LBQAyUwMVmy', 'p9fkQ2S89G6'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, F47v9Ek83Djn752r65T.cs | High entropy of concatenated method names: '_0Wbv1P0fDwBPqvOECil', 'dtv1ezoCWMOagTM4GqB', 'vjZxIsrob27bOncsqgp', 'o9Kaazdk3TfUUKIwP01', 'm4VAFCgqBYineYpW11j', 'Ulevrgxy4r8CKRJMB0z', 'dkTYxt4GowHkjMRqpqa', '_7E6aiVhRo7QLs6D5Iop', 'OSMZ7ENX4CMN7FFHmvz', 'ZqLZRWkGub4h3ymoagr'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | High entropy of concatenated method names: 'Ls4g1WbLA8hkoYhsfamIRvQb6JaaALUSqj', 'AyB7CsHNgaYtxLbQKqpXuje2JhVaxi9OVp', 'tWRjriIGDcZ4Zz5VAI963ayR4sJm2FEa50', 'elgqvkFp7tyoqk3xXe6HwT66f0Vvr4XlkW', 'rJaEVU92OY2NuoWwa83CpuC5I4SduMMUvJ', 'GvpP56hA8kuWQ7YmbYzEIrGYZoNPIjFIwP', '_0flEvTcbfD8u4wDVg6ywzuqRBPCa2bhSjs', 'ABJYAupfINzbumByqdZcpRbogJneMz7vza', 'W5gxrcGighabfFWKmXmPmjjnLVejzoadVK', 'GuUKyV8YLYwFPKvm8RU'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, buDOjITvpj8qXQ7Pg97.cs | High entropy of concatenated method names: '_67uMoMZlTjKxPNuCWYm', 'EJW4lrXd2HXNVQZ7TmF', 'hyOZTUBA9AmHSZjbczj', 'RRDAbamLrQPhcPO9M6R', '_8VFuaIlRm4UbmmgKQA8', 'jHThnvlIsXtxayiKYpy', 'oKRc4f0FH0weczSGVrT', 'sgdou2WTObkv1emVC5F', 'GAJr4TbSUNdm7aDCy5R', '_1GwKRNR897LQYWBsz4x'
                Source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, IspD00af4W6xYwcXkcN.cs | High entropy of concatenated method names: '_9ngSFYQyuYUAqddI6DQ', 'Kst8msOutaLybz4ymmz', 'aDUCNHyPrpPXOr2L7IE', 'ULntZJXXOc6', 'uQgE1f4qR9A', 'ZRSj3a6w7xj', '_2ulzFRlE8X7', '_5BVAob5LzwK', 'NSwwHagNw9Q', 'VoH6LLaFyPQ'
                Source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.raw.unpack, H8RxCCTG2lqB13Rl08.cs | High entropy of concatenated method names: 'BWXySrfaKk', 'O1uyJIJkvJ', 'FYuy29LETE', 'Nr6yB8b3kD', 'tquyCnxVtm', 'xG3y49hv1M', 'aMxypkVXs0', 'zXZyj69DS7', 'VfeyH0y2yr', 'ARhyKeRyuC'
                Source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.raw.unpack, ivtNue3aMakjbVsfus.cs | High entropy of concatenated method names: 'hayyrDbcfV', 'RgtTUJcyZL', 'gT8yhPI3jg', 'D4SyXwSaZ8', 'eGDyD0eGyP', 'Q1my3V6pua', 'HJq5kCF3PwuIZ', 'v2v9oltHw', 'V3yxNksFn', 'LmcVIqhFH'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, 4KpVih0POJ9T7PHs8eo.cs | High entropy of concatenated method names: 'kt5SO1Hs2CF0D7TWCM9', 'qHRhP1TAsKFHSqR2rto', '_2883JfGuxiPIhTSvAha', 'ZZaPe2XAONc', 'QJosAcPdQjA', 'ENvGggBDJvp', 'V87xUnQtVn2', '_6wzln4yuLVW', 'kXJ5Mjqz4Bu', 'zHlj066R18V'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, fujogoRPAzzppXMxZDa5gotqO8p7hgDoRdbx6LmZ972TINxYaH3003z56SS0QGK63sYozBVDZojQv9ijpmgtH2vFAQw.cs | High entropy of concatenated method names: 'AEfdfGyJCKYWMFLGb1SmjFtIyNSJ6fVu2fqfiw9tduKamViNJB96wCuU0T7qiyrcqYtev', 'jETtaGXJo3eYAa2kmX9AIPjhbXVokz0ZPOaW6n52FwVmGtG7bR1HocVfDBbGwqCNwtQlE', 'yVZhUkqRbsI25LwZwF5rV87mEryKyDrCbpVtgVCEzqn7rYn2kH1WMfTUmNvn66TeJXmmM', 'tn07HmL7bR1Py0JDOduGSy2t5xyNyN14mTa6Z4lMsl9VJafAezRV2M5rfUzdZf5453r9p'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, 4sG1oJmbrcudEiZj.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'R0dEJ8zgMmATNfPWXypWgyiAhbCfeftWvc3T4q84enAKwH0GZoDwjTrhSqb8Yqfd2gAKm', '_4zjqXImocKM1EXsalnz8cYoyU9gTRYvgVC9Acj8qz6xlqru28QI6l7IuQK5zYEiol03ba', 'rws0kHtgDByif0UcFnAYs8rf4KKh8RJF6YkYRKbdm0IwJOTqlJoRt63Mapr2CDcW591Tf', '_8Jtja2WaxWcC0yIuCeyE3yJB4OCCcQt40Swf35gCWhEBBGWX8HESFR38OlQG2IAbWrOds'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, 84tlsW9R6xJ1tvnji3MZNvWVVhxZSWqwLG.cs | High entropy of concatenated method names: '_90jTNm9nVMjHp0mnb6raBPguFU7bEzOxaQ', '_1ZqIYM71E4B4nSoQCN1C3QNmHd8UkBC1RH', 'zItiJ9WM0gnhPxlbXkfclPHOt4YiVTRtJ5', 'W3o1Qbs1fqJsR4fcpc7FlGT8zGEacLqnnp', 'GYNv0HmC4Nbc0IDaOXQYhdsdSCLmRAT8Hm', 'PfUzQbTdCpYTLY8NhrOOLoOu3iTCSd4H9t', 'mtYZHL1VxpHIBHHENj4HUc4DbvqGx95lj7', 'Zud8LMo1qwzXvgC9xt6mU1CwDGhq42Jsik', 'eXryMkWUsmKgwCeWc2YTbJ32CHzyf205lS', '_2h0SXRahUs1t7VERbBtfOqzjsjCkAyvrbQ'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, Uu2Pr8wPTDjNs1Qh5zcye03RP2yKTHs2D3aoSE8tAfxLEaB8L6fQd543LIEQtShxjc2YUsqbJ6hQRagHiczp3Ytz4YN.cs | High entropy of concatenated method names: 'l2HaEFRSkOZnBW5haYnIqLMdsova4VH3wQkuYbPUZm9xSGKArxaNLYtT1q7bwQHnSVQDqvbM2XhRKoJcepHHiGd20Dc', 'Xfe1GH6UsOHQTYVgkejqpmpK9Nt8TcNVL5VNtKQIlq2DtuxgD8oUFztEY2rY7qbpGxnfrYCxtaXI5B0oJevuhnAXGxa', 'myPkkUgEeX9LK0l07ohpSVb5p3rhefxiif', 'wYiBmT0x3ngzOvOWi0YKD51qxCT032iEA7', 'UxITb4fZt9GfBCQFpNHieIgis61KMVpBFw', 'f2lPgYTSQpmKKyS2ZpwmsGIaUTXckE7uR04IxGSbmnL5bHnuNwASWq5BxLSnaKuA9uJFL', 'WgqD4McOYLZCMWG9yD89vgHYIFzFPkvFIbl0FNnrYT7XxvZzX1dAKrrePNzQi3lIkhO9C', 'lalAKvKQuyz', 'LBQAyUwMVmy', 'p9fkQ2S89G6'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, F47v9Ek83Djn752r65T.cs | High entropy of concatenated method names: '_0Wbv1P0fDwBPqvOECil', 'dtv1ezoCWMOagTM4GqB', 'vjZxIsrob27bOncsqgp', 'o9Kaazdk3TfUUKIwP01', 'm4VAFCgqBYineYpW11j', 'Ulevrgxy4r8CKRJMB0z', 'dkTYxt4GowHkjMRqpqa', '_7E6aiVhRo7QLs6D5Iop', 'OSMZ7ENX4CMN7FFHmvz', 'ZqLZRWkGub4h3ymoagr'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, WO6zlpYOsT6wAwb3FV3vHb4ASgiBo7zR5m.cs | High entropy of concatenated method names: 'Ls4g1WbLA8hkoYhsfamIRvQb6JaaALUSqj', 'AyB7CsHNgaYtxLbQKqpXuje2JhVaxi9OVp', 'tWRjriIGDcZ4Zz5VAI963ayR4sJm2FEa50', 'elgqvkFp7tyoqk3xXe6HwT66f0Vvr4XlkW', 'rJaEVU92OY2NuoWwa83CpuC5I4SduMMUvJ', 'GvpP56hA8kuWQ7YmbYzEIrGYZoNPIjFIwP', '_0flEvTcbfD8u4wDVg6ywzuqRBPCa2bhSjs', 'ABJYAupfINzbumByqdZcpRbogJneMz7vza', 'W5gxrcGighabfFWKmXmPmjjnLVejzoadVK', 'GuUKyV8YLYwFPKvm8RU'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, buDOjITvpj8qXQ7Pg97.cs | High entropy of concatenated method names: '_67uMoMZlTjKxPNuCWYm', 'EJW4lrXd2HXNVQZ7TmF', 'hyOZTUBA9AmHSZjbczj', 'RRDAbamLrQPhcPO9M6R', '_8VFuaIlRm4UbmmgKQA8', 'jHThnvlIsXtxayiKYpy', 'oKRc4f0FH0weczSGVrT', 'sgdou2WTObkv1emVC5F', 'GAJr4TbSUNdm7aDCy5R', '_1GwKRNR897LQYWBsz4x'
                Source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, IspD00af4W6xYwcXkcN.cs | High entropy of concatenated method names: '_9ngSFYQyuYUAqddI6DQ', 'Kst8msOutaLybz4ymmz', 'aDUCNHyPrpPXOr2L7IE', 'ULntZJXXOc6', 'uQgE1f4qR9A', 'ZRSj3a6w7xj', '_2ulzFRlE8X7', '_5BVAob5LzwK', 'NSwwHagNw9Q', 'VoH6LLaFyPQ'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, VKmOJojSdUEWlQ8J84.cs | High entropy of concatenated method names: 'ToString', 'QE6yipdLcg', 'd4my6AZgMK', 'zOoyj7Kt63', 'tAYybncPHi', 'DG4yTNHYPL', 'GXgyJqE9jS', 'qJFyA5YSKc', 'QaRyH2AFk1', 'bRyyNPXI5D'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, F69ZiIRh2U9d1mkxar.cs | High entropy of concatenated method names: 'agU2EAmqy1', 'EBZ2pSU9XW', 'yYo2q5sRE4', 'cED2UbpyYQ', 'N432GwphGB', 'HtT2S3slrB', 'Aq32QMuGhq', 'vmXFn4Znb0', 'rdxFYPhDeU', 'eJYFtLg5KY'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, hPD4Zw9WMrxaJreajw.cs | High entropy of concatenated method names: 'fsPQhZHr0M', 'JsQQG8NrIP', 'N9aQSH8Zag', 'El4Qu1FSaQ', 'uBhQkfVDtb', 'ifRSm2phNr', 'z0mSw8Qffb', 'KZMSnrv9cy', 'tMWSYEELKh', 'DgBStwCxpj'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, zKgGtk2SjIAuCtV3AQ.cs | High entropy of concatenated method names: 'voX5YUSlDi', 'mrS53aTTr7', 'XHNFDhdrO1', 'LDLFEgxTsD', 'goG5i1DFP3', 'trf5dyhluN', 'DxS50LV3b3', 'VkD5RUahbZ', 'rF35f8jmsZ', 'X4i5cuFknP'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, IBWHAgXK9nTYxmXdx4.cs | High entropy of concatenated method names: 'rrPuUj9D0T', 'QXaugCjcMV', 'waAuQIDo67', 'oKGQ3NvcDC', 'EAJQz4B9ff', 'iVguDjyYi3', 'UgouE7jWxu', 'xZNuX730xt', 'wYSupBUl82', 'awiuqsA2B9'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, F28PMNfAEUgn7J4itW.cs | High entropy of concatenated method names: 'Dispose', 'p3mEtAaUSL', 'R9hX6uduPa', 'QFkIImXPpL', 'GaME3KdsmE', 'Fl7EzESPgM', 'ProcessDialogKey', 'VUtXDHZmkq', 'hAOXEtrZnS', 'Y2UXXnySCX'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, Fu7f0SwXK7GwNVl2n1.cs | High entropy of concatenated method names: 'PuTav96YSk', 'LV9adF6MYh', 'bSYaRhRiwH', 'aonafZ0OtX', 'gJJa61LBRj', 'UcTaj5lhRo', 'Mfxab7G65u', 'lo6aTyDYlY', 'uFyaJaVuHa', 'nk7aAYR8PT'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, Ldm2iA38klhHrM9JCr.cs | High entropy of concatenated method names: 'FSrQov7FYt', 'wHDQ1Z8e0U', 'vlYQWljfAx', 'KPcQsCGJZW', 'HIsQZRZ9gy', 'JRoQBpUM1r', 'P7iQeuNaAq', 'YlcQCoMm4k', 'K5r6ThsKWfmu2nLlJKY', 'wQBt3Gst1yOGPsdVOTE'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, NvTTwGzYn9mkBcCAFk.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GQN2VMVT6p', 'Nj32aQiN1j', 'W5Q2yGBhlC', 'BAQ25hiPKx', 'dWm2F2CSjT', 'uxn22E9Jcb', 'glO2le1ALF'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, B6QYw2xNavsnX6VuI5.cs | High entropy of concatenated method names: 'ugt58FcduI', 'xfD5LidPjT', 'ToString', 'LYg5UfkMi0', 'NRg5GjmexQ', 'xVH5gF130W', 'hEL5SxYWdQ', 'VF95QOnHMg', 'xMe5uDOd4K', 'AVm5kva0U0'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, gNZMg1rkomVQv3GwUl.cs | High entropy of concatenated method names: 'HyySrCJZHX', 'g8JSBJhqg7', 'Y2RgjMauRP', 'pQsgbWJqnN', 'vQ5gTr4KlI', 'b8bgJ7u29q', 'gVugAUCkyx', 'LgigHbkCL8', 'DsegNbbGfQ', 'Y3vgvmsTt3'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, NhMCPriZPheolNF1s4F.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l50lR8kkHx', 'KtTlfVJyOn', 'cJslcEWXnQ', 'DVFlOW5P5Y', 'D67lm07O91', 'uuglwP4mon', 'uSEln9Ocmg'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, Cus2wJyfukdVF16BqV.cs | High entropy of concatenated method names: 'fJQV9rHEVw', 'zcwVeahZ1v', 'A2RVKIGDht', 'Y2JV6tJFD3', 'm9NVbsneUU', 'CTvVTbGYVf', 'lQhVAgBT6B', 'QyUVHD7ill', 'sKOVvrwjEW', 'HO5VietRbN'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, PDETBjEvjjWW5KY9cC.cs | High entropy of concatenated method names: 'amou1htXuU', 'Mhgu7Spf7x', 'lZ3uW3ytId', 'r14usS0Q8f', 'F9survTpYn', 'WnGuZxJctU', 'o3IuBPmnGv', 'vUEu9y3Ojs', 'TmxuelQrWk', 'lk8uCDOx1G'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, PABOU0sdhtGnZnjnEv.cs | High entropy of concatenated method names: 'G7EWgmYf1', 'kCtsqtl6x', 'pcBZTJDCa', 'LW9BDvL2L', 'eexerhIyc', 'siJCpygu9', 'foJvQBJrKxTgXVKk8V', 'pb02rd2d13QWCO9hEL', 'radFfmV2P', 'VF1lYkN6c'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, MDJF7sWBG7HwB2ESrF.cs | High entropy of concatenated method names: 'B57GRVAelv', 'xuSGfoLahc', 'lhjGcrGjAr', 'fHTGOqkr8H', 'QjPGmtdruW', 'jmNGw51ebQ', 'mDXGnXUYfy', 'YC5GYy55QX', 'RXxGtmNh4L', 'VZPG3KThKL'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, EOrwwyBBPAjMFUdYSg.cs | High entropy of concatenated method names: 'yd6phxD5lB', 'NmGpUdvyRD', 'bvEpGE7uSC', 'wBxpg97pRi', 'msApSdZ1UE', 'VXdpQicO4R', 'uwdpuRBypY', 'XFipkInwh9', 'zN1pM1quFE', 'IAHp8t7a9L'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, eDABA8ieAJdVgN3wEk0.cs | High entropy of concatenated method names: 'rx821DF31C', 'P5R27N94sW', 'hA12WtfVyX', 'UxH2smMFYY', 'G722rDLNov', 'w2l2ZVZroF', 'qov2B06xTM', 'D0M29QIANP', 'xRV2eLBMtW', 'mZ92CaSGsD'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, eL1J6TKq6yPLtN2fxW.cs | High entropy of concatenated method names: 'WfDFUn34IE', 'LvMFGSVZ7J', 'sqRFgDY2mI', 'NFJFSGWceK', 'bSDFQjhYG6', 'ycCFuB00HK', 'Q8DFkPV6QH', 'ck4FMYpmbR', 'TxuF8xv7wK', 'IvxFLMi03v'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, tDv1sqdMy4ceBgj0ga.cs | High entropy of concatenated method names: 'KrJEuwdGeT', 'FQPEkxODjI', 'GiuE8HIZSN', 'Ty8ELq7HSM', 'o8MEaIXtoK', 'bdnEyPCRaH', 'rJBL7rIhqZafKFPgm2', 'tTaX5brRkWgiAZPoMc', 'jAHEEVi3ED', 'aPtEpcNeJT'
                Source: 0.2.LisectAVT_2403002B_378.exe.37534b0.8.raw.unpack, lxZXrCYn0AdcuXlJkT.cs | High entropy of concatenated method names: 'OnFgsgiaRR', 'k7AgZVVWdH', 'u9jg94Qudl', 'WkUgeL4Bx9', 'K5Sga0kpS6', 'OFWgyDB49a', 'zIeg5KQNB3', 'KfsgFugOGr', 'plAg2W1pPI', 'gWDglFIatU'
                Source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.raw.unpack, H8RxCCTG2lqB13Rl08.cs | High entropy of concatenated method names: 'BWXySrfaKk', 'O1uyJIJkvJ', 'FYuy29LETE', 'Nr6yB8b3kD', 'tquyCnxVtm', 'xG3y49hv1M', 'aMxypkVXs0', 'zXZyj69DS7', 'VfeyH0y2yr', 'ARhyKeRyuC'
                Source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.raw.unpack, ivtNue3aMakjbVsfus.cs | High entropy of concatenated method names: 'hayyrDbcfV', 'RgtTUJcyZL', 'gT8yhPI3jg', 'D4SyXwSaZ8', 'eGDyD0eGyP', 'Q1my3V6pua', 'HJq5kCF3PwuIZ', 'v2v9oltHw', 'V3yxNksFn', 'LmcVIqhFH'
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeFile created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exeJump to dropped file

                Boot Survival

                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: LisectAVT_2403002B_378.exe PID: 7440, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: IVsIyeJQN.exe PID: 8032, type: MEMORYSTR
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe File opened: \Device\RasAcd count: 49243
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: 890000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: 24D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: AE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: 82F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: 92F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: 12E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: 2DB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: 4DB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 1220000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 2F40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 2D70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 8BA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 7050000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 9BA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: ABA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 19B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 32C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Memory allocated: 1A50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7499
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 837
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8192
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1389
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Window / User API: threadDelayed 461
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Window / User API: threadDelayed 7520
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe TID: 7460 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784 Thread sleep count: 7499 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep count: 837 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7948 Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe TID: 8136 Thread sleep time: -115000s >= -30000s
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe TID: 8136 Thread sleep time: -7520000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe TID: 8080 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe TID: 7256 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe File Volume queried: C:\ FullSizeInformation
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1374120073.0000000006A70000.00000004.08000000.00040000.00000000.sdmp, LisectAVT_2403002B_378.exe, 00000000.00000002.1365360267.00000000036AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Mv28MAox7JpKwHhGfs
                Source: LisectAVT_2403002B_378.exe, 00000000.00000002.1374120073.0000000006A70000.00000004.08000000.00040000.00000000.sdmp, LisectAVT_2403002B_378.exe, 00000000.00000002.1365360267.00000000036AE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: PABOU0sdhtGnZnjnEveDbWrYib8lvYZHUDgIvIP3BRZMVCB5jeabettDv1sqdMy4ceBgj0gaKI34AdCekJCGoJgOEfBs3uB5IFhDEGUkvIkOF28PMNfAEUgn7J4itWUserControlSystem.Windows.FormsTL3SNQJuJXy4nVxu9CUITypeEditorSystem.Drawing.DesignSystem.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.ComponentModeleDABA8ieAJdVgN3wEk0p0qDJriiY8jlkKHlBDlIRAqi6isxs7SWbnlXRONhMCPriZPheolNF1s4F<Module>{443BE8D2-569B-47E4-9FDF-B7ABBC850E02}mQtLiyidHZE4okoh8s0LUnQrliCk5ujTfjWBWUGoLo7CiJU2bgoj3UN3N<PrivateImplementationDetails>{4E407A87-1619-4D71-A2FA-AC49E8A54950}__StaticArrayInitTypeSize=256__StaticArrayInitTypeSize=40__StaticArrayInitTypeSize=30__StaticArrayInitTypeSize=32__StaticArrayInitTypeSize=16__StaticArrayInitTypeSize=64__StaticArrayInitTypeSize=18
                Source: LisectAVT_2403002B_378.exe, 00000009.00000002.3802486603.0000000001207000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
                Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Memory written: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  Memory written: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Process created: C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Process created: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  Process created: C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp1599.tmp"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  Process created: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
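The rows above carry three behaviours a detection engineer would key on: a Defender exclusion added for a path under the user profile, a scheduled task created from an XML file in %TEMP% (the two Sigma hits in the summary), and an MZ header written at image base 0x400000 into a freshly started copy of the same executable. Two practical caveats: the created image is C:\Windows\SysWOW64\...\powershell.exe although the command line names System32, because the 32-bit sample is subject to WOW64 file-system redirection, so a rule keyed on the System32 image path alone misses this; and Add-MpPreference only succeeds from an elevated context, so on a non-admin host the exclusion fails while the process-creation event remains. The following triage rules are an added example for this page, not code from the Joe Sandbox report. The event rows are transcribed from the table above; the base64-encoded variant, the benign control rows, and the list of "user-writable" path markers are the author's assumptions.

```python
"""Triage rules over sandbox-style behaviour events.

Added example for this page, not part of the Joe Sandbox report: the event
rows are transcribed from the report, while the encoded-command variant, the
benign control rows and the user-writable path heuristic are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Assumption: directories a standard user can write to without elevation.
# A Defender exclusion or task action pointing here deserves a look; one
# under C:\Program Files usually does not.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class Event:
    source: str   # process that performed the action
    kind: str     # "process_created" or "memory_written"
    detail: str   # child command line, or "base=<hex> value=<hex prefix>"


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    evidence: str


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def expand_encoded_command(cmdline: str) -> str:
    """Append the decoded payload of -EncodedCommand / -enc / -ec so later string
    matches still see the cmdlet when it was hidden in base64."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def _arg(cmdline: str, flag: str) -> Optional[str]:
    """Value of a `flag "quoted value"` or `flag value` pair, or None."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def rule_defender_exclusion(ev: Event) -> Optional[Finding]:
    """Add-MpPreference exclusion (plain or base64-encoded) for a user-writable path."""
    if ev.kind != "process_created":
        return None
    cmdline = expand_encoded_command(ev.detail)
    if "add-mppreference" not in cmdline.lower():
        return None
    target = _arg(cmdline, "-ExclusionPath") or _arg(cmdline, "-ExclusionProcess")
    if target is None or not is_user_writable(target):
        return None
    return Finding("defender_exclusion_user_writable", ev.source, target)


def rule_schtasks_xml_from_temp(ev: Event) -> Optional[Finding]:
    """schtasks /Create whose task definition is read from a temp directory."""
    if ev.kind != "process_created":
        return None
    lowered = ev.detail.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    xml = _arg(ev.detail, "/XML")
    if xml is None or "\\temp\\" not in xml.lower():
        return None
    task = _arg(ev.detail, "/TN") or "<unnamed>"
    return Finding("schtasks_xml_from_temp", ev.source, f"{task} <- {xml}")


def rule_pe_header_written(ev: Event) -> Optional[Finding]:
    """A write whose first bytes are 'MZ' (4D 5A): a PE image being placed into a process."""
    if ev.kind != "memory_written":
        return None
    m = re.search(r"base=([0-9a-f]+)\s+value=([0-9a-f]+)", ev.detail, re.I)
    if not m or not m.group(2).upper().startswith("4D5A"):
        return None
    return Finding("pe_image_written_to_process", ev.source, f"MZ header at 0x{m.group(1)}")


RULES: List[Callable[[Event], Optional[Finding]]] = [
    rule_defender_exclusion, rule_schtasks_xml_from_temp, rule_pe_header_written,
]


def triage(events: Iterable[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding is not None:
                findings.append(finding)
    return findings


SAMPLE = r"C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '

SAMPLE_EVENTS = [
    # Rows transcribed from the report.
    Event(SAMPLE, "process_created", PS + f'Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    Event(SAMPLE, "process_created", PS + f'Add-MpPreference -ExclusionPath "{DROPPED}"'),
    Event(SAMPLE, "process_created",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" '
          r'/XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp"'),
    Event(SAMPLE, "memory_written", "base=400000 value=4D5A"),
    # Constructed variant (not in the report): the same exclusion hidden in
    # -EncodedCommand, the form the Sigma rule in the summary is named after.
    Event(DROPPED, "process_created",
          PS + "-EncodedCommand " + encode_powershell(f'Add-MpPreference -ExclusionPath "{DROPPED}"')),
    # Constructed benign controls: must not fire.
    Event(r"C:\Windows\explorer.exe", "process_created",
          PS + r'Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\scanner"'),
    Event(SAMPLE, "memory_written", "base=2540000 value=00000000"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.rule:34} {finding.source}  {finding.evidence}")
```

On a live host the process_created rows are what Sysmon Event ID 1 or the Security log's 4688 (with command-line auditing on) provide; the memory_written row is something only an instrumented sandbox or an EDR sees directly, and it lines up with the "Creates a process in suspended mode" signature in the summary, since the parent starts a second copy of itself and overwrites that child's image base before resuming it.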
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Queries volume information (repeated entries collapsed):
    C:\Users\user\Desktop\LisectAVT_2403002B_378.exe
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
    C:\Windows\Fonts\micross.ttf
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information (the same sequence was recorded for both powershell.exe instances; repeated entries collapsed):
    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
    C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
    C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
    C:\
    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
    C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
    C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
    C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
Source: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe  Queries volume information (repeated entries collapsed):
    C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002B_378.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2f63bb4.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2f63bb4.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1370500424.0000000004E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1364817927.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1407209620.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 18.2.IVsIyeJQN.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2fb56f0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2fc29d0.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2fc29d0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2fb56f0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000012.00000002.1434288856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002B_378.exe PID: 7440, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IVsIyeJQN.exe PID: 8032, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IVsIyeJQN.exe PID: 3988, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2f63bb4.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.24f3bd4.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2f63bb4.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.4e90000.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1370500424.0000000004E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1364817927.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1407209620.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 18.2.IVsIyeJQN.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2fb56f0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2fc29d0.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2fc29d0.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.2556bcc.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.IVsIyeJQN.exe.2fb56f0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.LisectAVT_2403002B_378.exe.25498ec.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000012.00000002.1434288856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002B_378.exe PID: 7440, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IVsIyeJQN.exe PID: 8032, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: IVsIyeJQN.exe PID: 3988, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques the report maps to this sample, grouped by tactic. The digits in parentheses are the badge values as rendered in the report; the matrix's unmapped placeholder cells are omitted.

Execution:            Scheduled Task/Job (1)
Persistence:          Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (111); Scheduled Task/Job (1); DLL Side-Loading (1)
Defense Evasion:      Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (131); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (22); Timestomp (1); DLL Side-Loading (1)
Discovery:            Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Collection:           Archive Collected Data (11); Clipboard Data (1)
Command and Control:  Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (21)

No techniques were mapped under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1481740   Sample: LisectAVT_2403002B_378.exe   Start date: 25/07/2024   Architecture: WINDOWS   Score: 100

Network (DNS/IP info):
    fat221.ddns.net   -> Uses dynamic DNS services
    18.31.95.13.in-addr.arpa

Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 11 other signatures

Process tree (the number after a process name is the badge shown on that node in the graph):

LisectAVT_2403002B_378.exe (7)
    dropped: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe (PE32)
    dropped: C:\Users\...\IVsIyeJQN.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\Temp\tmp712.tmp (XML)
    dropped: C:\Users\...\LisectAVT_2403002B_378.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    +-- powershell.exe (23)   [Loading BitLocker PowerShell Module]
    |       +-- WmiPrvSE.exe
    |       +-- conhost.exe
    +-- powershell.exe (23)
    |       +-- conhost.exe
    +-- LisectAVT_2403002B_378.exe (2)   [Opens the same file many times (likely Sandbox evasion)]
    +-- schtasks.exe (1)
            +-- conhost.exe

IVsIyeJQN.exe (5)
    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
    +-- schtasks.exe
    |       +-- conhost.exe
    +-- IVsIyeJQN.exe
    +-- IVsIyeJQN.exe
    +-- 3 other processes

Antivirus Detection

Sample:
    Source                          Detection   Scanner          Label
    LisectAVT_2403002B_378.exe      100%        Avira            TR/Kryptik.kukgx
    LisectAVT_2403002B_378.exe      100%        Joe Sandbox ML

Dropped files:
    Source                                          Detection   Scanner          Label
    C:\Users\user\AppData\Roaming\IVsIyeJQN.exe     100%        Avira            TR/Kryptik.kukgx
    C:\Users\user\AppData\Roaming\IVsIyeJQN.exe     100%        Joe Sandbox ML

Unpacked PE files: No Antivirus matches

Domains: No Antivirus matches

URLs:
    Source                                                          Detection   Scanner           Label
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name      0%          URL Reputation    safe
    https://www.chiark.greenend.org.uk/~sgtatham/putty/0            0%          URL Reputation    safe
    fat221.ddns.net                                                 0%          Avira URL Cloud   safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
18.31.95.13.in-addr.arpa | unknown | unknown | true | | unknown
fat221.ddns.net | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
fat221.ddns.net | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LisectAVT_2403002B_378.exe, 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmp, IVsIyeJQN.exe, 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | LisectAVT_2403002B_378.exe, IVsIyeJQN.exe.0.dr | false | URL Reputation: safe | unknown
                    No contacted IP infos
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1481740
                    Start date and time:2024-07-25 13:44:09 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 34s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:LisectAVT_2403002B_378.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@27/15@42/0
                    EGA Information:
                    • Successful, ratio: 75%
                    HCA Information:
                    • Successful, ratio: 96%
                    • Number of executed functions: 149
                    • Number of non-executed functions: 10
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target IVsIyeJQN.exe, PID 3988 because it is empty
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: LisectAVT_2403002B_378.exe
Time | Type | Description
07:45:02 | API Interceptor | 6309066x Sleep call for process: LisectAVT_2403002B_378.exe modified
07:45:04 | API Interceptor | 30x Sleep call for process: powershell.exe modified
07:45:06 | API Interceptor | 1x Sleep call for process: IVsIyeJQN.exe modified
12:45:06 | Task Scheduler | Run new task: IVsIyeJQN path: C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                    No context
                    Process:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Users\user\Desktop\LisectAVT_2403002B_378.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:true
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2232
                    Entropy (8bit):5.379401388151058
                    Encrypted:false
                    SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHxvIIwLgZ2KRHWLOug8s
                    MD5:AF15464AFD6EB7D301162A1DC8E01662
                    SHA1:A974B8FEC71BF837B8E72FE43AB43E447FC43A86
                    SHA-256:103A67F6744C098E5121D2D732753DFA4B54FA0EFD918FEC3941A3C052F5E211
                    SHA-512:7B5B7B7F6EAE4544BAF61F9C02BF0138950E5D7D1B0457DE2FAB2C4C484220BDD1AB42D6884838E798AD46CE1B5B5426CEB825A1690B1190857D3B643ABFAB37
                    Malicious:false
                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1568
                    Entropy (8bit):5.089403242893544
                    Encrypted:false
                    SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewB/v:HeLwYrFdOFzOz6dKrsuqk
                    MD5:3B8425CC3CBCA707BF47FAE68161ACCB
                    SHA1:DD0FB4D844B2F609D49BD6DFA1C96F5EE1D169FE
                    SHA-256:70B06A3C3AD00CDAA3BB8E2EA5BA81A98B55988CA7A0FF3A04F5A3C91214D7B6
                    SHA-512:B348FA477F8074FEE5FD0502F891E5734BB49DA83D0F0B2233D1D41EF519D06F4A33EED6CC7FAB67DF54FA2A7398BEBF8FC41A2ABD5BB3B4C115960926D1504C
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                    Process:C:\Users\user\Desktop\LisectAVT_2403002B_378.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1568
                    Entropy (8bit):5.089403242893544
                    Encrypted:false
                    SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewB/v:HeLwYrFdOFzOz6dKrsuqk
                    MD5:3B8425CC3CBCA707BF47FAE68161ACCB
                    SHA1:DD0FB4D844B2F609D49BD6DFA1C96F5EE1D169FE
                    SHA-256:70B06A3C3AD00CDAA3BB8E2EA5BA81A98B55988CA7A0FF3A04F5A3C91214D7B6
                    SHA-512:B348FA477F8074FEE5FD0502F891E5734BB49DA83D0F0B2233D1D41EF519D06F4A33EED6CC7FAB67DF54FA2A7398BEBF8FC41A2ABD5BB3B4C115960926D1504C
                    Malicious:true
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                    Process:C:\Users\user\Desktop\LisectAVT_2403002B_378.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):710677
                    Entropy (8bit):7.633543640817736
                    Encrypted:false
                    SSDEEP:12288:0/Sr+pAQ3inVFaNVgHxG/JNeSPHCRe52z1dQe2SbCak:/+AQ32H4gHIBPiAkZ/C
                    MD5:C9783829730E4C84AD8B33A76AE980B2
                    SHA1:24E0AE4B35A18CA3EB4E184C65E0BBE5C2A1FABC
                    SHA-256:38865BA97B92DAF6924FDC4EAFACD97AA5D9886C26A8A03EBFC8B17543888E9E
                    SHA-512:796D2CADF18C6B9BB005E670AFAE01257ED03DC2DCD51C86CB946390099F9ABD2B1404AC401692437A672E1F2A92AE3F34277811FB803F671392E1F2663337A8
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`?...............0.................. ........@.. ....................................@.....................................O........................6.............p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........2...!..........$T...T...........................................0..H........s....}.....r...p}.....r...p......%..^.(....}......}.....(.......(.....*...{....r...po......{....r...po......r...p}....*.0............s....}.....{....r#..po......{.....o......{....o...........,%...{....o....}.....{.....{....o.......{....o....o....,..{....o.......+....,..{.....o ....+..{.....o ....*..0..@.........{....rc..p.{....o....(!.....("........,..(#...&..{.....(.....*.0.................(
                    Process:C:\Users\user\Desktop\LisectAVT_2403002B_378.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:true
                    Preview:[ZoneTransfer]....ZoneId=0
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.633543640817736
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    • Win32 Executable (generic) a (10002005/4) 49.97%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:LisectAVT_2403002B_378.exe
                    File size:710'677 bytes
                    MD5:c9783829730e4c84ad8b33a76ae980b2
                    SHA1:24e0ae4b35a18ca3eb4e184c65e0bbe5c2a1fabc
                    SHA256:38865ba97b92daf6924fdc4eafacd97aa5d9886c26a8a03ebfc8b17543888e9e
                    SHA512:796d2cadf18c6b9bb005e670afae01257ed03dc2dcd51c86cb946390099f9abd2b1404ac401692437a672e1f2a92ae3f34277811fb803f671392e1f2663337a8
                    SSDEEP:12288:0/Sr+pAQ3inVFaNVgHxG/JNeSPHCRe52z1dQe2SbCak:/+AQ32H4gHIBPiAkZ/C
                    TLSH:69E4F196AB20C98ED0665F768C43A6A49675CE603E33C41EF42F733ECB757C86E41126
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`?................0.................. ........@.. ....................................@................................
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0x4ab70a
                    Entrypoint Section:.text
                    Digitally signed:true
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x93CF3F60 [Fri Jul 31 18:28:48 2048 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Signature Valid:
                    Signature Issuer:
                    Signature Validation Error:
                    Error Number:
                    Not Before, Not After
                      Subject Chain
                        Version:
                        Thumbprint MD5:
                        Thumbprint SHA-1:
                        Thumbprint SHA-256:
                        Serial:
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the preceding line is repeated 97 times in the report: the bytes after the single jmp through the IAT at RVA 0x2000 are all zero, which disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xab6b5 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x5a4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xaa200 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xaa8c4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| .text | 0x2000 | 0xa9710 | 0xa9800 | 960edb127274ad5eb864bfb01ac9eb3a | False | 0.8002728037426253 | DOS executable (COM) | 7.632997783630316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xac000 | 0x5a4 | 0x600 | f78681f3b62e31351136d742c45dc556 | False | 0.419921875 | data | 4.068774018988319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xae000 | 0xc | 0x200 | 2834d70944274e5eff6c7c73d60537c2 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_VERSION | 0xac090 | 0x314 | data | | | 0.43274111675126903 |
| RT_MANIFEST | 0xac3b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
| --- | --- |
| mscoree.dll | _CorExeMain |
| Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2024-07-25T13:45:21.957397+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49711 | 40.127.169.103 | 192.168.2.9 |
| 2024-07-25T13:45:41.736202+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 61575 | 40.68.123.157 | 192.168.2.9 |
| 2024-07-25T13:45:40.406990+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 61574 | 40.68.123.157 | 192.168.2.9 |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Jul 25, 2024 13:45:35.759537935 CEST | 1.1.1.1 | 192.168.2.9 | 0xc9 | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false |

                        Target ID:0
                        Start time:07:45:01
                        Start date:25/07/2024
                        Path:C:\Users\user\Desktop\LisectAVT_2403002B_378.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
                        Imagebase:0x90000
                        File size:710'677 bytes
                        MD5 hash:C9783829730E4C84AD8B33A76AE980B2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1370500424.0000000004E90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1364817927.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1364817927.0000000002538000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true

                        Target ID:3
                        Start time:07:45:03
                        Start date:25/07/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
                        Imagebase:0xdd0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:4
                        Start time:07:45:03
                        Start date:25/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff70f010000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:07:45:03
                        Start date:25/07/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
                        Imagebase:0xdd0000
                        File size:433'152 bytes
                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:07:45:03
                        Start date:25/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff70f010000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:07:45:03
                        Start date:25/07/2024
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp712.tmp"
                        Imagebase:0xb00000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:07:45:03
                        Start date:25/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff70f010000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:07:45:04
                        Start date:25/07/2024
                        Path:C:\Users\user\Desktop\LisectAVT_2403002B_378.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\LisectAVT_2403002B_378.exe"
                        Imagebase:0xa10000
                        File size:710'677 bytes
                        MD5 hash:C9783829730E4C84AD8B33A76AE980B2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:false

                        Target ID:10
                        Start time:07:45:06
                        Start date:25/07/2024
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff72d8c0000
                        File size:496'640 bytes
                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:11
                        Start time:07:45:06
                        Start date:25/07/2024
                        Path:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                        Imagebase:0xa40000
                        File size:710'677 bytes
                        MD5 hash:C9783829730E4C84AD8B33A76AE980B2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.1407209620.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.1407209620.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        Reputation:low
                        Has exited:true

                        Target ID:12
                        Start time:07:45:07
                        Start date:25/07/2024
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IVsIyeJQN" /XML "C:\Users\user\AppData\Local\Temp\tmp1599.tmp"
                        Imagebase:0xb00000
                        File size:187'904 bytes
                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:07:45:07
                        Start date:25/07/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff70f010000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:14
                        Start time:07:45:07
                        Start date:25/07/2024
                        Path:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
                        Imagebase:0x290000
                        File size:710'677 bytes
                        MD5 hash:C9783829730E4C84AD8B33A76AE980B2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:15
                        Start time:07:45:08
                        Start date:25/07/2024
                        Path:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
                        Imagebase:0x380000
                        File size:710'677 bytes
                        MD5 hash:C9783829730E4C84AD8B33A76AE980B2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:16
                        Start time:07:45:08
                        Start date:25/07/2024
                        Path:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
                        Imagebase:0x20000
                        File size:710'677 bytes
                        MD5 hash:C9783829730E4C84AD8B33A76AE980B2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:17
                        Start time:07:45:08
                        Start date:25/07/2024
                        Path:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
                        Imagebase:0x1e0000
                        File size:710'677 bytes
                        MD5 hash:C9783829730E4C84AD8B33A76AE980B2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:18
                        Start time:07:45:08
                        Start date:25/07/2024
                        Path:C:\Users\user\AppData\Roaming\IVsIyeJQN.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\IVsIyeJQN.exe"
                        Imagebase:0xf50000
                        File size:710'677 bytes
                        MD5 hash:C9783829730E4C84AD8B33A76AE980B2
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000012.00000002.1434288856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000012.00000002.1434288856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:11.4%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:1.6%
                          Total number of Nodes:190
                          Total number of Limit Nodes:17
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 11820a61554abc3f452c5507d1fede7b3ae306063f6b0f4d4808b68f97ac120f
                          • Instruction ID: 8de06dba9fbc8e1de1477940a98cf1d64846c786315075ac4a248ff6c6c2ac3c
                          • Opcode Fuzzy Hash: 11820a61554abc3f452c5507d1fede7b3ae306063f6b0f4d4808b68f97ac120f
                          • Instruction Fuzzy Hash: 68710571D05629CFEBA8DF66C8407EDFBB6BF89300F14D1AAD409A6250EB745A85CF40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cfb5286aeb0ca3ee1339c60fd6c7e0925f6b863bba7abb628fae1b4afd200459
                          • Instruction ID: e98e93047b1885ee59f112e574077ab6efc44410c5249654d79128af78e803e6
                          • Opcode Fuzzy Hash: cfb5286aeb0ca3ee1339c60fd6c7e0925f6b863bba7abb628fae1b4afd200459
                          • Instruction Fuzzy Hash: C361B471E012199FEB44DFEAC9446AEBBF2FF89310F108029E519AB359D7355946CF80

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0089D61E
                          • GetCurrentThread.KERNEL32 ref: 0089D65B
                          • GetCurrentProcess.KERNEL32 ref: 0089D698
                          • GetCurrentThreadId.KERNEL32 ref: 0089D6F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 61a552b703ada5f3c9eec9dc699381adcb514dbc75a74cc01ac0d7eec8af51ef
                          • Instruction ID: aa4e2cada3122236c3e19c084175b4de96b441b01e5381ea8ae3736dd7755a3d
                          • Opcode Fuzzy Hash: 61a552b703ada5f3c9eec9dc699381adcb514dbc75a74cc01ac0d7eec8af51ef
                          • Instruction Fuzzy Hash: 155155B09003499FDB55DFA9D448BEEBBF1FF88314F248059E009A73A0DB745944CB69

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0089D61E
                          • GetCurrentThread.KERNEL32 ref: 0089D65B
                          • GetCurrentProcess.KERNEL32 ref: 0089D698
                          • GetCurrentThreadId.KERNEL32 ref: 0089D6F1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: faefdbe47216c20553bef98057d07d7d28f89660603c75653fffaac890bfefe6
                          • Instruction ID: 0eac0af26d8b33e54ded02702cb1a616a73611a79588258816b9ba5aabd29244
                          • Opcode Fuzzy Hash: faefdbe47216c20553bef98057d07d7d28f89660603c75653fffaac890bfefe6
                          • Instruction Fuzzy Hash: 145135B09003499FDB55DFA9D548BEEBBF1FB88314F248059E009A7360DB745984CB69

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06AD4CBE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 53cd95537a4ca585b4b556e9159ecd28ec2472ef42adb0a8251e8ba3419ba480
                          • Instruction ID: c3d543b6b4117f037948a2884cdfcd218a6a95b3db07ae9e2905fe9b50563763
                          • Opcode Fuzzy Hash: 53cd95537a4ca585b4b556e9159ecd28ec2472ef42adb0a8251e8ba3419ba480
                          • Instruction Fuzzy Hash: F9A14871D002198FEB64DF69C8417EEBBF2FF48314F1485A9E84AA7280DB749985CF91

                          Control-flow Graph

                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06AD4CBE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: f70652731b8d80031264457285a857f970a9b7c0ea899702499bdbb14bde5cf6
                          • Instruction ID: 3151d800ba99be26f360667d7ef1c2163352e3944e59a720b83c08ca164f38b6
                          • Opcode Fuzzy Hash: f70652731b8d80031264457285a857f970a9b7c0ea899702499bdbb14bde5cf6
                          • Instruction Fuzzy Hash: A5915871D002198FEB54DF69C8417EEBBF2FF48314F1485A9E849A7280DB749985CF91

                          Control-flow Graph

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0089B566
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: e7bf7e5de8c2b55133e84ffb0f8f995fc0a3417e8077f3c9646f61400d46f348
                          • Instruction ID: e75c4dc992d9ffecc1debd2099f6b60ce23ba2d37cb0cf0d4643e4f2815e66a0
                          • Opcode Fuzzy Hash: e7bf7e5de8c2b55133e84ffb0f8f995fc0a3417e8077f3c9646f61400d46f348
                          • Instruction Fuzzy Hash: 93813370A00B058FDB24EF2AD54179ABBF2FF88310F04892AD08AD7A51DB74E845CB95

                          Control-flow Graph

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 008959C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 9c4ba67270801fde1ccac55f6e5ec13ab6555178a03fc7314b74eb1d5de771b6
                          • Instruction ID: 92405ed90685ede3b075192d6490e603ca78015530c61c1712057212fbeea8cf
                          • Opcode Fuzzy Hash: 9c4ba67270801fde1ccac55f6e5ec13ab6555178a03fc7314b74eb1d5de771b6
                          • Instruction Fuzzy Hash: 77410FB0C00718CBEB25DFA9C884BCEBBF6BF48304F24816AD408AB251DB716946CF50

                          Control-flow Graph

                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 008959C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 74f676aa4d7af16fee69f89665772e3fb46d3e16c19118437828c7f849457274
                          • Instruction ID: 17fcbd0b846e47886ec775aa331032b33e80df0d863c617ee18358ad0a90c56d
                          • Opcode Fuzzy Hash: 74f676aa4d7af16fee69f89665772e3fb46d3e16c19118437828c7f849457274
                          • Instruction Fuzzy Hash: 5741EDB0C00718CBEB24DFA9C884B9EBBF5FF49304F24816AD408AB251DBB56945CF90

                          Control-flow Graph

                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AD42E6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 6e4442384e98ba767ab3032895b87661bc793e6d0c4617f05e80047b944ee59b
                          • Instruction ID: 34c7d0cbf6a1c225d7a5f572bdca263d3434cf68427a8c05fa89706ee976d648
                          • Opcode Fuzzy Hash: 6e4442384e98ba767ab3032895b87661bc793e6d0c4617f05e80047b944ee59b
                          • Instruction Fuzzy Hash: 42219871C003099FDB10DFAAC885BEFBBF4EF48214F10842AD419A7241C7789584CFA0

                          Control-flow Graph

                          APIs
                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06AD4490
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 41b3d14aff0f8cec3941e7fd6f4ccc471cfa64e420a9370eb178c4e538dd78fa
                          • Instruction ID: 235b0a67e829591c46e3ca1fd0eaaa8f5cb18230f52586e44abd376ad3ac6150
                          • Opcode Fuzzy Hash: 41b3d14aff0f8cec3941e7fd6f4ccc471cfa64e420a9370eb178c4e538dd78fa
                          • Instruction Fuzzy Hash: D92135B1D003499FDB10DFA9C881BEEBBF1FF48310F14842AE959A7640C7789981CBA4

                          Control-flow Graph

                          APIs
                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06AD4570
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 26edfec0c0b3c9a3721254f0684a7edb1c6714bd78772ccefc0aff656a6db9c0
                          • Instruction ID: 4e3154200abf78a5ca4b0b67fdad9dee66a3f4ab1a305635fd65c7fe5ed459df
                          • Opcode Fuzzy Hash: 26edfec0c0b3c9a3721254f0684a7edb1c6714bd78772ccefc0aff656a6db9c0
                          • Instruction Fuzzy Hash: C4211671C103499FDB10DFAAC881BEEBBF5FF48310F14842AE959A7250D779A940CBA5

                          Control-flow Graph

                          APIs
                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06AD4490
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: d7647ddb88f37545bae7580701550cdef332ed90c136e450e85489b8ee8bc886
                          • Instruction ID: 727e2861d4e50249479cafcbdebcc74f9305a7398925d961d1ad2b4c1b8949e0
                          • Opcode Fuzzy Hash: d7647ddb88f37545bae7580701550cdef332ed90c136e450e85489b8ee8bc886
                          • Instruction Fuzzy Hash: BF212871D003499FDB10DFA9C845BEEBBF5FF48310F108429E959A7240D7789580CBA4

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0089D86F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 1f4031b8645e4e2c8882ea47837f85beae07dea4729aaf755cba51f3662d7436
                          • Instruction ID: 0999cf7ec47546b0d52de480920db91af0e1e1f78e6b8f449f3ba75bbe08f111
                          • Opcode Fuzzy Hash: 1f4031b8645e4e2c8882ea47837f85beae07dea4729aaf755cba51f3662d7436
                          • Instruction Fuzzy Hash: F721F4B5D102489FDB10CFA9D484AEEBBF5FB48320F14846AE914A3210C374A945CF65

                          Control-flow Graph

                          APIs
                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06AD4570
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 03f4f3962c5b4fffaa267c20f7b436224d70c933da6136bc4c9f2c4e1eca41bd
                          • Instruction ID: badb965a650818c2e74d510d07d00392c9c3928b7819ad79bab90079a6ddbbf5
                          • Opcode Fuzzy Hash: 03f4f3962c5b4fffaa267c20f7b436224d70c933da6136bc4c9f2c4e1eca41bd
                          • Instruction Fuzzy Hash: 07212571C003499FDB10DFAAC880BEEBBF5FF48310F10842AE919A7240C7789940CBA5

                          Control-flow Graph

                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AD42E6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 301b4d06d483f0e75461fa465a9f42790e653a6721d51dfdd2d55ecc05da4259
                          • Instruction ID: 3c86e40ec26669a66495de0fe6c158eb84ec1b0856fe58f2b621cc2c1897df44
                          • Opcode Fuzzy Hash: 301b4d06d483f0e75461fa465a9f42790e653a6721d51dfdd2d55ecc05da4259
                          • Instruction Fuzzy Hash: B3214971D003098FDB10DFAAC8857EEBBF4EF48314F14842AD459A7240C7789984CFA5

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0089D86F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 131763f267a3721c818b3224a679a47af11267e8942ae114a059b9ac2b81edda
                          • Instruction ID: 8f447c5d0442b784f2939a9b770688176cf5d4e7bcf8219cfc7db99294f3fee9
                          • Opcode Fuzzy Hash: 131763f267a3721c818b3224a679a47af11267e8942ae114a059b9ac2b81edda
                          • Instruction Fuzzy Hash: B921B3B5D102499FDB10CFAAD884AEEBBF5FB48310F14846AE914A7250D374A944CFA5
                          APIs
                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06AD43AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 470efb3a2e5babe5b42911037c1c63263eeaf24a6aaa9bf618375a3729da3ed4
                          • Instruction ID: 1d907e7fa7d619ca95e65d946c3b0780d1fb81c84b6263699b7280e62c0905c2
                          • Opcode Fuzzy Hash: 470efb3a2e5babe5b42911037c1c63263eeaf24a6aaa9bf618375a3729da3ed4
                          • Instruction Fuzzy Hash: 2C1156729002499FDB10DFAAC844BEFBBF6EF88320F24841AE519A7650C7759540CFA0
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0089B5E1,00000800,00000000,00000000), ref: 0089B7F2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: ddc1b005c1d80daf2b9da64877f8cdf73a1c216695e55e3d6181add18b951e0b
                          • Instruction ID: 43fffb1edb8712f4a8ad0e6f8a84bc1836cc9fa7c30756e1c0790a037df8bca9
                          • Opcode Fuzzy Hash: ddc1b005c1d80daf2b9da64877f8cdf73a1c216695e55e3d6181add18b951e0b
                          • Instruction Fuzzy Hash: 741133B68002489FDB10DF9AD444AEEFBF4FB88310F14812AE419A7600C3B4A945CFA5
                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0089B5E1,00000800,00000000,00000000), ref: 0089B7F2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 04c488dff14ca78dfd923d40aceee0f3e105246f5470917ec669cf1d3e223324
                          • Instruction ID: b8d01932f1e31edfc57384d8c1436e5f892a360c0d132d958bbdbac281518c21
                          • Opcode Fuzzy Hash: 04c488dff14ca78dfd923d40aceee0f3e105246f5470917ec669cf1d3e223324
                          • Instruction Fuzzy Hash: 781114B6D002499FDB10CFAAD444AEEFBF5FB88320F14852AD419A7600C3B5A945CFA5
                          APIs
                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06AD43AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: e0cc95a39540b46abcfc304e6b0848275f228156101cdb8fa4ebb4682a95b8cb
                          • Instruction ID: 572f17c13556f53c29a994c119125ae9e4ad96341eed4b8755c198206a04e1a7
                          • Opcode Fuzzy Hash: e0cc95a39540b46abcfc304e6b0848275f228156101cdb8fa4ebb4682a95b8cb
                          • Instruction Fuzzy Hash: E61123729002499FDB10DFAAC844BEFBBF5EF48320F24841AE519A7250C775A940CFA5
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: a5821dd281e7df21f7fd5ff8158f46f85bee4ad3e39087d8ed333a653ada291e
                          • Instruction ID: 66d8b13aa12f6758ed3d66167efe9cb0749526b12e52e6e837565979eb4f738e
                          • Opcode Fuzzy Hash: a5821dd281e7df21f7fd5ff8158f46f85bee4ad3e39087d8ed333a653ada291e
                          • Instruction Fuzzy Hash: EF114671D002498FEB10DFAAC8457EEBBF5AF48224F20842AD459A7240CB755940CFA5
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 2263657e9caeb1aaf54ae9f3d95c65cf6cd73f135ab8d4bc9b571cc3f4426b41
                          • Instruction ID: 240e04339dee534253dd80740cec7eb4af7a3debda68b923050368928449711a
                          • Opcode Fuzzy Hash: 2263657e9caeb1aaf54ae9f3d95c65cf6cd73f135ab8d4bc9b571cc3f4426b41
                          • Instruction Fuzzy Hash: 3E112871D003498BDB10DFAAC8457EFFBF5AF48224F24842AD559A7640C7756540CFA5
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06AD891D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 60c94b223b484d90ed9931ca74394e9e509a9157aa0b4833f68580e7b2ad2b25
                          • Instruction ID: 3d7b83c2a8a4bba2039337387739cc0a91a49fa4de2c1727bf52f6bbaf7bc906
                          • Opcode Fuzzy Hash: 60c94b223b484d90ed9931ca74394e9e509a9157aa0b4833f68580e7b2ad2b25
                          • Instruction Fuzzy Hash: ED1133B5810349DFDB10DF9AD885BDEBFF8EB48324F20841AE558A7200C375A584CFA2
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06AD891D
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374310726.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ad0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: d2533b6c6de0c6e4f05ce243fbe66faa2e0363e06dd50c7c7137b74245dedd5f
                          • Instruction ID: 0eed4aad457388a5d4db4deb89c5315c1378cbed50f36d2e7bde5cfc5479a723
                          • Opcode Fuzzy Hash: d2533b6c6de0c6e4f05ce243fbe66faa2e0363e06dd50c7c7137b74245dedd5f
                          • Instruction Fuzzy Hash: 281106B58043499FDB10DF9AD845BEEBBF8EB48310F108459E555A7300C375A944CFA5
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0089B566
                          Memory Dump Source
                          • Source File: 00000000.00000002.1364200503.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_890000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 9dd828875271f26c36b8e19847a29c54b5ce9bba5b1ddc95a9297adb54b95834
                          • Instruction ID: 222b6d0ab90c232223dcf9598def858f92ffb09031a567363ff122de4c6d5ddf
                          • Opcode Fuzzy Hash: 9dd828875271f26c36b8e19847a29c54b5ce9bba5b1ddc95a9297adb54b95834
                          • Instruction Fuzzy Hash: 7A11FDB6C002498FDB10DF9AD844ADEFBF5EB88324F15842AD418B7210C375A545CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d188fa8afa0da36921b285b790a2988476b0f3e1a11a7557f87c15619409179b
                          • Instruction ID: 173b3b633e54ed0bc20a7ea12febeabfa18a7695af6b38ed8131b132a2229239
                          • Opcode Fuzzy Hash: d188fa8afa0da36921b285b790a2988476b0f3e1a11a7557f87c15619409179b
                          • Instruction Fuzzy Hash: 7EB11670E05229CFEB90DBA4D980AEDBBF6FF88310F109615E509AB745DB30AD45CB94
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a082a0e7c3c7bdbddf5bff1d0ecdf9c58949259d3a8b3c749106eacc88692977
                          • Instruction ID: b6f0fe48a0b047b566c5e2f034ddee5f25b9aba897ebd999b9f3ed1ca05bbcc5
                          • Opcode Fuzzy Hash: a082a0e7c3c7bdbddf5bff1d0ecdf9c58949259d3a8b3c749106eacc88692977
                          • Instruction Fuzzy Hash: C051C030B103058FDB15DBB8D8549BEBBF6FFC82207258569E429DB391EB309D058BA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8326d6ab9a86f57cea817fb5120839299a9a7ffb00f5f317311c3e2dcab4ada9
                          • Instruction ID: 14c2f99efa80159a339ade3437e162cca45f03518faf9d0c853c1df28cf8aea0
                          • Opcode Fuzzy Hash: 8326d6ab9a86f57cea817fb5120839299a9a7ffb00f5f317311c3e2dcab4ada9
                          • Instruction Fuzzy Hash: C8310171A1D384AFDB46DB748C658AD7FFA9E43100B1A80EFD844CB6A3EA348D02C351
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0f0777e31ee7b766b3ea8949417e97bbf46a5c31b4a1251daed02b585bfaf3a7
                          • Instruction ID: 5abd1e17dfd4420dfcd6735df19107e16f1b55deb2bf4287af3625e05586cb36
                          • Opcode Fuzzy Hash: 0f0777e31ee7b766b3ea8949417e97bbf46a5c31b4a1251daed02b585bfaf3a7
                          • Instruction Fuzzy Hash: 0D319A72A003089FDF00DFA9C844ADEBFF6EB48310F10842AE805E7210C734A940CFA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5c432ff035d88494bbd3acf7f415776e9751c5cb662d1083219e0c69494b7042
                          • Instruction ID: 47a48a0fb486c7d83f41f1d37e3cbb0a9716572420a71dc641c571dd76e45731
                          • Opcode Fuzzy Hash: 5c432ff035d88494bbd3acf7f415776e9751c5cb662d1083219e0c69494b7042
                          • Instruction Fuzzy Hash: 6031806641E7D1AFE7539B3858B59E13FB0AD63264B1E04C7D0D1CB0A3D508A80AD7BB
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a92bffd4114161eb8c43780365e94aca9b2fd9955b7fe31850ef1ac44b09f74
                          • Instruction ID: e564bb1ed67e459d328ea747db450b79da35a52c2995f8c1a8b137c8ee37a990
                          • Opcode Fuzzy Hash: 9a92bffd4114161eb8c43780365e94aca9b2fd9955b7fe31850ef1ac44b09f74
                          • Instruction Fuzzy Hash: F631AD75E012189FDB05DFAAD840AEEBBF2BF88310F14802AE505B7364EB3559428F94
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0b60caea5a229201a2b781a504ce1279fe8a038e2777f93d38bf8d0c3f6aa24
                          • Instruction ID: 406a4a156adf56bdb6a52a30e7808a88d2c0b0ec0baed35716d401c91c8fb4c2
                          • Opcode Fuzzy Hash: c0b60caea5a229201a2b781a504ce1279fe8a038e2777f93d38bf8d0c3f6aa24
                          • Instruction Fuzzy Hash: 3431DF75E002189FDB05DFA9D8406EEBBF2BF88310F14806AE505B7364EB355A42CF98
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08121e6973800eb6d1eceb9de85a5a9d2ad58e4a3128c1687d8808e95cfe18a1
                          • Instruction ID: fb371bc76c8af06ee6912e9ddd2ca5981e58f31e97c1ad3abac9bffcd92f77e7
                          • Opcode Fuzzy Hash: 08121e6973800eb6d1eceb9de85a5a9d2ad58e4a3128c1687d8808e95cfe18a1
                          • Instruction Fuzzy Hash: C7310074E00218CFEB54DFA9D540AAEBBF6EF89710F10806AD915AB350DB35A941CFA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1363088617.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6fd000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fff47754bb4cb083f7dbfcffe2997f15bb3bf25700288750479d4bccc3065ed9
                          • Instruction ID: e807bc33956aac8826b78030a878dee526e90950560a7265cc610b015be3b8e6
                          • Opcode Fuzzy Hash: fff47754bb4cb083f7dbfcffe2997f15bb3bf25700288750479d4bccc3065ed9
                          • Instruction Fuzzy Hash: 9821F472504208DFDB05DF50D8C0B6ABBA7FB88314F20C569EA050B246C336E916CBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1363088617.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6fd000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 19b949da3e9d18c80ab705d3a415416d98a2a10082757bdff8252521d82001cb
                          • Instruction ID: 3935a94f4bd2ebfac40032679d0ba3cc11e62080d477acaed27da88a0977e552
                          • Opcode Fuzzy Hash: 19b949da3e9d18c80ab705d3a415416d98a2a10082757bdff8252521d82001cb
                          • Instruction Fuzzy Hash: 75212871504248EFDB15DF14D9C0B76BFA7FB84318F20C569EA050B256C336E856DAA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1363220009.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_70d000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8241e6f4e60666507b26cc2907e2f26ea7f7bd84b71d8412f8f4da1955f891b7
                          • Instruction ID: 3ca5ca82dbba71722a92b1baea638d88e616294a26f9f693fbd1c45209ae3d21
                          • Opcode Fuzzy Hash: 8241e6f4e60666507b26cc2907e2f26ea7f7bd84b71d8412f8f4da1955f891b7
                          • Instruction Fuzzy Hash: 4921D471504304EFDB25DF94D9C0B26BBE5FB88324F24C6ADE8494B296C33ADC56CA61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1363220009.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_70d000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 84c1cea9d845751b85eea31a9005784e8e61cbea1846c2b6a085b4c2a3253521
                          • Instruction ID: 8cc3f6eed4a35c87fe55eb6693c207ee0bef1f550c46ac47d9ccbb9815f66dd6
                          • Opcode Fuzzy Hash: 84c1cea9d845751b85eea31a9005784e8e61cbea1846c2b6a085b4c2a3253521
                          • Instruction Fuzzy Hash: 7421D371604304EFDB24DF54D984B16BBA5EB84314F20C669E84D4B286C37ADC47CA62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b44e92c5cba5c8b02e23df3b01cbeae71012ffb2ff3c4131b49cdea0d7393037
                          • Instruction ID: fe4c5368202a41cbfec3efe5fcbf1c61d2987e17499534a373f6e28f05efb860
                          • Opcode Fuzzy Hash: b44e92c5cba5c8b02e23df3b01cbeae71012ffb2ff3c4131b49cdea0d7393037
                          • Instruction Fuzzy Hash: DF310470E04219DFEB84EFA8DA546AEBBF2FB88304F10806AE515B7354D7345A01CFA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 988d96c102e9fdf6a880f05e21e27fbe5024011b60fa6121d0a31dc43ef9929b
                          • Instruction ID: f64297db4caefc914947271e7c2a696510afa03010eeb0a126e1a088f301c7be
                          • Opcode Fuzzy Hash: 988d96c102e9fdf6a880f05e21e27fbe5024011b60fa6121d0a31dc43ef9929b
                          • Instruction Fuzzy Hash: CF31F2B0C11318EFEB60DF99C584B9EBBF5BB48314F24842AE404BB640C3B59845CF95
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: efedb0cb2332302d970bca3ae230144a2ab496175f72ec8bb7b383a668bc955f
                          • Instruction ID: e405f7a524fcd99314e91b00c83127f03a8690247c448413643b9c96f7982a76
                          • Opcode Fuzzy Hash: efedb0cb2332302d970bca3ae230144a2ab496175f72ec8bb7b383a668bc955f
                          • Instruction Fuzzy Hash: 67111F31F102198BCB54EFA998105FEB7F6BBC5710B604069C518FB240EB358D11DBE1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1363088617.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6fd000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6662bb42d93366c4ecdc741b35d58c024746bc4f1fd69c81d9866549e0b2d590
                          • Instruction ID: 63ec152a5350b0e0e32255436c4866784440bdeb59f4d527abe638c94f9ee439
                          • Opcode Fuzzy Hash: 6662bb42d93366c4ecdc741b35d58c024746bc4f1fd69c81d9866549e0b2d590
                          • Instruction Fuzzy Hash: DB21CD76404244CFCB16CF00D9C4B66BF63FB84314F24C1A9DE080B256C33AE926CBA1
                          Memory Dump Source
                          • Source File: 00000000.00000002.1363088617.00000000006FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6fd000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                          • Instruction ID: c582ec4ee07d7f3c19b4baca665c55900b34a9f50a7ba3945242e50e8b950fee
                          • Opcode Fuzzy Hash: 335ff2cd27920e120e44ddd98b5f99d48130ef09aa4f624435d54826826d70db
                          • Instruction Fuzzy Hash: E211E172404284CFCB12CF10D5C4B66BF72FB94318F24C6A9D9490B256C336E85ACBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8e3780bcc05cde4b4225168db755945f08fab127f1e413d42d1139115a41f44a
                          • Instruction ID: 78f6bf999434dc28544380ff2849020dc3e5dec22c732351af4fe0e70af9a2b0
                          • Opcode Fuzzy Hash: 8e3780bcc05cde4b4225168db755945f08fab127f1e413d42d1139115a41f44a
                          • Instruction Fuzzy Hash: D121F2B59003499FDB10CF9AD844AEEBBF5FB48310F10842AE919B7600C374A944CFA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.1363220009.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_70d000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                          • Instruction ID: 3351e10012e12a26acb3f8be050a504ba5b1cadf761a81928ab5d886f76d9309
                          • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                          • Instruction Fuzzy Hash: B111BE75504380CFCB21CF50D5C4B15BBA2FB44314F24C6AAD8494B696C33AD80ACB62
                          Memory Dump Source
                          • Source File: 00000000.00000002.1363220009.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_70d000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                          • Instruction ID: be55cc21d917437666a6cd513902d22af85b65949e53275db44d5eced694e976
                          • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                          • Instruction Fuzzy Hash: 6A11BB75504380DFCB22CF54C5C4B15BBA2FB84324F24C6AAD8494B696C33AD80ACB61
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 81ddf8485feee33b474cefa89196dc78964ff2cdeeec78d494acec08358cea25
                          • Instruction ID: ac18fbb709ad7f8dc5ae84b5c54b4d4e56fb4f35e89bcac79f2aabbc1132ad41
                          • Opcode Fuzzy Hash: 81ddf8485feee33b474cefa89196dc78964ff2cdeeec78d494acec08358cea25
                          • Instruction Fuzzy Hash: BB015770501F14CBE374DF26F294512BBF2FF8971038589A9D9C682A68DFB6A8248B40
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d4dd2387708106e900fd8f557130fb1642430cfd2a7b12068a1d59457189e9d1
                          • Instruction ID: 34319853f154c1265af15b49db05e0e6014f8c26475c219e2c9d914f8cd0a641
                          • Opcode Fuzzy Hash: d4dd2387708106e900fd8f557130fb1642430cfd2a7b12068a1d59457189e9d1
                          • Instruction Fuzzy Hash: 1E01E838A04208DFD784DBA8C654AA9BBF9EB4C300F65D594E4099B765D731DE00DB80
                          Memory Dump Source
                          • Source File: 00000000.00000002.1374058092.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_69a0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0234f5eec8ee921a7bf228f54b57475ba252407f5285c51c81fb2d457cc90c0c
                          • Instruction ID: 759061be8e0ce8a3e08e1e7c25b689074a148f50232e8ed5c14b36961191fb82

                          Execution Graph

                          Execution Coverage: 6.7%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 60
                          Total number of Limit Nodes: 6

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 012E71D6
                          • GetCurrentThread.KERNEL32 ref: 012E7213
                          • GetCurrentProcess.KERNEL32 ref: 012E7250
                          • GetCurrentThreadId.KERNEL32 ref: 012E72A9
                          Memory Dump Source
                          • Source File: 00000009.00000002.3805516356.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_12e0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 38d70e84222a04cc452484f5e2026c4dfbd997eccfcf19d8dd332dafe0828407
                          • Instruction ID: 8f2bf83586454b8a86158f90f2e9cfcc7aa8dfc06ba380a5818f3b826c33fe92
                          • Opcode Fuzzy Hash: 38d70e84222a04cc452484f5e2026c4dfbd997eccfcf19d8dd332dafe0828407
                          • Instruction Fuzzy Hash: 0F5155B09103498FDB14CFA9D948BDEBBF1EF48314F20856AE418AB390D735A944CB65

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 012E71D6
                          • GetCurrentThread.KERNEL32 ref: 012E7213
                          • GetCurrentProcess.KERNEL32 ref: 012E7250
                          • GetCurrentThreadId.KERNEL32 ref: 012E72A9
                          Memory Dump Source
                          • Source File: 00000009.00000002.3805516356.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_12e0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 808d8037c77fe1e048f949e6d8ce2b2b0b04daf8a29205f70b014fe6741ecb23
                          • Instruction ID: d78311771ea4ac1923ef7bc5a51e2ca854f6153fed07a7fb66d4e5be93a5ed0f
                          • Opcode Fuzzy Hash: 808d8037c77fe1e048f949e6d8ce2b2b0b04daf8a29205f70b014fe6741ecb23
                          • Instruction Fuzzy Hash: F45155B09103098FDB14CFAAD548BDEBBF1BF88314F20846AE419A7350D775A944CF65

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012E7427
                          Memory Dump Source
                          • Source File: 00000009.00000002.3805516356.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_12e0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 4b4a4ddf447ba00abe6028e2f5735641985fce80902bd8f6eaf30e90363a65e0
                          • Instruction ID: bb30987b6e35a5b394880bef80307f0bdb8187c4ac96473a06d3beed577f6293
                          • Opcode Fuzzy Hash: 4b4a4ddf447ba00abe6028e2f5735641985fce80902bd8f6eaf30e90363a65e0
                          • Instruction Fuzzy Hash: 573127B69003499FDB10CFA9E984ADEBBF5FB48320F14842AE914A3350D3749955CFA4

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012E7427
                          Memory Dump Source
                          • Source File: 00000009.00000002.3805516356.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_12e0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: ea73d424cae7be7eb72181ee3dfc6fb1aa298b26964d4c7d33dfc65db09ee7e1
                          • Instruction ID: 325c987543d8f7d090f499ba1e428c8fc8947d00f882feb1d4b0117c551980fa
                          • Opcode Fuzzy Hash: ea73d424cae7be7eb72181ee3dfc6fb1aa298b26964d4c7d33dfc65db09ee7e1
                          • Instruction Fuzzy Hash: 5421E4B59003499FDB10CFAAD984ADEBFF4FB48320F14841AE918A3350D374A940CFA5

                          Control-flow Graph

                          APIs
                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 012E209B
                          Memory Dump Source
                          • Source File: 00000009.00000002.3805516356.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_12e0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: HookWindows
                          • String ID:
                          • API String ID: 2559412058-0
                          • Opcode ID: 3df0e97420e045ad37b9059c8c80394b1e9f7e52b78737888a8463b4adaf63f6
                          • Instruction ID: f3c78e7596f1d7d0b7899c33a2109cd1424ef5c2c370f669b6bf096dbf40ddcf
                          • Opcode Fuzzy Hash: 3df0e97420e045ad37b9059c8c80394b1e9f7e52b78737888a8463b4adaf63f6
                          • Instruction Fuzzy Hash: D7215971900209DFDB14DFA9C844BEEFBF5BF88310F108429E815A7250C775AA44CFA1

                          Control-flow Graph

                          APIs
                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 012E209B
                          Memory Dump Source
                          • Source File: 00000009.00000002.3805516356.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_12e0000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID: HookWindows
                          • String ID:
                          • API String ID: 2559412058-0
                          • Opcode ID: 8390a8d6ab1a6e056d5c1b0169acdfaf7aa35e6b9f6d9b8c7422b661cea62ed5
                          • Instruction ID: b580d2b7e250bfff531a7e63f312edf6cd0a4c2368c24fcef0a7074b5a14f7e3
                          • Opcode Fuzzy Hash: 8390a8d6ab1a6e056d5c1b0169acdfaf7aa35e6b9f6d9b8c7422b661cea62ed5
                          • Instruction Fuzzy Hash: BF2115719002099FDB14DFAAC948BEEFBF5BB88310F10842AE515A7290C775A940CFA5
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_104d000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                          • Instruction ID: 6f933b41bf82c2e36551b21c1b48faa5c9804446728304485b2ec63eda850286
                          • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                          • Instruction Fuzzy Hash: 6711DDB5504280DFDB16CF54D9C4B15BFB2FB84314F24C6AADC894B266C33AD44ACB61
                          Memory Dump Source
                          • Source File: 00000009.00000002.3802029424.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_9_2_104d000_LisectAVT_2403002B_378.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                          • Instruction ID: 25e90f0c9df2d591ee3e3272c9be2a4104088eebfff1da8bc6ffdf7b3891845d
                          • Opcode Fuzzy Hash: b45452ff36ccf171b58ba96a6db3430600b1fbfab4e67b74f20ffb50b37cf843
                          • Instruction Fuzzy Hash: 5A11D0B5504240DFDB12CF54D5C4B15BFA1FB44314F24C6A9E8894B252C33AD40ACF51

                          Execution Graph

                          Execution Coverage:11.6%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:366
                          Total number of Limit Nodes:21
                          • Execution graph (image not extracted): call graph over nodes in the 11ddxxx, 122xxxx, 2f2xxxx and 724xxxx regions. Resolved API calls on graph nodes: CallWindowProcW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, CreateActCtxA, GetModuleHandleW, LoadLibraryExW, CreateWindowExW, PostMessageW. The 7244xxx subgraph chains CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread.
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a16fef4633df4f42ed9f314ae98bb9f3b02f9c6d8f5b55e65849f3f4f6128e35
                          • Instruction ID: 3daa05d68cbbd1ba0180eb225afb1ba0032e4d4918c56157850514b1a42d0a4b
                          • Opcode Fuzzy Hash: a16fef4633df4f42ed9f314ae98bb9f3b02f9c6d8f5b55e65849f3f4f6128e35
                          • Instruction Fuzzy Hash: 2561B3B5E04219DFDB04EFEAC844AAEFBB2FF98311F108029E519AB255DB345946CF50

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0122D61E
                          • GetCurrentThread.KERNEL32 ref: 0122D65B
                          • GetCurrentProcess.KERNEL32 ref: 0122D698
                          • GetCurrentThreadId.KERNEL32 ref: 0122D6F1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1406120025.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1220000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: de2954fedf3b4c68674b2de5cfb9252deb55c45c0d8256c028f2878ce8c2c101
                          • Instruction ID: 0a94bc5037b577aa3eecd42de064942f044f5357470e7198b4171f2f58a306a5
                          • Opcode Fuzzy Hash: de2954fedf3b4c68674b2de5cfb9252deb55c45c0d8256c028f2878ce8c2c101
                          • Instruction Fuzzy Hash: 3A5135B09113499FDB24CFAAD548BEEBBF1BF88314F20C459E019A7250D7746984CB65

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0122D61E
                          • GetCurrentThread.KERNEL32 ref: 0122D65B
                          • GetCurrentProcess.KERNEL32 ref: 0122D698
                          • GetCurrentThreadId.KERNEL32 ref: 0122D6F1
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1406120025.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1220000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 569e9047a30d8138d116ca5cfc92f1a3d825e4b547e67171efd5ef21329fdd87
                          • Instruction ID: 20ff51d4ef4e1bdb285bd17059c511744a6d905188398d49dcd3bee5d0156213
                          • Opcode Fuzzy Hash: 569e9047a30d8138d116ca5cfc92f1a3d825e4b547e67171efd5ef21329fdd87
                          • Instruction Fuzzy Hash: 3F5144B0D102499FDB28CFAAD548BEEBBF1BF88314F20C459E009A7250DB746984CF65

                          Control-flow Graph

                          • Control-flow graph (image not extracted; executed/not-executed node colouring lost): basic blocks 7244a7c-7244dcd; API call CreateProcessA in block 7244c17-7244cd1
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07244CBE
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: a938a636c0804ace33708a7b3fe0b5f34bea99a4d554d3dcc0acaa8174fc1ca4
                          • Instruction ID: 6fc4d59b572ba1e525e5fbb7be0e6ec1f639e74c7d3cc9c5e8379772b301afc1
                          • Opcode Fuzzy Hash: a938a636c0804ace33708a7b3fe0b5f34bea99a4d554d3dcc0acaa8174fc1ca4
                          • Instruction Fuzzy Hash: 6FA17CB1D1025ADFEF24DFA8C8417EEBBB6BF44314F1481A9D818A7240DB749985CF91

                          Control-flow Graph

                          • Control-flow graph (image not extracted; executed/not-executed node colouring lost): basic blocks 7244a88-7244dcd; API call CreateProcessA in block 7244c17-7244cd1
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07244CBE
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: f1399c6c59aec74bb29f42f4385f5f0191de2daf8f719e3e9f95c1c13219841c
                          • Instruction ID: eaaf9878ea7bb8e6253263b59929333e03b7132565a39da4a559d18c74835c63
                          • Opcode Fuzzy Hash: f1399c6c59aec74bb29f42f4385f5f0191de2daf8f719e3e9f95c1c13219841c
                          • Instruction Fuzzy Hash: 8E917DB1D1025ACFEF24DFA8C841BEEBBB6BF44314F1481A9D818A7240DB749985CF91

                          Control-flow Graph

                          • Control-flow graph (image not extracted; executed/not-executed node colouring lost): basic blocks 122b2ff-122b590; API call GetModuleHandleW in block 122b548-122b573; internal calls to 1229d84, 122b59f/122b5a8, 122af74, 122af84, 122af94, 122afa4
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0122B566
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1406120025.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1220000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: df08e625702dd5d8407a12473a109e171a4af1684b8bb55ceb791d733a7038da
                          • Instruction ID: 621ac76cd8a0424174713bae9bb6bf62e9aa3a6cfd904a49097321c4d2adce49
                          • Opcode Fuzzy Hash: df08e625702dd5d8407a12473a109e171a4af1684b8bb55ceb791d733a7038da
                          • Instruction Fuzzy Hash: BC815670A10B56AFDB25DF29D0507AABBF1FF88304F00892ED586D7A50D779E845CB90

                          Control-flow Graph

                          • Control-flow graph (image not extracted; executed/not-executed node colouring lost): basic blocks 2f21dd7-2f21f49; API call CreateWindowExW in block 2f21e9b-2f21efa
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F21EEA
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1407143998.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_2f20000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 6cd40274d7b91e4494bf2027ec664bde39e40dbe60641801cd51ca74c7e7a984
                          • Instruction ID: 9f6e56e835354b6b09aeb086fe0328304768c79292feaa00916ace4bc6887150
                          • Opcode Fuzzy Hash: 6cd40274d7b91e4494bf2027ec664bde39e40dbe60641801cd51ca74c7e7a984
                          • Instruction Fuzzy Hash: DF41C0B1D00359DFDB14CFAAC884ADEBFB5BF48310F24812AE519AB211D775A845CF94

                          Control-flow Graph

                          • Control-flow graph (image not extracted; executed/not-executed node colouring lost): basic blocks 2f21dd8-2f21f49; API call CreateWindowExW in block 2f21e5b-2f21efa
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F21EEA
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1407143998.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_2f20000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 388699cd21fe01bf4670b7eadf97a874a9e842933420bbd1cee8b8218c46d553
                          • Instruction ID: 03264b84903987998e13f84b98ca88e894e08dc89d38aa4626d44226382e2d0d
                          • Opcode Fuzzy Hash: 388699cd21fe01bf4670b7eadf97a874a9e842933420bbd1cee8b8218c46d553
                          • Instruction Fuzzy Hash: 0241C0B1D00359DFDB14CF9AC884ADEBBB5BF48310F24812AE519AB211D775A845CF94

                          Control-flow Graph

                          • Control-flow graph (image not extracted; executed/not-executed node colouring lost): basic blocks 2f2163c-2f244bc; API call CallWindowProcW in block 2f2443a-2f24472; internal call to 2f21514
                          APIs
                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 02F24461
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1407143998.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_2f20000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: CallProcWindow
                          • String ID:
                          • API String ID: 2714655100-0
                          • Opcode ID: cec5664afc940e4e587d38a411335219a6cd03e644fc945ae3fb631ede02c003
                          • Instruction ID: 62ac3a8ad4eb15ee03f2a42c5eb9f96de4b4f3e37ce116bfc64ba6cb2c7b6239
                          • Opcode Fuzzy Hash: cec5664afc940e4e587d38a411335219a6cd03e644fc945ae3fb631ede02c003
                          • Instruction Fuzzy Hash: 2B412AB5A00319CFDB14CF99C548BAABBF5FB89314F24C499E519AB321D374A845CFA0

                          Control-flow Graph

                          • Executed
                          • Not Executed
control_flow_graph (rendered graph): function at 12244b0, calls CreateActCtxA
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 012259C9
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1406120025.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1220000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: bb1132b6d704dab1f2c666851d65b2861bf6a1854945ab508460d1b4c0d1ae68
                          • Instruction ID: 7a0ed9dce95901c2720878691b7c42d618e20eb3a25f54b00f73f66d916bc6d5
                          • Opcode Fuzzy Hash: bb1132b6d704dab1f2c666851d65b2861bf6a1854945ab508460d1b4c0d1ae68
                          • Instruction Fuzzy Hash: F641E270C10729DBEB24DFAAC8457DEBBB5BF49304F24806AD408AB251D7B16945CF90

                          Control-flow Graph

                          • Executed
                          • Not Executed
control_flow_graph (rendered graph): function at 72443f8, calls WriteProcessMemory
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07244490
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 31d84d05598f425b8c5415b8ab19098b2659560ec6247db4e6ee53133ba6e985
                          • Instruction ID: 075f02ce89cb10e0de10d8f11f3579832de9dfa47ba0a5ee53620e9affda3306
                          • Opcode Fuzzy Hash: 31d84d05598f425b8c5415b8ab19098b2659560ec6247db4e6ee53133ba6e985
                          • Instruction Fuzzy Hash: 8A2146B19003499FDB10DFA9C884BEEBBF1FF48310F10842AE958A7240C7789950CFA4

                          Control-flow Graph

                          • Executed
                          • Not Executed
control_flow_graph (rendered graph): function at 7244260, calls Wow64SetThreadContext
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072442E6
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: cbc36ae51a395e4f96e7a792278895516d5d4ba1cf42f7a2078d866093ddec3e
                          • Instruction ID: b7ad89fe8c63404338e56e5a191e92ae02849f773ecd03ce70b9530818a39236
                          • Opcode Fuzzy Hash: cbc36ae51a395e4f96e7a792278895516d5d4ba1cf42f7a2078d866093ddec3e
                          • Instruction Fuzzy Hash: 692166B1D003499FDB14DFAAC8847EFBBF4EF58210F10842AD458A7240D7789985CFA4

                          Control-flow Graph

                          • Executed
                          • Not Executed
control_flow_graph (rendered graph): function at 7244400, calls WriteProcessMemory
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07244490
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 4a171ea12f3e9b419a851fac306e8dc231e3bbaf341ba0b7ed056d4216b0e8c3
                          • Instruction ID: 1dc9275efef77eddf1a52d327fe48bcf54b6cffb142a195986ca6873977e8ee9
                          • Opcode Fuzzy Hash: 4a171ea12f3e9b419a851fac306e8dc231e3bbaf341ba0b7ed056d4216b0e8c3
                          • Instruction Fuzzy Hash: 612139B19003599FDF10DFAAC885BDEBBF5FF48310F10842AE958A7240D7789950CBA4

                          Control-flow Graph

                          • Executed
                          • Not Executed
control_flow_graph (rendered graph): function at 72444e8, calls ReadProcessMemory
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07244570
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 9ca900048b128321e71f8884147a965cc2ee8351b6ed4fdf80e5c1bcedbbad9f
                          • Instruction ID: da926c8f54840300500bb9d10c648f30882c3b4985ac26724cc2af14ddbe17fb
                          • Opcode Fuzzy Hash: 9ca900048b128321e71f8884147a965cc2ee8351b6ed4fdf80e5c1bcedbbad9f
                          • Instruction Fuzzy Hash: 272116B18003499FDB10DFAAC884BEEFBF5FF48310F10882AE959A7250D7789551CBA5

                          Control-flow Graph

                          • Executed
                          • Not Executed
control_flow_graph (rendered graph): function at 72444f0, calls ReadProcessMemory
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07244570
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 5d750fd13aa36363e815316c4d729c2ecfa82e310aa8a7aff9b4c47056c0438b
                          • Instruction ID: f3c8a9d7291edc070836f00380704fa8089d7e69287d44a9ed8654c2a60d1072
                          • Opcode Fuzzy Hash: 5d750fd13aa36363e815316c4d729c2ecfa82e310aa8a7aff9b4c47056c0438b
                          • Instruction Fuzzy Hash: 4B2114B18003499FDB10DFAAC880BEEBBF5FF48310F10842AE919A7250D7789950CBA4

                          Control-flow Graph

                          • Executed
                          • Not Executed
control_flow_graph (rendered graph): function at 7244268, calls Wow64SetThreadContext
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 072442E6
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 2241a9efab94776e45e7da1e13ad0042cc94439f153dcdf09b74676d0c77d7e3
                          • Instruction ID: 6b526645c21358bfc235a98bb063e01b0d1929ac65f951f999cb52ea9ad9ee5c
                          • Opcode Fuzzy Hash: 2241a9efab94776e45e7da1e13ad0042cc94439f153dcdf09b74676d0c77d7e3
                          • Instruction Fuzzy Hash: FF2138B1D003099FDB14DFAAC4857EEBBF4AF48310F14842AD459A7240DB789944CFA4
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0122D86F
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1406120025.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1220000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: bc996926faf544718b9e5380dfe1f422eef23f531d00ead812673f3d5eaaacc8
                          • Instruction ID: 3dd3e52e4cdfd6b659525cb10e844bd39ce890a798b3494ebee800c1794cba5b
                          • Opcode Fuzzy Hash: bc996926faf544718b9e5380dfe1f422eef23f531d00ead812673f3d5eaaacc8
                          • Instruction Fuzzy Hash: 0A21E6B590024CAFDB10CF9AD484ADEBBF4FB48310F14801AE918A7350D374A950CF65
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072443AE
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 935b836b6d6e4105d8d7bc9eebd30f170b1c353363da2e84a3c282542062aaf7
                          • Instruction ID: 46586747ce54715930fb79a1a2dc66aef8bb53ca419a78093bdb49abe8be6e22
                          • Opcode Fuzzy Hash: 935b836b6d6e4105d8d7bc9eebd30f170b1c353363da2e84a3c282542062aaf7
                          • Instruction Fuzzy Hash: 1A1126729042899FDB10DFAAD844BEFBFF5EF48310F24881AE515A7250C7B5A550CFA0
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0122B5E1,00000800,00000000,00000000), ref: 0122B7F2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1406120025.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1220000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 14d76730d3f76b6cacc715cb2636c0807838ce2a4113c046afd8cdaf8401cb73
                          • Instruction ID: b9982a6aee33adc875275f368a226a030c636ad8c8da3661fa6b10bea2b5f9c9
                          • Opcode Fuzzy Hash: 14d76730d3f76b6cacc715cb2636c0807838ce2a4113c046afd8cdaf8401cb73
                          • Instruction Fuzzy Hash: B21112B68003499FDB24CF9AC444BEEFBF4EB58310F14842AE519AB200C3B5A545CFA5
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0122B5E1,00000800,00000000,00000000), ref: 0122B7F2
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1406120025.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1220000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 044affcb799e5c4970de1ad75e8286caeca83dd99314703ce76d77ad556564ad
                          • Instruction ID: 2f34283eecc981e8c42b6f070f2f7e2466ad9f00c526c5c890dfd1516d444085
                          • Opcode Fuzzy Hash: 044affcb799e5c4970de1ad75e8286caeca83dd99314703ce76d77ad556564ad
                          • Instruction Fuzzy Hash: D71103B68002499FDB24CFAAC444AEEFBF5BB98310F14842AE519A7200C3B5A545CFA5
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072443AE
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 0c7089c0d54d28ced64251dd0d4ad9e0f1ae768e023dadfb7999579118fa987f
                          • Instruction ID: cf28fef02d5faa4a7a971fd5bca549cdb2b0231bc51b2f920f646f38b954d718
                          • Opcode Fuzzy Hash: 0c7089c0d54d28ced64251dd0d4ad9e0f1ae768e023dadfb7999579118fa987f
                          • Instruction Fuzzy Hash: 191137728003499FDB10DFAAC845BDFBBF5EF48320F248419E515A7250C775A550CFA4
                          APIs
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 92ecbf2d6e8516295713a4284e7ff22a31fec6f3a1dfa2ba855feb7729d033a6
                          • Instruction ID: e009cf5ee2357acd0d0d90772abb60e2930f064686a596083804e13d6c1ab0f7
                          • Opcode Fuzzy Hash: 92ecbf2d6e8516295713a4284e7ff22a31fec6f3a1dfa2ba855feb7729d033a6
                          • Instruction Fuzzy Hash: 401146B19002498FDB20DFAAC8457EEFBF4EF48324F24846AD419A7240CB759944CBA4
                          APIs
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: e1b74899b970d1741a5d5776b368c2c4ca7096c368db83fe527e4a3713e3b304
                          • Instruction ID: b8b1456e3c3c10b02580ab6417b42312c36b68e548ad8d6fff6b129f374d3461
                          • Opcode Fuzzy Hash: e1b74899b970d1741a5d5776b368c2c4ca7096c368db83fe527e4a3713e3b304
                          • Instruction Fuzzy Hash: 2C1128B19003498BDB24DFAAC8457DFFBF4AF48224F24842AD519A7240C775A540CBA5
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0122B566
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1406120025.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_1220000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: aa74c6c9c3d828e35af022a7d819a1d90803c3270b8ea7de5736f7a485495318
                          • Instruction ID: ce4c24c928dd56520112b3157bce7d50753f20160ba2eaffef9c188f4fe4785b
                          • Opcode Fuzzy Hash: aa74c6c9c3d828e35af022a7d819a1d90803c3270b8ea7de5736f7a485495318
                          • Instruction Fuzzy Hash: 331110B6C002499FDB20CFAAD444BDEFBF4AB88320F10842AD518BB210C379A545CFA1
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07247835
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 1b77e8b6ac8c5b0b56bf70a20ce3ea78c716301c8c5cc3e6bd6508eac67240f0
                          • Instruction ID: 4bb44e51117d8e36d97b2059536a18ec35662783cefdd23e42fe2f26b4b80af8
                          • Opcode Fuzzy Hash: 1b77e8b6ac8c5b0b56bf70a20ce3ea78c716301c8c5cc3e6bd6508eac67240f0
                          • Instruction Fuzzy Hash: 9A11E3B5800249DFDB21DF9AC845BDEBBF8FB48310F10842AE918A7210D3B5A954CFA1
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07247835
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1409910264.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7240000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 7644da944de826062f3d98aea34b36c28c6cd8d42c111777be973bec477c3c5a
                          • Instruction ID: f1b88dfd89fc1d312993948ab30076e5d9d5fd8c82a5fb37af468e3d5ab81617
                          • Opcode Fuzzy Hash: 7644da944de826062f3d98aea34b36c28c6cd8d42c111777be973bec477c3c5a
                          • Instruction Fuzzy Hash: 5E0105B08103499FDB10DF9AC885B9EBFF8FB08310F108419E414A7350D3B4A540CFA5
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f6ca67c4790f6bf1bda458a94e56472fccb4db8e157294898459ba5084771858
                          • Instruction ID: 689e8607b5bc34c4f59a2a104bd8d27460163d83db53dd042d4f381830eec8fb
                          • Opcode Fuzzy Hash: f6ca67c4790f6bf1bda458a94e56472fccb4db8e157294898459ba5084771858
                          • Instruction Fuzzy Hash: A5E10231A09741CFC719DF28D884B69BFB1EF81312F15899EE446CBAA2C731E849C791
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 182c971d3363ff3078495b470ecca4fed14609b8214158ebd6c3a4a4cb4eb2ec
                          • Instruction ID: 565e28e8e5e961be336202be15156d3e0f2c33fb9915bbd9f60d510341832768
                          • Opcode Fuzzy Hash: 182c971d3363ff3078495b470ecca4fed14609b8214158ebd6c3a4a4cb4eb2ec
                          • Instruction Fuzzy Hash: 9BB13B70E1531ADFDB04DFA4D880ADDBBB6FF88711F208619D41AAB655DB30A846CF50
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d2d6d0bf2d5ffc5d577bbe9c356de0ae403add071aef3b9206db1fd59cdff87a
                          • Instruction ID: c64904e787506ce20077c2f54353832e5ab2e992c08a906e1deddbb2cd2a40f8
                          • Opcode Fuzzy Hash: d2d6d0bf2d5ffc5d577bbe9c356de0ae403add071aef3b9206db1fd59cdff87a
                          • Instruction Fuzzy Hash: 2771C07140A792CFD30AEF65F4582587FB0FB42301B5A84CED486CBA93C77648A9C71A
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dde3231a7b7efefa06a21bbeaaed4cbd78a10879476ad3a15c33a18328c9df69
                          • Instruction ID: 9f05ef8b820a21ac04ba840040a230c707cc108571814dd25c2f530c66625ffd
                          • Opcode Fuzzy Hash: dde3231a7b7efefa06a21bbeaaed4cbd78a10879476ad3a15c33a18328c9df69
                          • Instruction Fuzzy Hash: 4C518E31601705CFCB48CF29C5C4E6AFBB2FF80312B16859AE446CBAA6C770E845CB90
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2599b1222d43decddf2f7eb99b51d5f343eea6eeda9084870e6488f5cf66e4cb
                          • Instruction ID: 882dec5a5b858c8540c0f331779b23ede2c0ff45885d8746982bd7c4f65540f1
                          • Opcode Fuzzy Hash: 2599b1222d43decddf2f7eb99b51d5f343eea6eeda9084870e6488f5cf66e4cb
                          • Instruction Fuzzy Hash: F4518C31601705CFCB08CF1AC5C4E2AF7B2FF80302B42859AE446CBAA6C770E845CB94
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 02daae35b600809d1d35a3c23b8637d273f33791e11bf3153f576551942784b0
                          • Instruction ID: c7af11616e59f7887cc14b39e3238e726a21db223a28e26e566ecacbd75febcd
                          • Opcode Fuzzy Hash: 02daae35b600809d1d35a3c23b8637d273f33791e11bf3153f576551942784b0
                          • Instruction Fuzzy Hash: 5B31F471A09384AFCB16CBB8CD156A97FF99F46250B0841EFE846CB6A2E631DD06C311
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 08564d97800d19c607ba8701963f734f04cc8e67209d21905fe16642df2c3099
                          • Instruction ID: 08fd6befbe10ea1574ac74b6cb6452bba0b150667b656c8b9eda2d81b9dee5d4
                          • Opcode Fuzzy Hash: 08564d97800d19c607ba8701963f734f04cc8e67209d21905fe16642df2c3099
                          • Instruction Fuzzy Hash: 4B3148B6900308AFDB10DFA9D845ADEBFF5EB49310F14842AE809E7310D775A955CFA4
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fb989828355dd54bf37f2a3a057a433a674078a5af44df94363fc4338f2a4f7c
                          • Instruction ID: 38667b13f38464a4f651fa59e73545f6982a840ff7d6e482555505a7953085c7
                          • Opcode Fuzzy Hash: fb989828355dd54bf37f2a3a057a433a674078a5af44df94363fc4338f2a4f7c
                          • Instruction Fuzzy Hash: A221BF75B143058FCB16AB78985867F7BFAEFC9211718492EE41ADB380EE349C068761
                          Memory Dump Source
                          • Source File: 0000000B.00000002.1410589393.0000000008AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08AD0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_8ad0000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Instruction Fuzzy Hash: 2E219A30E05204CFDB69DBB8D9557ADBBF1AF85310F5581AAD809EB285EB348E51CB80
                          Memory Dump Source
                          • Source File: 00000012.00000002.1435511464.0000000001A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_1a30000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 91024ac4916d4bc3088551bab785b946860aec6b674a7710349f6238a75435fb
                          • Instruction ID: 65f783fcf185e4536268849dd6e1156d8f9b8f2f2bffdfe1d699c41e3ab0c672
                          • Opcode Fuzzy Hash: 91024ac4916d4bc3088551bab785b946860aec6b674a7710349f6238a75435fb
                          • Instruction Fuzzy Hash: 3F217C70E00209DFDB01EFB8E8486ADBBB2FF88610F108969D405A7354DB35AE40CF99
                          Memory Dump Source
                          • Source File: 00000012.00000002.1435511464.0000000001A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_1a30000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f19d01dd32a852f724ee3955ccd71d8d80c5ccd755586562f329aa42f9796501
                          • Instruction ID: 8f41191fb44478c9fdab09dd6675b5d9c902f61be5662af80599cf170a2522b4
                          • Opcode Fuzzy Hash: f19d01dd32a852f724ee3955ccd71d8d80c5ccd755586562f329aa42f9796501
                          • Instruction Fuzzy Hash: B621BBB0B41349DFDB01DB28F888A9577B5FB48764B009AA4D4048B225DB78AD0ACFD6
                          Memory Dump Source
                          • Source File: 00000012.00000002.1435511464.0000000001A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_18_2_1a30000_IVsIyeJQN.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 98d2fd086631f0d4bc5c51c052226b0219262780865f57bfb763041d94fa5286
                          • Instruction ID: e93a17fdda6e2ff88bf72500f40817fff4abbda7156b5e9eef83ca10650177f3
                          • Opcode Fuzzy Hash: 98d2fd086631f0d4bc5c51c052226b0219262780865f57bfb763041d94fa5286
                          • Instruction Fuzzy Hash: 5F119DB0B10309DFDB01DF1CF988A9577E5F7487A4B009AA4D4048B215DB78AD0ADFD6