Windows Analysis Report
LisectAVT_2403002A_52.exe

Overview

General Information

Sample name: LisectAVT_2403002A_52.exe
Analysis ID: 1482189
MD5: 52cb8bfa6bc3ffa539d9aba0ada28842
SHA1: 12421664688e01c7500cb7c82fc67672558c6ff3
SHA256: dadafd098dc94e3706b0e84b36042b4dced32a372c4b086d85df4a23943b88ac
Tags: exe, Formbook

Detection

Detected as: AgentTesla
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2

Process Tree

  • System is w10x64
  • LisectAVT_2403002A_52.exe (PID: 2748, cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_52.exe", MD5: 52CB8BFA6BC3FFA539D9ABA0ADA28842)
    • LisectAVT_2403002A_52.exe (PID: 6380, cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_52.exe", MD5: 52CB8BFA6BC3FFA539D9ABA0ADA28842)
  • cleanup
Threat name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.thanhancompony.com", "Username": "holger.werth@thanhancompony.com", "Password": "aSkIhV^3"}
Memory dump Yara matches (source, rule, description, author):
  • 00000003.00000002.4472594984.00000000029AE000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla), Joe Security
  • 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), Joe Security
  • 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla), Joe Security
  • 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), Joe Security
  • 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla), Joe Security
  (7 further entries not included in this export)
Unpacked PE Yara matches (source, rule, description, author):
  • 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.unpack: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), Joe Security
  • 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.unpack: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla), Joe Security
  • 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.unpack: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (Detects executables referencing Windows vault credential objects. Observed in infostealers), ditekSHen. Matched strings:
    • 0x3320b: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x3327d: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x33307: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x33399: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x33403: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x33475: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x3350b: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x3359b: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.unpack: JoeSecurity_CredentialStealer (Yara detected Credential Stealer), Joe Security
  • 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.unpack: JoeSecurity_AgentTesla_1 (Yara detected AgentTesla), Joe Security
  (13 further entries not included in this export)
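The VaultSchemaGUID match above fires on eight Windows Credential Manager schema GUIDs found in the unpacked image. The following Python is an added example (not the Yara rule itself and not code from the Joe Sandbox report) that reproduces the idea of the match outside Yara: it searches a byte buffer for those eight GUIDs in both ASCII and UTF-16LE and decides whether the image looks like a vault stealer. The eight GUID values are the $s1..$s8 strings listed in the match; the ascii/wide matching, the "at least five distinct GUIDs" threshold, the schema names in the comments (taken from public Credential Manager documentation, not from the report) and the sample blob are this example's assumptions.

```python
"""Search a binary for the Windows vault schema GUIDs matched by the
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID rule.

Added example; not the rule and not code from the report. The GUID set is
the rule's matched strings above; everything else is an assumption.
"""
import re

# GUID -> vault schema name. Names are assumed from public documentation
# of Windows Credential Manager and are informational only.
VAULT_SCHEMA_GUIDS = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}

MIN_DISTINCT_GUIDS = 5  # assumed threshold, not the rule's published condition


def find_vault_guids(data: bytes):
    """Return sorted (offset, guid, encoding) for every ASCII or UTF-16LE hit.

    Matching is case-insensitive because .NET code may embed GUIDs in either
    case; IGNORECASE on a bytes pattern covers the ASCII letters in both the
    narrow and the UTF-16LE ('wide') form.
    """
    hits = []
    for guid in VAULT_SCHEMA_GUIDS:
        for encoding, needle in (("ascii", guid.encode("ascii")),
                                 ("wide", guid.encode("utf-16-le"))):
            pattern = re.compile(re.escape(needle), re.IGNORECASE)
            for m in pattern.finditer(data):
                hits.append((m.start(), guid, encoding))
    return sorted(hits)


def is_vault_stealer_candidate(data: bytes) -> bool:
    """A PE image ('MZ' header) referencing several distinct vault schemas."""
    if data[:2] != b"MZ":
        return False
    distinct = {guid for _, guid, _ in find_vault_guids(data)}
    return len(distinct) >= MIN_DISTINCT_GUIDS


def build_sample_blob() -> bytes:
    """Constructed stand-in for an unpacked .NET image: an MZ header, filler,
    six GUIDs stored the way the CLR user-string heap stores them (UTF-16LE,
    here in lower case) and one GUID repeated as an ASCII string."""
    blob = bytearray(b"MZ" + b"\x00" * 0x100)
    for guid in list(VAULT_SCHEMA_GUIDS)[:6]:
        blob += guid.lower().encode("utf-16-le") + b"\x00\x00"
    blob += b"Web Credentials=" + b"4BF4C442-9B8A-41A0-B380-DD4A704DDB28"
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample_blob()
    for offset, guid, enc in find_vault_guids(sample):
        print(f"0x{offset:x}: {guid} ({enc}) {VAULT_SCHEMA_GUIDS[guid]}")
    print("vault stealer candidate:", is_vault_stealer_candidate(sample))
```

Run against a real dump, `find_vault_guids(open(path, "rb").read())` gives the same offset list the Yara match prints above; the offsets in the report (0x3320b onwards) are positions inside the unpacked image, not the file on disk.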

                    System Summary

Sigma match: Suspicious Outbound SMTP Connections (author: frack113). Source: Network Connection. Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe, Initiated: true, ProcessId: 6380, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708

Snort: no rule has matched.

IDS alerts (SID 2022930, protocol TCP, classtype: A Network Trojan was detected):
  • 2024-07-25T19:18:03.679925+0200, source port 443 -> destination port 49712
  • 2024-07-25T19:18:42.168834+0200, source port 443 -> destination port 49719
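The Sigma match above is one Sysmon-style network-connection record: the sample's child process (PID 6380) opened TCP 587 to 208.91.198.143, which is the SMTP host from the extracted configuration. As an added example (not part of the Joe Sandbox report and not the Sigma rule's own code), the following Python applies the same logic to flattened Event ID 3 records: an initiated TCP connection to a mail-submission port from an image that is not a known mail client. The mail-client allowlist, the port set and the two negative records are assumptions constructed for the example; only the first record reproduces the values in the report.

```python
"""Flag outbound SMTP connections from processes that are not mail clients.

Added example, not from the report. Mirrors the 'Suspicious Outbound SMTP
Connections' logic on Sysmon Event ID 3 records flattened as
'Key: value, Key: value' text, the form the report prints them in.
"""
from dataclasses import dataclass

SMTP_PORTS = {25, 465, 587, 2525}  # assumed set of mail-submission ports

# Assumed allowlist; tune to the mail clients actually deployed.
MAIL_CLIENT_ALLOWLIST = {
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\mozilla thunderbird\thunderbird.exe",
}


@dataclass(frozen=True)
class NetConn:
    event_id: int
    image: str
    process_id: int
    protocol: str
    initiated: bool
    dst_ip: str
    dst_port: int


def parse_sysmon_line(line: str) -> NetConn:
    """Parse one flattened record. Keys are the Sysmon Event ID 3 field names."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return NetConn(
        event_id=int(fields["EventID"]),
        image=fields["Image"],
        process_id=int(fields["ProcessId"]),
        protocol=fields["Protocol"].lower(),
        initiated=fields["Initiated"].lower() == "true",
        dst_ip=fields["DestinationIp"],
        dst_port=int(fields["DestinationPort"]),
    )


def is_suspicious_smtp(conn: NetConn) -> bool:
    """True for an initiated TCP connection to an SMTP port from a non-mail-client image."""
    if conn.event_id != 3 or conn.protocol != "tcp" or not conn.initiated:
        return False
    if conn.dst_port not in SMTP_PORTS:
        return False
    return conn.image.lower() not in MAIL_CLIENT_ALLOWLIST


def find_suspicious(lines):
    """Return (image, pid, 'ip:port') for every suspicious record in order."""
    hits = []
    for line in lines:
        conn = parse_sysmon_line(line)
        if is_suspicious_smtp(conn):
            hits.append((conn.image, conn.process_id, f"{conn.dst_ip}:{conn.dst_port}"))
    return hits


# Constructed records. The first carries the values from the report's Sigma
# match; the second is a mail client (allowlisted), the third is the same
# malware process on a non-SMTP port. 198.51.100.25 is a documentation address.
SAMPLE_EVENTS = [
    "DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, "
    "Image: C:\\Users\\user\\Desktop\\LisectAVT_2403002A_52.exe, Initiated: true, ProcessId: 6380, "
    "Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708",
    "DestinationIp: 198.51.100.25, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, "
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE, Initiated: true, ProcessId: 4120, "
    "Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49800",
    "DestinationIp: 208.95.112.1, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, "
    "Image: C:\\Users\\user\\Desktop\\LisectAVT_2403002A_52.exe, Initiated: true, ProcessId: 6380, "
    "Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49712",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious SMTP:", hit)
```

The allowlist is matched on the full lower-cased image path rather than on the file name, so a stealer dropped as `outlook.exe` in a user-writable directory is still flagged.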

                    AV Detection

Source: LisectAVT_2403002A_52.exe; Avira: detected
Source: http://smtp.thanhancompony.com; Avira URL Cloud: Label: malware
Source: 3.2.LisectAVT_2403002A_52.exe.400000.0.unpack; Malware Configuration Extractor: AgentTesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.thanhancompony.com", "Username": "holger.werth@thanhancompony.com", "Password": "aSkIhV^3"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_52.exe; Joe Sandbox ML: detected
Source: LisectAVT_2403002A_52.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_52.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: NutW.pdb; source: LisectAVT_2403002A_52.exe
Source: Binary string: NutW.pdbSHA256; source: LisectAVT_2403002A_52.exe

                    Networking

Source: Yara match; File source: 3.2.LisectAVT_2403002A_52.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.5:49708 -> 208.91.198.143:587
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.91.198.143
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; ASN Name: TUT-ASUS
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: smtp.thanhancompony.com
Source: LisectAVT_2403002A_52.exe; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: LisectAVT_2403002A_52.exe; String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002951000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: LisectAVT_2403002A_52.exe, 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.0000000002951000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: LisectAVT_2403002A_52.exe; String found in binary or memory: http://ocsp.comodoca.com0
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002951000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029B4000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.0000000002D81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://smtp.thanhancompony.com
Source: LisectAVT_2403002A_52.exe; String found in binary or memory: http://tempuri.org/Locations.xsdkServer=ARCHIT;Database=Sample;Trusted_Connection=TrueUPlease
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029B4000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4472594984.0000000002D81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: LisectAVT_2403002A_52.exe, 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: LisectAVT_2403002A_52.exe; String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, l8rGfzxi.cs; .Net Code: _8em
Source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.raw.unpack, l8rGfzxi.cs; .Net Code: _8em
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe; Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 3.2.LisectAVT_2403002A_52.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (author: ditekSHen)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe; Code functions: 0_2_00A9DFCC, 0_2_02352F24, 3_2_02924330, 3_2_0292A6A8, 3_2_0292EE80, 3_2_0292AE68, 3_2_02923FE8, 3_2_02924C00, 3_2_06647E48, 3_2_066466C0, 3_2_06645688, 3_2_06642438, 3_2_0664C260, 3_2_0664B308, 3_2_06647768, 3_2_0664E480, 3_2_06645DC8, 3_2_06640040, 3_2_06640038
Source: LisectAVT_2403002A_52.exe, 00000000.00000002.2022896247.0000000006A70000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe, 00000000.00000002.2019503270.000000000086E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe, 00000000.00000000.1996582834.000000000016C000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameNutW.exeX vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe, 00000000.00000002.2020003772.0000000002522000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamec9068e07-2280-46f8-aac1-0dfb13d8304a.exe4 vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe, 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamec9068e07-2280-46f8-aac1-0dfb13d8304a.exe4 vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe, 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4471298509.0000000000B59000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamec9068e07-2280-46f8-aac1-0dfb13d8304a.exe4 vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe; Binary or memory string: OriginalFilenameNutW.exeX vs LisectAVT_2403002A_52.exe
Source: LisectAVT_2403002A_52.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 3.2.LisectAVT_2403002A_52.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID (author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers)
Source: LisectAVT_2403002A_52.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, N1EZ.cs; Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, arzrv9AWTXK.cs; Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, InmxgXcIi8d.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, InmxgXcIi8d.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, k8NhOcl5rOqbRfggyX.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, k8NhOcl5rOqbRfggyX.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, sTGsWV1GJpy2U01jre.cs; Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, sTGsWV1GJpy2U01jre.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, sTGsWV1GJpy2U01jre.cs; Security API names: _0020.AddAccessRule
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, sTGsWV1GJpy2U01jre.cs; Security API names: _0020.SetAccessControl
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, sTGsWV1GJpy2U01jre.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, sTGsWV1GJpy2U01jre.cs; Security API names: _0020.AddAccessRule
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_52.exe.log
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe; Mutant created: NULL
Source: LisectAVT_2403002A_52.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (40 identical queries)
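The WMI trace above shows the sample polling Win32_Processor in a loop, and the signature list names Win32_VideoController, Win32_NetworkAdapter, Win32_Bios, Win32_BaseBoard and Win32_ComputerSystem as further classes it reads to decide whether it is running in a virtual machine. No single one of these queries is suspicious; legitimate inventory tools issue them too. What distinguishes VM fingerprinting is the cluster of hardware classes read by one process. The following Python is an added example (not part of the Joe Sandbox report) that parses trace lines in the report's own `IWbemServices::ExecQuery - root\cimv2 : ...` format and scores the set of classes a process touched, counting each class once so the 40-fold Win32_Processor loop cannot dominate. The class weights, the alert threshold and the benign trace are this example's assumptions; the malicious trace is constructed from the classes the report lists.

```python
"""Score a process's WMI queries for the VM-fingerprinting cluster.

Added example, not from the report. Parses trace lines shaped like
'IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Processor'.
Weights and threshold are assumptions for illustration.
"""
import re
from collections import Counter

# WMI classes commonly read by VM-detection code (assumed weights).
VM_FINGERPRINT_CLASSES = {
    "win32_processor": 1,
    "win32_videocontroller": 2,
    "win32_networkadapter": 1,
    "win32_bios": 2,
    "win32_baseboard": 2,
    "win32_computersystem": 2,
}
ALERT_THRESHOLD = 5  # assumed; one hardware class alone never reaches it

_LINE = re.compile(
    r"IWbemServices::(?P<method>ExecQuery|CreateInstanceEnum)\s*-\s*"
    r"(?P<ns>\S+)\s*:\s*(?P<query>.+)$",
    re.IGNORECASE,
)
_CLASS = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)


def wmi_class_of(line: str):
    """Return the lower-cased WMI class a trace line touches, or None for non-WMI lines.

    ExecQuery lines carry a WQL statement (class after FROM); CreateInstanceEnum
    lines carry the bare class name.
    """
    m = _LINE.search(line)
    if not m:
        return None
    query = m.group("query").strip()
    cls = _CLASS.search(query)
    return (cls.group(1) if cls else query).lower()


def score_queries(lines):
    """Return (score, counts). counts maps class -> number of queries seen.

    The score sums the weight of each distinct class, so repeats only show up
    in counts and do not inflate the score."""
    counts = Counter()
    for line in lines:
        cls = wmi_class_of(line)
        if cls:
            counts[cls] += 1
    score = sum(VM_FINGERPRINT_CLASSES.get(cls, 0) for cls in counts)
    return score, counts


def is_vm_fingerprinting(lines) -> bool:
    score, _ = score_queries(lines)
    return score >= ALERT_THRESHOLD


# Constructed traces. SAMPLE_TRACE reproduces the shape of the report: one
# CreateInstanceEnum, 40 identical Win32_Processor queries, then the other
# hardware classes named in the signature list. BENIGN_TRACE is an assumed
# inventory-style process that reads two classes.
PREFIX = r"IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM "
SAMPLE_TRACE = (
    [r"IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor"]
    + [PREFIX + "Win32_Processor"] * 40
    + [PREFIX + "Win32_VideoController", PREFIX + "Win32_NetworkAdapter",
       PREFIX + "Win32_Bios", PREFIX + "Win32_BaseBoard", PREFIX + "Win32_ComputerSystem"]
)
BENIGN_TRACE = [PREFIX + "Win32_Processor", PREFIX + "Win32_OperatingSystem"]

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        score, counts = score_queries(trace)
        print(f"{name}: score={score} fingerprinting={is_vm_fingerprinting(trace)} {dict(counts)}")
```

On a real host the same function can be fed the query text from Microsoft-Windows-WMI-Activity/Operational events (Event ID 5857/5858 carry the operation and namespace) grouped by client process ID, which is the grouping the sandbox gives you for free here.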
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: LisectAVT_2403002A_52.exeString found in binary or memory: menuStrip1/addCarToolStripMenuItemFile1addCarToolStripMenuItem1
                    Source: unknownProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe "C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe "C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe "C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: LisectAVT_2403002A_52.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_52.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: LisectAVT_2403002A_52.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: NutW.pdb source: LisectAVT_2403002A_52.exe
Source: Binary string: NutW.pdbSHA256 source: LisectAVT_2403002A_52.exe

Data Obfuscation

Source: 0.2.LisectAVT_2403002A_52.exe.24e6ddc.5.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, sTGsWV1GJpy2U01jre.cs | .Net Code: bedpVUiH9A System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, sTGsWV1GJpy2U01jre.cs | .Net Code: bedpVUiH9A System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_52.exe.4ea0000.10.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Code function: 3_2_0292FC18 pushad ; iretd 3_2_0292FC25
Source: LisectAVT_2403002A_52.exe | Static PE information: section name: .text entropy: 7.938114305059397
Source: 0.2.LisectAVT_2403002A_52.exe.24e6ddc.5.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_52.exe.24e6ddc.5.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_52.exe.24e6ddc.5.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_52.exe.24e6ddc.5.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_52.exe.24e6ddc.5.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, cwvQKyDxnEcX9Sjm00.cs | High entropy of concatenated method names: 'cXtOULGkDa', 'zaoOwsecr7', 'UckO7NiqDp', 'dR8OC7lf7F', 'VrkO1l8VhF', 'rAH7cQxQYZ', 'zW37n3VbvH', 'nxx7XsFpA5', 'QYb70ZZ4cG', 'kmJ7B1sFco'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, k8NhOcl5rOqbRfggyX.cs | High entropy of concatenated method names: 'nTqwLerMe0', 'snow8Wpt9k', 'Ck1web4iUc', 'naSwyOmAcd', 'KMnwcXCMnG', 'zEHwnrRlHv', 'SWkwXqbIQO', 'e7Uw02oNy5', 'RSdwBehWsH', 'NWWwPsxok3'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, rnhpVsnCEiRTBtwtqm.cs | High entropy of concatenated method names: 'vwwF0xlQTv', 'Q9YFPoLi9X', 'FgVfvdCPDA', 'Aj4ftpocQq', 'z0bFrMs3gE', 'eLXFHy2d3g', 'O6RF3d506M', 'd6fFLix3YG', 'xmAF8DKJBb', 'XUmFec1813'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, jtyTvsLf9tI9AhwFwh.cs | High entropy of concatenated method names: 'ynsAIr4JvN', 'JjuAH7yy5O', 'lqwALaK0RG', 'sDDA8iiaPM', 'iVtAZpF2SD', 'NjHAoDA9wv', 'wDOA5NfFn5', 'DtaAsKWxOQ', 's9vAjF7lYn', 'UVrAg8sQAH'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, x3mRGDwWxjLYWqRjsf.cs | High entropy of concatenated method names: 'Dispose', 'GXTtB81ZWQ', 'cq1iZVAi7i', 'gKcXXhkyHm', 'a1UtP5J5Ij', 'cJYtzITEd0', 'ProcessDialogKey', 'GJhivnF4FS', 'RbfitT6aKS', 'UkDiihKvRp'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, sTGsWV1GJpy2U01jre.cs | High entropy of concatenated method names: 'Pc1MU0JLQD', 'ogeMSU68a8', 'u5oMwhB9TZ', 'odcM64Lnsk', 'VunM7Nwgm8', 'CEuMOU87vA', 'e5dMCS8SgY', 'wTsM1h8ppF', 'AgoMqmGmka', 'YToM4cmmjj'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, vtVpcI3QeIQNZi94XK.cs | High entropy of concatenated method names: 'Vh3blRVOi1', 'K25bQEE6ZB', 'wNBbD2e6Kf', 'wqWbZIhZvv', 'sdcb5pcNrl', 'twqbs9NVyV', 'trRbgXVtYh', 'WRbbxFjIYK', 'ln4bIZ7ljZ', 'iribrIS8jP'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, Ka8GYCeSguLOLtbGZZ.cs | High entropy of concatenated method names: 'ToString', 'nCm9rLqfNG', 'kmU9ZYPusO', 'SaK9oxHJ5k', 'qIZ95l2LNf', 'CDJ9sptQUa', 'KV99ji9YKp', 'HcD9g92nqy', 'zgM9xOMay5', 'a6d9GcUPU6'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, Gm4U4CiUyxVFUNfNpN.cs | High entropy of concatenated method names: 'KnDVciAyL', 'FGYKBQbQg', 'XW2RjcN4e', 'uLqWk0Q5i', 'alQQ3SHLr', 'gNSadm9Jd', 'whoVx4lFsSvRDp7iou', 'xKHfOCh05wMgiKeVVZ', 'PcU6wpLEdnw625DB63', 'uEjfdPMFr'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, U75Q4DzeYpHacR6kuT.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'x3YdbPKULx', 'QahdA71TUX', 'b3ud91pGOb', 'lMUdFxLXKT', 'OdDdf1xUS0', 'u3GddxyEp6', 'IowdNCsH1w'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, gRl3VhpTXMQWoFwZ0t.cs | High entropy of concatenated method names: 'E11tC8NhOc', 'IrOt1qbRfg', 'cpit4QSYLn', 'AnLtm76OuD', 'XJhtAXJiwv', 'EKyt9xnEcX', 'xoCs05Ra4NwuVgp9Ml', 'Xdf9cLZIB1TJCR1SQD', 'VCDttdkykp', 'TKvtMVTWKN'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, wKvRpKP49bRtrPO2wC.cs | High entropy of concatenated method names: 'HbKdtM9Xmg', 'wgldMHNXGd', 'XZTdpxNqTM', 'YyPdSimobv', 'pJXdwu838a', 'KUid7Ua3Cs', 'WpmdO2usuo', 'KoDfXvM5V5', 'tfXf0shnaD', 'TNSfBv2W5T'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, wnF4FSB8bfT6aKSckD.cs | High entropy of concatenated method names: 'zZcfDDRi3t', 'aa0fZlwnnS', 'KMyfoACJso', 'HUJf5qLJyX', 'YJyfLXlYKl', 'oVnfsCanYr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, kZkSxiQpiQSYLnKnL7.cs | High entropy of concatenated method names: 'AWZ6KXED9K', 'EoJ6ROySrU', 'FOX6lqBpoY', 'SEC6QiRp9L', 'p2f6A9oYnc', 'KhD697kpiw', 'y3W6FPUdDk', 'h7h6flnxJy', 'TEg6dmQ7Sv', 'pZC6NW79F7'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, kU5J5I0jMJYITEd0DJ.cs | High entropy of concatenated method names: 'GRifSv2AfB', 'u3RfwLE3IP', 'ob5f66ykQ1', 'ID7f7W1ck1', 'KaLfOG7ca6', 'P5FfC3cJ4Z', 'RHcf1iw2JT', 'wmFfqBc0Tq', 'QoNf4dxUFp', 'FCcfm05q9x'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, hOuDDRaJp8KDL0JhXJ.cs | High entropy of concatenated method names: 'Gch7JqFp5I', 'inb7WcY2qT', 'bBA6oEp3WS', 'IWP65rItmx', 'faP6sXKDnb', 'B286j4b0Iw', 'kfY6gbt33l', 'B0s6xVejHO', 'qVD6GlaE0I', 'NaB6IP18Im'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, I0H9wMGQllVCk95xxN.cs | High entropy of concatenated method names: 'B0pCuFIjjg', 'pIFCEuEmjv', 'N36CVofQWx', 'qsRCKNA3je', 'GPdCJx0CDW', 'm9UCRxk541', 'dIPCWB7QYr', 'l60Cl0IU0M', 'bFkCQHBM1B', 'bejCaUWh8l'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, phlAM8tvxEdrjEIreQ9.cs | High entropy of concatenated method names: 'JImdu870Jr', 'yX2dEYlEPT', 'VIHdVxR4Nb', 'UCfdK4tdxc', 'kF6dJL0FAM', 'kZCdRlKdw1', 'vfUdWEvwPt', 'Jn4dlVA3g0', 'RK2dQI9CxZ', 'rgAdaoEDlh'
Source: 0.2.LisectAVT_2403002A_52.exe.38abc90.8.raw.unpack, GfT8QYtMO2flwXIqGe5.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jgONLa6Q3A', 'Y5ON8u9NFD', 'YSNNeBpVv1', 'jMKNyPKgno', 'Bp9NcihnQq', 'M4JNnQSwd0', 'h03NXJL11u'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, cwvQKyDxnEcX9Sjm00.cs | High entropy of concatenated method names: 'cXtOULGkDa', 'zaoOwsecr7', 'UckO7NiqDp', 'dR8OC7lf7F', 'VrkO1l8VhF', 'rAH7cQxQYZ', 'zW37n3VbvH', 'nxx7XsFpA5', 'QYb70ZZ4cG', 'kmJ7B1sFco'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, k8NhOcl5rOqbRfggyX.cs | High entropy of concatenated method names: 'nTqwLerMe0', 'snow8Wpt9k', 'Ck1web4iUc', 'naSwyOmAcd', 'KMnwcXCMnG', 'zEHwnrRlHv', 'SWkwXqbIQO', 'e7Uw02oNy5', 'RSdwBehWsH', 'NWWwPsxok3'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, rnhpVsnCEiRTBtwtqm.cs | High entropy of concatenated method names: 'vwwF0xlQTv', 'Q9YFPoLi9X', 'FgVfvdCPDA', 'Aj4ftpocQq', 'z0bFrMs3gE', 'eLXFHy2d3g', 'O6RF3d506M', 'd6fFLix3YG', 'xmAF8DKJBb', 'XUmFec1813'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, jtyTvsLf9tI9AhwFwh.cs | High entropy of concatenated method names: 'ynsAIr4JvN', 'JjuAH7yy5O', 'lqwALaK0RG', 'sDDA8iiaPM', 'iVtAZpF2SD', 'NjHAoDA9wv', 'wDOA5NfFn5', 'DtaAsKWxOQ', 's9vAjF7lYn', 'UVrAg8sQAH'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, x3mRGDwWxjLYWqRjsf.cs | High entropy of concatenated method names: 'Dispose', 'GXTtB81ZWQ', 'cq1iZVAi7i', 'gKcXXhkyHm', 'a1UtP5J5Ij', 'cJYtzITEd0', 'ProcessDialogKey', 'GJhivnF4FS', 'RbfitT6aKS', 'UkDiihKvRp'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, sTGsWV1GJpy2U01jre.cs | High entropy of concatenated method names: 'Pc1MU0JLQD', 'ogeMSU68a8', 'u5oMwhB9TZ', 'odcM64Lnsk', 'VunM7Nwgm8', 'CEuMOU87vA', 'e5dMCS8SgY', 'wTsM1h8ppF', 'AgoMqmGmka', 'YToM4cmmjj'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, vtVpcI3QeIQNZi94XK.cs | High entropy of concatenated method names: 'Vh3blRVOi1', 'K25bQEE6ZB', 'wNBbD2e6Kf', 'wqWbZIhZvv', 'sdcb5pcNrl', 'twqbs9NVyV', 'trRbgXVtYh', 'WRbbxFjIYK', 'ln4bIZ7ljZ', 'iribrIS8jP'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, Ka8GYCeSguLOLtbGZZ.cs | High entropy of concatenated method names: 'ToString', 'nCm9rLqfNG', 'kmU9ZYPusO', 'SaK9oxHJ5k', 'qIZ95l2LNf', 'CDJ9sptQUa', 'KV99ji9YKp', 'HcD9g92nqy', 'zgM9xOMay5', 'a6d9GcUPU6'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, Gm4U4CiUyxVFUNfNpN.cs | High entropy of concatenated method names: 'KnDVciAyL', 'FGYKBQbQg', 'XW2RjcN4e', 'uLqWk0Q5i', 'alQQ3SHLr', 'gNSadm9Jd', 'whoVx4lFsSvRDp7iou', 'xKHfOCh05wMgiKeVVZ', 'PcU6wpLEdnw625DB63', 'uEjfdPMFr'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, U75Q4DzeYpHacR6kuT.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'x3YdbPKULx', 'QahdA71TUX', 'b3ud91pGOb', 'lMUdFxLXKT', 'OdDdf1xUS0', 'u3GddxyEp6', 'IowdNCsH1w'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, gRl3VhpTXMQWoFwZ0t.cs | High entropy of concatenated method names: 'E11tC8NhOc', 'IrOt1qbRfg', 'cpit4QSYLn', 'AnLtm76OuD', 'XJhtAXJiwv', 'EKyt9xnEcX', 'xoCs05Ra4NwuVgp9Ml', 'Xdf9cLZIB1TJCR1SQD', 'VCDttdkykp', 'TKvtMVTWKN'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, wKvRpKP49bRtrPO2wC.cs | High entropy of concatenated method names: 'HbKdtM9Xmg', 'wgldMHNXGd', 'XZTdpxNqTM', 'YyPdSimobv', 'pJXdwu838a', 'KUid7Ua3Cs', 'WpmdO2usuo', 'KoDfXvM5V5', 'tfXf0shnaD', 'TNSfBv2W5T'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, wnF4FSB8bfT6aKSckD.cs | High entropy of concatenated method names: 'zZcfDDRi3t', 'aa0fZlwnnS', 'KMyfoACJso', 'HUJf5qLJyX', 'YJyfLXlYKl', 'oVnfsCanYr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, kZkSxiQpiQSYLnKnL7.cs | High entropy of concatenated method names: 'AWZ6KXED9K', 'EoJ6ROySrU', 'FOX6lqBpoY', 'SEC6QiRp9L', 'p2f6A9oYnc', 'KhD697kpiw', 'y3W6FPUdDk', 'h7h6flnxJy', 'TEg6dmQ7Sv', 'pZC6NW79F7'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, kU5J5I0jMJYITEd0DJ.cs | High entropy of concatenated method names: 'GRifSv2AfB', 'u3RfwLE3IP', 'ob5f66ykQ1', 'ID7f7W1ck1', 'KaLfOG7ca6', 'P5FfC3cJ4Z', 'RHcf1iw2JT', 'wmFfqBc0Tq', 'QoNf4dxUFp', 'FCcfm05q9x'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, hOuDDRaJp8KDL0JhXJ.cs | High entropy of concatenated method names: 'Gch7JqFp5I', 'inb7WcY2qT', 'bBA6oEp3WS', 'IWP65rItmx', 'faP6sXKDnb', 'B286j4b0Iw', 'kfY6gbt33l', 'B0s6xVejHO', 'qVD6GlaE0I', 'NaB6IP18Im'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, I0H9wMGQllVCk95xxN.cs | High entropy of concatenated method names: 'B0pCuFIjjg', 'pIFCEuEmjv', 'N36CVofQWx', 'qsRCKNA3je', 'GPdCJx0CDW', 'm9UCRxk541', 'dIPCWB7QYr', 'l60Cl0IU0M', 'bFkCQHBM1B', 'bejCaUWh8l'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, phlAM8tvxEdrjEIreQ9.cs | High entropy of concatenated method names: 'JImdu870Jr', 'yX2dEYlEPT', 'VIHdVxR4Nb', 'UCfdK4tdxc', 'kF6dJL0FAM', 'kZCdRlKdw1', 'vfUdWEvwPt', 'Jn4dlVA3g0', 'RK2dQI9CxZ', 'rgAdaoEDlh'
Source: 0.2.LisectAVT_2403002A_52.exe.6a70000.12.raw.unpack, GfT8QYtMO2flwXIqGe5.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jgONLa6Q3A', 'Y5ON8u9NFD', 'YSNNeBpVv1', 'jMKNyPKgno', 'Bp9NcihnQq', 'M4JNnQSwd0', 'h03NXJL11u'
Source: 0.2.LisectAVT_2403002A_52.exe.4ea0000.10.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
Source: 0.2.LisectAVT_2403002A_52.exe.4ea0000.10.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
Source: 0.2.LisectAVT_2403002A_52.exe.4ea0000.10.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
Source: 0.2.LisectAVT_2403002A_52.exe.4ea0000.10.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
Source: 0.2.LisectAVT_2403002A_52.exe.4ea0000.10.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_52.exe PID: 2748, type: MEMORYSTR
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: LisectAVT_2403002A_52.exe, 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: A90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 24C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 2300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 7240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 8240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 83F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 93F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 28A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 2950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: 4950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Window / User API: threadDelayed 2439
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Window / User API: threadDelayed 7394
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 2992 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99754s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99595s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99469s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99360s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99235s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99110s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98985s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98860s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -97360s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -97188s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -97035s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -96910s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -96782s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -96657s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -96532s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -96407s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -96282s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -96172s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -96063s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -95938s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99906s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99796s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99687s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99578s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99468s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99359s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99249s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99140s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -99031s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98902s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98796s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98577s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98248s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe TID: 1480 | Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99891
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99754
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99595
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99469
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99360
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99235
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99110
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98985
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98860
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98735
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98610
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98485
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98360
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98235
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98110
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 97985
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 97860
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 97735
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 97610
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 97485
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 97360
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 97188
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 97035
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 96910
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 96782
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 96657
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 96532
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 96407
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 96282
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 96172
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 96063
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 95938
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99906
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99796
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99687
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99578
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99468
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99359
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99249
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99140
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 99031
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98902
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98796
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98687
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98577
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98468
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98359
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98248
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98140
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Thread delayed: delay time: 98031
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBox
Source: LisectAVT_2403002A_52.exe, 00000003.00000002.4471765496.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Code function: 3_2_029271E8 CheckRemoteDebuggerPresent, 3_2_029271E8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe "C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.LisectAVT_2403002A_52.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.4472594984.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_52.exe PID: 2748, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_52.exe PID: 6380, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.LisectAVT_2403002A_52.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_52.exe PID: 2748, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_52.exe PID: 6380, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.LisectAVT_2403002A_52.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37e12d8.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.LisectAVT_2403002A_52.exe.37a4cb8.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.4472594984.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_52.exe PID: 2748, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_52.exe PID: 6380, type: MEMORYSTR
                    MITRE ATT&CK Matrix (rebuilt from the flattened 14-column matrix; the numeric prefix on a technique reproduces the count badge attached to it in the original matrix, and techniques without a prefix carry no badge)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: 231 Windows Management Instrumentation; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 261 Virtualization/Sandbox Evasion; 11 Process Injection
                    Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 531 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph (ID: 1482189; Sample: LisectAVT_2403002A_52.exe; Startdate: 25/07/2024; Architecture: WINDOWS; Score: 100)
                    Start node (2):
                    • DNS/IP: smtp.thanhancompony.com; ip-api.com; us2.smtp.mailhostbox.com
                    • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
                    • Started process 7: LisectAVT_2403002A_52.exe (3)
                    Process 7 (LisectAVT_2403002A_52.exe):
                    • Dropped file: C:\Users\...\LisectAVT_2403002A_52.exe.log, ASCII
                    • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    • Started process 11: LisectAVT_2403002A_52.exe (15, 2)
                    Process 11 (LisectAVT_2403002A_52.exe):
                    • DNS/IP: ip-api.com 208.95.112.1, 49707, 80, TUT-ASUS, United States; us2.smtp.mailhostbox.com 208.91.198.143, 49708, 49711, 49720, PUBLIC-DOMAIN-REGISTRYUS, United States
                    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures

                    Source | Detection | Scanner | Label | Link
                    LisectAVT_2403002A_52.exe | 100% | Avira | TR/Dropper.MSIL.lyrwn
                    LisectAVT_2403002A_52.exe | 100% | Joe Sandbox ML
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
                    http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                    http://ip-api.com | 0% | URL Reputation | safe
                    http://smtp.thanhancompony.com | 100% | Avira URL Cloud | malware
                    http://tempuri.org/Locations.xsdkServer=ARCHIT;Database=Sample;Trusted_Connection=TrueUPlease | 0% | Avira URL Cloud | safe
                    http://us2.smtp.mailhostbox.com | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | unknown
                    ip-api.com | 208.95.112.1 | true | true | | unknown
                    smtp.thanhancompony.com | unknown | unknown | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://smtp.thanhancompony.com | LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029B4000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    https://account.dyn.com/ | LisectAVT_2403002A_52.exe, 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://us2.smtp.mailhostbox.com | LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029B4000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029D6000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.00000000029C4000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002951000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | LisectAVT_2403002A_52.exe | false | URL Reputation: safe | unknown
                    http://tempuri.org/Locations.xsdkServer=ARCHIT;Database=Sample;Trusted_Connection=TrueUPlease | LisectAVT_2403002A_52.exe | false | Avira URL Cloud: safe | unknown
                    http://ip-api.com | LisectAVT_2403002A_52.exe, 00000003.00000002.4472594984.0000000002951000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.91.198.143 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                    208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1482189
                    Start date and time: 2024-07-25 19:16:56 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 8m 32s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed: 7
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: LisectAVT_2403002A_52.exe
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 86
                          • Number of non-executed functions: 8
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: LisectAVT_2403002A_52.exe
                    Time | Type | Description
                    13:17:42 | API Interceptor | 11256986x Sleep call for process: LisectAVT_2403002A_52.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    Match: 208.91.198.143
                    SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe | malicious | AgentTesla
                    8hOkq9mMQu.exe | malicious | AgentTesla, PureLog Stealer
                    Order List Pdf.exe | malicious | AgentTesla
                    payment order.exe | malicious | AgentTesla, PureLog Stealer
                    Mt103.exe | malicious | AgentTesla
                    PO-070724-WA00002.exe | malicious | AgentTesla
                    Swift Copy_98754.bat.exe | malicious | AgentTesla
                    Remittance Advice.exe | malicious | AgentTesla
                    Dhl_waybill#.exe | malicious | AgentTesla
                    z99WYGoGNBYnFW14sJ.exe | malicious | AgentTesla
                    Match: 208.95.112.1
                    LisectAVT_2403002B_109.exe | malicious | Blackshades | ip-api.com/json/
                    LisectAVT_2403002B_253.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    s6K4JjTwtz.exe | malicious | RHADAMANTHYS | ip-api.com/json
                    IrJIw2lsaB.msi | malicious | RHADAMANTHYS | ip-api.com/json
                    ptuNVk3HeK.exe | malicious | RHADAMANTHYS | ip-api.com/json
                    uf0VrlE1bR.exe | malicious | RHADAMANTHYS | ip-api.com/json
                    XaEvV3DPc7.exe | malicious | RHADAMANTHYS | ip-api.com/json
                    LisectAVT_2403002B_264.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
                    LisectAVT_2403002B_330.exe | malicious | AgentTesla, Bdaejec | ip-api.com/line/?fields=hosting
                    LisectAVT_2403002B_339.exe | malicious | AgentTesla, Bdaejec | ip-api.com/line/?fields=hosting
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    Match: us2.smtp.mailhostbox.com
                    SWIFT COPY.exe | malicious | AgentTesla | 208.91.199.224
                    LisectAVT_2403002B_465.exe | malicious | AgentTesla | 208.91.199.224
                    jRlq1fSUW5.exe | malicious | AgentTesla | 208.91.199.225
                    SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe | malicious | AgentTesla | 208.91.198.143
                    LCWGT83qLa.exe | malicious | AgentTesla | 208.91.199.223
                    IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | 208.91.199.225
                    winiti.exe | malicious | AgentTesla, PureLog Stealer | 208.91.199.225
                    8hOkq9mMQu.exe | malicious | AgentTesla, PureLog Stealer | 208.91.198.143
                    0RA0ngi2c2.exe | malicious | AgentTesla, PureLog Stealer | 208.91.199.225
                    5CxmQXL0LD.exe | malicious | SystemBC | 208.91.199.224
                    Match: ip-api.com
                    LisectAVT_2403002B_109.exe | malicious | Blackshades | 208.95.112.1
                    LisectAVT_2403002B_253.exe | malicious | AgentTesla | 208.95.112.1
                    s6K4JjTwtz.exe | malicious | RHADAMANTHYS | 208.95.112.1
                    IrJIw2lsaB.msi | malicious | RHADAMANTHYS | 208.95.112.1
                    ptuNVk3HeK.exe | malicious | RHADAMANTHYS | 208.95.112.1
                    uf0VrlE1bR.exe | malicious | RHADAMANTHYS | 208.95.112.1
                    XaEvV3DPc7.exe | malicious | RHADAMANTHYS | 208.95.112.1
                    LisectAVT_2403002B_264.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                    LisectAVT_2403002B_330.exe | malicious | AgentTesla, Bdaejec | 208.95.112.1
                    LisectAVT_2403002B_339.exe | malicious | AgentTesla, Bdaejec | 208.95.112.1
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    Match: PUBLIC-DOMAIN-REGISTRYUS
                    SWIFT COPY.exe | malicious | AgentTesla | 208.91.199.224
                    LisectAVT_2403002B_290.exe | malicious | Bdaejec | 74.119.239.234
                    LisectAVT_2403002B_465.exe | malicious | AgentTesla | 208.91.199.223
                    jRlq1fSUW5.exe | malicious | AgentTesla | 208.91.199.225
                    SecuriteInfo.com.Win32.PWSX-gen.14778.18726.exe | malicious | AgentTesla | 208.91.198.143
                    bJrO2iUerN.elf | malicious | Unknown | 204.11.58.71
                    PO#1164031.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 208.91.198.24
                    5RQ24SOW EPIRB_TOTAL Marine Services Ltd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 208.91.198.24
                    LCWGT83qLa.exe | malicious | AgentTesla | 208.91.199.223
                    https://www.google.com.au/url?q=//www.google.co.nz/amp/s/clientdevelopmentserver.com/secure/documentattached.html | malicious | HTMLPhisher | 207.174.215.2
                    Match: TUT-ASUS
                    LisectAVT_2403002B_109.exe | malicious | Blackshades | 208.95.112.1
                    LisectAVT_2403002B_253.exe | malicious | AgentTesla | 208.95.112.1
                    s6K4JjTwtz.exe | malicious | RHADAMANTHYS | 208.95.112.1
                    IrJIw2lsaB.msi | malicious | RHADAMANTHYS | 208.95.112.1
                    ptuNVk3HeK.exe | malicious | RHADAMANTHYS | 208.95.112.1
                    uf0VrlE1bR.exe | malicious | RHADAMANTHYS | 208.95.112.1
                    XaEvV3DPc7.exe | malicious | RHADAMANTHYS | 208.95.112.1
                    LisectAVT_2403002B_264.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                    LisectAVT_2403002B_330.exe | malicious | AgentTesla, Bdaejec | 208.95.112.1
                    LisectAVT_2403002B_339.exe | malicious | AgentTesla, Bdaejec | 208.95.112.1
                                              No context
                                              No context
                    Process: C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
                    File Type: ASCII text, with CRLF line terminators
                    Category: modified
                    Size (bytes): 1216
                    Entropy (8bit): 5.34331486778365
                    Encrypted: false
                    SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5: 1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious: true
                    Reputation: high, very likely benign file
                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.915152449015222
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                              • Win32 Executable (generic) a (10002005/4) 49.96%
                                              • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:LisectAVT_2403002A_52.exe
                                              File size:749'070 bytes
                                              MD5:52cb8bfa6bc3ffa539d9aba0ada28842
                                              SHA1:12421664688e01c7500cb7c82fc67672558c6ff3
                                              SHA256:dadafd098dc94e3706b0e84b36042b4dced32a372c4b086d85df4a23943b88ac
                                              SHA512:d7dd72353f4bdea1fd944a15bbb545405b1753d9442b0c59ca0446a52b07433b258c38a80d65ee23305c54d2b70c0e9d017c307326c8c404a6112f72605887d3
                                              SSDEEP:12288:0g4CMwp1SZUfek6vcaB5PXpPdJFyGn7xlfmE4RA36XbiiVWAmk:LSkeklaB/1/jdlfmQQF
                                              TLSH:5BF41262337C6A8BDABB8BB2986544024BF3F63E6036C6ED1CC160CD58E7F411B51A57
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..f..............0.............".... ........@.. ....................................@................................
                                              Icon Hash:8b193a9ce163268d
                                              Entrypoint:0x4aae22
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6600E97C [Mon Mar 25 03:03:24 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Signature Valid:
                                              Signature Issuer:
                                              Signature Validation Error:
                                              Error Number:
                                              Not Before, Not After
                                                Subject Chain
                                                  Version:
                                                  Thumbprint MD5:
                                                  Thumbprint SHA-1:
                                                  Thumbprint SHA-256:
                                                  Serial:
Instruction
jmp dword ptr [00402000h]        ; the entire native entry stub: VA 0x402000 is the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT, RVA 0x2000, size 8) holding mscoree.dll!_CorExeMain, which hands control to the CLR; the managed entry point is taken from the CLR header at RVA 0x2008 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
xor al, 35h                      ; from here on the disassembler has run past the 6-byte stub into non-code bytes
xor eax, 43465138h
push eax
xor eax, 38453452h
xor dl, byte ptr [ecx+eax*2+5Ah]
push esi
dec eax
dec eax
inc ebx
inc esp
add byte ptr [eax], al           ; this line was repeated 86 times in the listing: encoding 00 00, i.e. zero padding
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaadcf | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x90d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb3800 | 0x3608 | (none: for this entry the address is a file offset to the Authenticode certificate table, not an RVA, so it maps to no section)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa8a30 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa8e40 | 0xa9000 | 3b8d78bbb9c1872eaf1bd9b703aea172 | False | 0.939344778568787 | data | 7.938114305059397 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x90d8 | 0x9800 | 4e19ba2bcfe2e018676d318479f1ba9a | False | 0.9074064555921053 | data | 7.755276849963408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb6000 | 0xc | 0x800 | cc40599b564a8342ab791e4d0a5e5a23 | False | 0.015625 | data | 0.03037337037012526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xac100 | 0x899d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9775185216724858
RT_GROUP_ICON | 0xb4ab0 | 0x14 | data | | | 1.05
RT_VERSION | 0xb4ad4 | 0x404 | data | | | 0.4270428015564202
RT_MANIFEST | 0xb4ee8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
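The section table above is the static signal worth reproducing: a 0xa9000-byte executable .text section with entropy 7.94 (close to the 8.0 maximum) in an assembly whose only native import is mscoree.dll!_CorExeMain is the shape of a packed .NET loader, which is what the report's ".NET source code contains potential unpacker" signature also points at. The following is an added example, not code from Joe Sandbox or from the sample: a standard-library PE section parser that computes per-section Shannon entropy and raises the same kind of finding. The two PE images it runs on are constructed in memory (function build_sample_pe, section bodies PACKED_TEXT and PLAIN_TEXT); the analysed file is not embedded here, and the 7.0 threshold is an assumption, not a value taken from the report.

```python
"""Added example, not part of the Joe Sandbox report: read a PE section table
with only the standard library, compute per-section Shannon entropy and flag
the packed-loader pattern (executable section with near-8.0 entropy).
All PE images below are constructed in memory; the analysed sample is not here."""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers and
    return one dict per section, with the entropy of its raw bytes on disk."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from(COFF_HDR, image, coff)
    first_hdr = coff + struct.calcsize(COFF_HDR) + opt_size
    sections = []
    for i in range(nsec):
        (name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl,
         flags) = struct.unpack_from(SECTION_HDR, image, first_hdr + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "flags": flags, "entropy": shannon_entropy(raw)})
    return sections


def suspicious_sections(sections: list, threshold: float = 7.0) -> list:
    """Findings a reviewer would raise from the section table alone.
    The 7.0 bits/byte threshold is an assumption of this example."""
    findings = []
    for s in sections:
        executable = s["flags"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if executable and s["entropy"] >= threshold:
            findings.append(f'{s["name"]}: executable section with entropy {s["entropy"]:.2f}, '
                            f'{s["raw_size"]:#x} bytes on disk; packed or encrypted payload likely')
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f'{s["name"]}: {s["vsize"]:#x} bytes virtual but no raw data; filled at run time')
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed test data: a minimal PE32 image from (name, body, flags)
    tuples, 0x200 file alignment, 0x1000 section alignment, headers zero-padded."""
    file_align, sect_align = 0x200, 0x1000
    align = lambda n, a: (n + a - 1) // a * a
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # IMAGE_OPTIONAL_HEADER32 sans data dirs
    hdr_len = align(0x40 + 4 + struct.calcsize(COFF_HDR) + struct.calcsize(opt_fmt) + 128
                    + 40 * len(sections), file_align)
    raw_ptr, va, headers, bodies = hdr_len, sect_align, [], []
    for name, body, flags in sections:
        raw_size = align(len(body), file_align)
        headers.append(struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(body), va, raw_size,
                                   raw_ptr, 0, 0, 0, 0, flags))
        bodies.append(body.ljust(raw_size, b"\0"))
        raw_ptr += raw_size
        va += align(max(len(body), 1), sect_align)
    opt = struct.pack(opt_fmt, 0x10B, 14, 0,
                      0, 0, 0, sect_align, sect_align, 0, 0x400000, sect_align, file_align,
                      4, 0, 0, 0, 4, 0,
                      0, va, hdr_len, 0,
                      2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    image = dos + b"PE\0\0" + coff + opt + b"".join(headers)
    return image.ljust(hdr_len, b"\0") + b"".join(bodies)


# Constructed section bodies, not bytes from the analysed sample:
PACKED_TEXT = bytes(range(256)) * 16                        # every byte value equally likely -> entropy 8.0
PLAIN_TEXT = b"\x55\x8b\xec\x83\xc4\x10\x90\xc3" * 512      # 8 distinct opcode bytes -> entropy 3.0
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ


def analyse(image: bytes) -> tuple:
    """Return (sections, findings) for one PE image."""
    sections = parse_sections(image)
    return sections, suspicious_sections(sections)


if __name__ == "__main__":
    for label, body in (("packed", PACKED_TEXT), ("plain", PLAIN_TEXT)):
        secs, findings = analyse(build_sample_pe([(b".text", body, CODE), (b".reloc", b"\0" * 12, DATA)]))
        for s in secs:
            print(f'{label:6} {s["name"]:<7} va={s["va"]:#07x} vsize={s["vsize"]:#x} '
                  f'raw={s["raw_size"]:#x} entropy={s["entropy"]:.3f}')
        print(f"{label:6} findings: {findings or 'none'}")
```

Run against a real file, parse_sections(open(path, "rb").read()) reproduces the Virtual Address, Virtual Size, Raw Size and Entropy columns of the table above; the entropy is taken over the raw bytes on disk, which is the right measure for a packing check, whereas the run-time image would contain the unpacked payload.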
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T19:18:03.679925+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49712 | 40.68.123.157 | 192.168.2.5
2024-07-25T19:18:42.168834+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49719 | 40.68.123.157 | 192.168.2.5
Both alerts matched data sent from tcp/443 of 40.68.123.157 to the sandbox host, i.e. the server half of a TLS session whose payload the IDS cannot decrypt. A content-match rule firing on ciphertext is a false-positive pattern, and the CVE named in the rule concerns a Symantec CAB parser that nothing else in this report involves, so this alert needs corroboration before it is treated as exploitation.
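The packet table that follows is one row per packet, which hides the pattern a responder cares about: one plain-HTTP exchange with an external host (208.95.112.1:80, an address many unrelated samples in the context list also contact) followed by a series of separate, short connections from the sandbox host to 208.91.198.143 on tcp/587, the SMTP submission port, matching the report's verdict that the sample steals and mails credentials. The following is an added example, not code from Joe Sandbox: it folds rows of that table into per-connection flows and flags repeated mail-submission connections to one external server. The rows in SAMPLE_ROWS are copied from the report's table with the fields separated; the exfiltration heuristic (several distinct connections from an internal host to the same external mail-submission port) and the constants MAIL_SUBMISSION_PORTS and EPHEMERAL_MIN are this example's assumptions, not the sandbox's detection logic.

```python
"""Added example, not part of the Joe Sandbox report: turn a per-packet TCP
table into per-connection flows and flag repeated short SMTP-submission
(tcp/587) connections from an internal host to one external server.
Input rows are copied from the report's packet table; nothing here comes
from the malware itself, and the heuristic is this example's assumption."""
import ipaddress
from collections import defaultdict
from datetime import datetime

MAIL_SUBMISSION_PORTS = {25, 465, 587}   # assumption: ports that count as mail submission
EPHEMERAL_MIN = 49152                    # IANA dynamic range; Windows client ports start here

# Rows copied from the report's packet table, whitespace-separated for parsing.
SAMPLE_ROWS = """\
Jul 25, 2024 19:17:46.483983994 CEST 49707 80 192.168.2.5 208.95.112.1
Jul 25, 2024 19:17:46.493005991 CEST 80 49707 208.95.112.1 192.168.2.5
Jul 25, 2024 19:17:46.493086100 CEST 49707 80 192.168.2.5 208.95.112.1
Jul 25, 2024 19:17:46.493830919 CEST 49707 80 192.168.2.5 208.95.112.1
Jul 25, 2024 19:17:47.092885971 CEST 80 49707 208.95.112.1 192.168.2.5
Jul 25, 2024 19:17:48.085622072 CEST 49708 587 192.168.2.5 208.91.198.143
Jul 25, 2024 19:17:48.091141939 CEST 587 49708 208.91.198.143 192.168.2.5
Jul 25, 2024 19:17:48.816606998 CEST 49708 587 192.168.2.5 208.91.198.143
Jul 25, 2024 19:17:51.776667118 CEST 49708 587 192.168.2.5 208.91.198.143
Jul 25, 2024 19:17:51.788527966 CEST 49711 587 192.168.2.5 208.91.198.143
Jul 25, 2024 19:17:52.663439035 CEST 587 49711 208.91.198.143 192.168.2.5
Jul 25, 2024 19:17:55.772427082 CEST 49711 587 192.168.2.5 208.91.198.143
Jul 25, 2024 19:19:29.091939926 CEST 49720 587 192.168.2.5 208.91.198.143
Jul 25, 2024 19:19:32.849540949 CEST 49720 587 192.168.2.5 208.91.198.143
"""


def parse_row(line: str) -> tuple:
    """'Jul 25, 2024 19:17:46.483983994 CEST 49707 80 a.b.c.d e.f.g.h' ->
    (datetime, sport, dport, src, dst).  The nine fractional digits are cut
    to the six that strptime's %f accepts; the zone label is dropped."""
    mon, day, year, clock, _tz, sport, dport, src, dst = line.split()
    ts = datetime.strptime(f"{mon} {day} {year} {clock[:15]}", "%b %d, %Y %H:%M:%S.%f")
    return ts, int(sport), int(dport), src, dst


def flows_from_rows(text: str) -> dict:
    """Group packets into connections keyed by (client, cport, server, sport).
    The client is the side on an ephemeral port, so both directions of one
    connection land in the same bucket, with per-direction packet counts."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = parse_row(line)
        if sport >= EPHEMERAL_MIN and dport < EPHEMERAL_MIN:
            key, outbound = (src, sport, dst, dport), True
        else:
            key, outbound = (dst, dport, src, sport), False
        f = flows.setdefault(key, {"first": ts, "last": ts, "out": 0, "in": 0})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f["out" if outbound else "in"] += 1
    return flows


def flag_mail_exfil(flows: dict, min_connections: int = 2) -> list:
    """Heuristic (this example's, not the sandbox's): several distinct
    connections from one internal host to the same external mail-submission
    port.  A mail client keeps one session open; a stealer opens a fresh
    session for every report it sends."""
    by_server = defaultdict(list)
    for (client, _cport, server, sport), f in flows.items():
        if (sport in MAIL_SUBMISSION_PORTS and ipaddress.ip_address(client).is_private
                and not ipaddress.ip_address(server).is_private):
            by_server[(client, server, sport)].append(f)
    findings = []
    for (client, server, sport), conns in by_server.items():
        if len(conns) >= min_connections:
            conns.sort(key=lambda f: f["first"])
            findings.append({"client": client, "server": server, "port": sport,
                             "connections": len(conns),
                             "span_seconds": (conns[-1]["last"] - conns[0]["first"]).total_seconds()})
    return findings


if __name__ == "__main__":
    flows = flows_from_rows(SAMPLE_ROWS)
    for (client, cport, server, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        dur = (f["last"] - f["first"]).total_seconds()
        print(f"{client}:{cport} -> {server}:{sport}  out={f['out']} in={f['in']}  {dur:.3f}s")
    for finding in flag_mail_exfil(flows):
        print("FLAG", finding)
```

Feeding the full table below through flows_from_rows gives one flow per client port (49707, 49708, 49711, 49720 through 49724); every 587 flow lasts a few seconds, which is what a one-message SMTP session looks like, and the 49707 flow is reused once, about 51 seconds later, for a second HTTP request to the same host.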
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 19:17:46.483983994 CEST | 49707 | 80 | 192.168.2.5 | 208.95.112.1
Jul 25, 2024 19:17:46.493005991 CEST | 80 | 49707 | 208.95.112.1 | 192.168.2.5
Jul 25, 2024 19:17:46.493086100 CEST | 49707 | 80 | 192.168.2.5 | 208.95.112.1
Jul 25, 2024 19:17:46.493830919 CEST | 49707 | 80 | 192.168.2.5 | 208.95.112.1
Jul 25, 2024 19:17:46.502398968 CEST | 80 | 49707 | 208.95.112.1 | 192.168.2.5
Jul 25, 2024 19:17:47.092885971 CEST | 80 | 49707 | 208.95.112.1 | 192.168.2.5
Jul 25, 2024 19:17:47.143152952 CEST | 49707 | 80 | 192.168.2.5 | 208.95.112.1
Jul 25, 2024 19:17:48.085622072 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:48.091141939 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:48.091209888 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:48.816313982 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:48.816606998 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:48.821921110 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:48.982152939 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:48.983150959 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:48.988136053 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:49.175451040 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:49.175721884 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:49.180844069 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:51.392841101 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:51.393059015 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:51.398575068 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:51.561068058 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:51.561269045 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:51.566451073 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:51.760955095 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:51.767947912 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:51.776587963 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:51.776667118 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:51.788527966 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:51.797761917 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:51.797851086 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:52.663439035 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:52.663640022 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:52.664175034 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:52.664237022 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:52.669482946 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:52.829381943 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:52.829596043 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:52.835753918 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:52.989850044 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:52.990263939 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:53.000786066 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:55.407084942 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:55.407335997 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:55.419941902 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:55.578852892 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:55.579051018 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:55.584444046 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:55.765598059 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:55.766254902 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:17:55.772351980 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:17:55.772427082 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:18:37.705845118 CEST | 49707 | 80 | 192.168.2.5 | 208.95.112.1
Jul 25, 2024 19:18:37.712671041 CEST | 80 | 49707 | 208.95.112.1 | 192.168.2.5
Jul 25, 2024 19:18:37.712780952 CEST | 49707 | 80 | 192.168.2.5 | 208.95.112.1
Jul 25, 2024 19:19:29.091939926 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:29.097337961 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:29.099621058 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:29.662892103 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:29.663526058 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:29.669321060 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:30.130865097 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:30.131197929 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:30.131546021 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:30.131632090 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:30.139596939 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:30.292591095 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:30.293013096 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:30.297874928 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:32.498332024 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:32.505477905 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:32.510318041 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:32.662017107 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:32.665705919 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:32.671672106 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:32.840616941 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:32.841180086 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:32.847368956 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:32.849540949 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:39.950237989 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:40.363784075 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:40.363945007 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:41.269342899 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:41.269584894 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:41.269702911 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:41.269884109 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:41.274960995 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:41.446901083 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:41.447071075 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:41.452702045 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:41.613581896 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:41.613826990 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:41.618647099 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:43.332592010 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:43.335664034 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:43.340538979 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:43.497304916 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:43.497589111 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:43.502693892 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:43.775619030 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:43.775917053 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:43.794966936 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:43.795020103 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:52.924412966 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:52.929861069 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:52.929961920 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:53.518883944 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:53.519040108 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:53.524415016 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:53.682846069 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:53.682990074 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:53.687809944 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:57.841155052 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:57.841419935 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:57.846259117 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:59.338958025 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:59.339984894 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:59.345957994 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:59.525849104 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:59.525981903 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:59.530983925 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:59.700208902 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:59.700404882 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:19:59.707586050 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:19:59.707637072 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:01.921853065 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:01.927107096 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:01.927187920 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:02.498034000 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:02.498264074 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:02.503249884 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:02.658258915 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:02.658469915 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:02.664283037 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:02.818344116 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:02.821337938 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:02.826276064 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:03.737283945 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:03.756431103 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:03.756557941 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:03.800414085 CEST | 49724 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:03.806313992 CEST | 587 | 49724 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:03.806394100 CEST | 49724 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:04.364473104 CEST | 587 | 49724 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:04.364665985 CEST | 49724 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:04.371001005 CEST | 587 | 49724 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:04.539583921 CEST | 587 | 49724 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:04.540036917 CEST | 49724 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:04.550626993 CEST | 587 | 49724 | 208.91.198.143 | 192.168.2.5
Jul 25, 2024 19:20:04.658833027 CEST | 49724 | 587 | 192.168.2.5 | 208.91.198.143
Jul 25, 2024 19:20:04.665088892 CEST | 587 | 49724 | 208.91.198.143 | 192.168.2.5
                                                  Jul 25, 2024 19:20:04.665180922 CEST49724587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:04.716042042 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:04.727154016 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:04.727926016 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:05.283797979 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:05.283982038 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:05.289621115 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:05.442523956 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:05.442713022 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:05.449321032 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:05.603177071 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:05.603348970 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:05.608551979 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:07.339443922 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:07.341741085 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:07.346689939 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:07.558235884 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:07.558419943 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:07.563608885 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:07.733979940 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:07.734544992 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:07.741249084 CEST58749725208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:07.741327047 CEST49725587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:15.885550976 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:15.890743971 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:15.890819073 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:16.517530918 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:16.520664930 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:16.525562048 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:16.686058998 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:16.686285019 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:16.691338062 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:16.853066921 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:16.853295088 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:16.858401060 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:18.786267996 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:18.786597013 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:18.792310953 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:18.792612076 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:18.792666912 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:18.954289913 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:18.954842091 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:18.960227966 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:19.140961885 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:19.141760111 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:19.148045063 CEST58749726208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:19.148262024 CEST49726587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:24.423126936 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:24.428019047 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:24.428093910 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:25.103842020 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:25.103969097 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:25.115987062 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:25.317955017 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:25.318209887 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:25.324116945 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:25.480125904 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:25.480405092 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:25.486815929 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:27.317506075 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:27.371870041 CEST49728587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:27.627456903 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:27.679671049 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:27.679714918 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:27.679725885 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:27.679763079 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:27.689640045 CEST58749728208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:27.689651966 CEST58749727208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:27.689708948 CEST49728587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:27.689735889 CEST49727587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:28.261765003 CEST58749728208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:28.261874914 CEST49728587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:28.266669035 CEST58749728208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:28.432954073 CEST58749728208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:28.433098078 CEST49728587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:28.443720102 CEST58749728208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:28.604074955 CEST58749728208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:28.605648041 CEST49728587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:28.619245052 CEST58749728208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:29.518157005 CEST49728587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:29.524426937 CEST58749728208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:29.524513960 CEST49728587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:29.578933001 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:29.583789110 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:29.583859921 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:30.162595034 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:30.162786961 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:30.167839050 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:30.321820021 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:30.321975946 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:30.327518940 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:30.491468906 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:30.493690968 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:30.506489992 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:32.378535986 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:32.378798962 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:32.395066023 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:32.621088028 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:32.625514984 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:32.672940969 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:32.822891951 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:32.829509974 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:32.836242914 CEST58749729208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:32.836379051 CEST49729587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:38.062024117 CEST49730587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:38.067166090 CEST58749730208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:38.067240000 CEST49730587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:38.656832933 CEST58749730208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:38.661516905 CEST49730587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:38.669656038 CEST58749730208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:38.838748932 CEST58749730208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:38.840092897 CEST49730587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:38.854499102 CEST58749730208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.002557039 CEST49730587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.011456013 CEST58749730208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.011732101 CEST49730587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.014200926 CEST58749730208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.014329910 CEST49730587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.067564011 CEST49731587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.076725006 CEST58749731208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.079823971 CEST49731587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.252568007 CEST49731587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.258425951 CEST58749731208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.258517981 CEST49731587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.344031096 CEST49732587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.350970984 CEST58749732208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.351063013 CEST49732587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.580732107 CEST49732587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.589992046 CEST58749732208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.593059063 CEST58749732208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.593102932 CEST49732587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.686054945 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:39.691606045 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:39.691679955 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:40.247836113 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:40.247982025 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:40.253129959 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:40.414540052 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:40.414746046 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:40.460366011 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:40.619743109 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:40.620315075 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:40.625111103 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:42.354418039 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:42.354573011 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:42.368243933 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:42.526681900 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:42.531781912 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:42.537410975 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:42.739706039 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:42.747585058 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:42.758022070 CEST58749733208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:42.764326096 CEST49733587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:47.135844946 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:47.140932083 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:47.141071081 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:47.811508894 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:47.811672926 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:47.818537951 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:47.979518890 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:47.984751940 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:47.991075993 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:48.148386002 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:48.148616076 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:48.154035091 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:50.364067078 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:50.364218950 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:50.371648073 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:50.537293911 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:50.537606001 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:50.565689087 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:50.741770029 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:50.742049932 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:20:50.747849941 CEST58749734208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:20:50.747977972 CEST49734587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:00.385030031 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:00.405003071 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:00.405138969 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:01.004905939 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:01.005194902 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:01.012388945 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:01.168024063 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:01.168342113 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:01.173284054 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:01.328331947 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:01.328686953 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:01.333571911 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:03.538322926 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:03.538857937 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:03.544189930 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:03.704817057 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:03.705012083 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:03.714416981 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:03.888133049 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:03.888514996 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:03.894730091 CEST58749735208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:03.894788980 CEST49735587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:13.611346960 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:13.616614103 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:13.616908073 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:14.254731894 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:14.254928112 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:14.261231899 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:14.460799932 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:14.461024046 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:14.481415987 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:14.672751904 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:14.673049927 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:14.678500891 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:16.378689051 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:16.378885031 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:16.384968042 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:16.859947920 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:16.860127926 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:16.865880966 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:16.866045952 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:16.872083902 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:17.054963112 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:17.055315971 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:17.065757990 CEST58749736208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:17.065871000 CEST49736587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:25.423506975 CEST49737587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:25.429198027 CEST58749737208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:25.429456949 CEST49737587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:26.385333061 CEST58749737208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:26.385489941 CEST49737587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:26.387170076 CEST58749737208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:26.387221098 CEST49737587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:26.828413010 CEST58749737208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:26.828526020 CEST49737587192.168.2.5208.91.198.143
                                                  Jul 25, 2024 19:21:26.839493036 CEST58749737208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:26.990353107 CEST58749737208.91.198.143192.168.2.5
                                                  Jul 25, 2024 19:21:26.993752003 CEST49737587192.168.2.5208.91.198.143
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 19:17:46.015358925 CEST | 62189 | 53 | 192.168.2.5 | 1.1.1.1
Jul 25, 2024 19:17:46.477129936 CEST | 53 | 62189 | 1.1.1.1 | 192.168.2.5
Jul 25, 2024 19:17:47.698205948 CEST | 49244 | 53 | 192.168.2.5 | 1.1.1.1
Jul 25, 2024 19:17:48.052699089 CEST | 53 | 49244 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 19:17:46.015358925 CEST | 192.168.2.5 | 1.1.1.1 | 0x8b18 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jul 25, 2024 19:17:47.698205948 CEST | 192.168.2.5 | 1.1.1.1 | 0x3cf0 | Standard query (0) | smtp.thanhancompony.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 19:17:46.477129936 CEST | 1.1.1.1 | 192.168.2.5 | 0x8b18 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 19:17:48.052699089 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cf0 | No error (0) | smtp.thanhancompony.com | us2.smtp.mailhostbox.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 25, 2024 19:17:48.052699089 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cf0 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.198.143 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 19:17:48.052699089 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cf0 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.223 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 19:17:48.052699089 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cf0 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.225 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 19:17:48.052699089 CEST | 1.1.1.1 | 192.168.2.5 | 0x3cf0 | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.224 | A (IP address) | IN (0x0001) | false

• ip-api.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 208.95.112.1 | 80 | 6380 | C:\Users\user\Desktop\LisectAVT_2403002A_52.exe

Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 19:17:46.493830919 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Jul 25, 2024 19:17:47.092885971 CEST | 175 | IN | HTTP/1.1 200 OK
    Date: Thu, 25 Jul 2024 17:17:46 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 25, 2024 19:17:48.816313982 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:17:48.816606998 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:17:48.982152939 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:17:48.983150959 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:17:49.175451040 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:17:51.392841101 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:17:51.393059015 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143 | MAIL FROM:<holger.werth@thanhancompony.com>
Jul 25, 2024 19:17:51.561068058 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5 | 250 2.1.0 Ok
Jul 25, 2024 19:17:51.561269045 CEST | 49708 | 587 | 192.168.2.5 | 208.91.198.143 | RCPT TO:<accounts@scorpi0ship.com>
Jul 25, 2024 19:17:51.760955095 CEST | 587 | 49708 | 208.91.198.143 | 192.168.2.5 | 554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
Jul 25, 2024 19:17:52.663439035 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:17:52.663640022 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:17:52.664175034 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:17:52.829381943 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:17:52.829596043 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:17:52.989850044 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:17:55.407084942 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:17:55.407335997 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143 | MAIL FROM:<holger.werth@thanhancompony.com>
Jul 25, 2024 19:17:55.578852892 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5 | 250 2.1.0 Ok
Jul 25, 2024 19:17:55.579051018 CEST | 49711 | 587 | 192.168.2.5 | 208.91.198.143 | RCPT TO:<accounts@scorpi0ship.com>
Jul 25, 2024 19:17:55.765598059 CEST | 587 | 49711 | 208.91.198.143 | 192.168.2.5 | 554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
Jul 25, 2024 19:19:29.662892103 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:19:29.663526058 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:19:30.130865097 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:19:30.131197929 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:19:30.131546021 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:19:30.292591095 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:19:32.498332024 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:19:32.505477905 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143 | MAIL FROM:<holger.werth@thanhancompony.com>
Jul 25, 2024 19:19:32.662017107 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5 | 250 2.1.0 Ok
Jul 25, 2024 19:19:32.665705919 CEST | 49720 | 587 | 192.168.2.5 | 208.91.198.143 | RCPT TO:<accounts@scorpi0ship.com>
Jul 25, 2024 19:19:32.840616941 CEST | 587 | 49720 | 208.91.198.143 | 192.168.2.5 | 554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
Jul 25, 2024 19:19:41.269342899 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:19:41.269584894 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:19:41.269702911 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:19:41.446901083 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:19:41.447071075 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:19:41.613581896 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:19:43.332592010 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:19:43.335664034 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143 | MAIL FROM:<holger.werth@thanhancompony.com>
Jul 25, 2024 19:19:43.497304916 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5 | 250 2.1.0 Ok
Jul 25, 2024 19:19:43.497589111 CEST | 49721 | 587 | 192.168.2.5 | 208.91.198.143 | RCPT TO:<accounts@scorpi0ship.com>
Jul 25, 2024 19:19:43.775619030 CEST | 587 | 49721 | 208.91.198.143 | 192.168.2.5 | 554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
Jul 25, 2024 19:19:53.518883944 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:19:53.519040108 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:19:53.682846069 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:19:53.682990074 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:19:57.841155052 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:19:59.338958025 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:19:59.339984894 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143 | MAIL FROM:<holger.werth@thanhancompony.com>
Jul 25, 2024 19:19:59.525849104 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5 | 250 2.1.0 Ok
Jul 25, 2024 19:19:59.525981903 CEST | 49722 | 587 | 192.168.2.5 | 208.91.198.143 | RCPT TO:<accounts@scorpi0ship.com>
Jul 25, 2024 19:19:59.700208902 CEST | 587 | 49722 | 208.91.198.143 | 192.168.2.5 | 554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
Jul 25, 2024 19:20:02.498034000 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:20:02.498264074 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:20:02.658258915 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:20:02.658469915 CEST | 49723 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:20:02.818344116 CEST | 587 | 49723 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:20:04.364473104 CEST | 587 | 49724 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:20:04.364665985 CEST | 49724 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:20:04.539583921 CEST | 587 | 49724 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:20:04.540036917 CEST | 49724 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:20:05.283797979 CEST | 587 | 49725 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:20:05.283982038 CEST | 49725 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:20:05.442523956 CEST | 587 | 49725 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:20:05.442713022 CEST | 49725 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:20:05.603177071 CEST | 587 | 49725 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:20:07.339443922 CEST | 587 | 49725 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:20:07.341741085 CEST | 49725 | 587 | 192.168.2.5 | 208.91.198.143 | MAIL FROM:<holger.werth@thanhancompony.com>
Jul 25, 2024 19:20:07.558235884 CEST | 587 | 49725 | 208.91.198.143 | 192.168.2.5 | 250 2.1.0 Ok
Jul 25, 2024 19:20:07.558419943 CEST | 49725 | 587 | 192.168.2.5 | 208.91.198.143 | RCPT TO:<accounts@scorpi0ship.com>
Jul 25, 2024 19:20:07.733979940 CEST | 587 | 49725 | 208.91.198.143 | 192.168.2.5 | 554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
Jul 25, 2024 19:20:16.517530918 CEST | 587 | 49726 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:20:16.520664930 CEST | 49726 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:20:16.686058998 CEST | 587 | 49726 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:20:16.686285019 CEST | 49726 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:20:16.853066921 CEST | 587 | 49726 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:20:18.786267996 CEST | 587 | 49726 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:20:18.786597013 CEST | 49726 | 587 | 192.168.2.5 | 208.91.198.143 | MAIL FROM:<holger.werth@thanhancompony.com>
Jul 25, 2024 19:20:18.792310953 CEST | 587 | 49726 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:20:18.954289913 CEST | 587 | 49726 | 208.91.198.143 | 192.168.2.5 | 250 2.1.0 Ok
Jul 25, 2024 19:20:18.954842091 CEST | 49726 | 587 | 192.168.2.5 | 208.91.198.143 | RCPT TO:<accounts@scorpi0ship.com>
Jul 25, 2024 19:20:19.140961885 CEST | 587 | 49726 | 208.91.198.143 | 192.168.2.5 | 554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
Jul 25, 2024 19:20:25.103842020 CEST | 587 | 49727 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:20:25.103969097 CEST | 49727 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:20:25.317955017 CEST | 587 | 49727 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:20:25.318209887 CEST | 49727 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:20:25.480125904 CEST | 587 | 49727 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:20:27.679671049 CEST | 587 | 49727 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:20:27.679714918 CEST | 587 | 49727 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:20:28.261765003 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:20:28.261874914 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:20:28.432954073 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:20:28.433098078 CEST | 49728 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:20:28.604074955 CEST | 587 | 49728 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:20:30.162595034 CEST | 587 | 49729 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:20:30.162786961 CEST | 49729 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:20:30.321820021 CEST | 587 | 49729 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Jul 25, 2024 19:20:30.321975946 CEST | 49729 | 587 | 192.168.2.5 | 208.91.198.143 | AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
Jul 25, 2024 19:20:30.491468906 CEST | 587 | 49729 | 208.91.198.143 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Jul 25, 2024 19:20:32.378535986 CEST | 587 | 49729 | 208.91.198.143 | 192.168.2.5 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jul 25, 2024 19:20:32.378798962 CEST | 49729 | 587 | 192.168.2.5 | 208.91.198.143 | MAIL FROM:<holger.werth@thanhancompony.com>
Jul 25, 2024 19:20:32.621088028 CEST | 587 | 49729 | 208.91.198.143 | 192.168.2.5 | 250 2.1.0 Ok
Jul 25, 2024 19:20:32.625514984 CEST | 49729 | 587 | 192.168.2.5 | 208.91.198.143 | RCPT TO:<accounts@scorpi0ship.com>
Jul 25, 2024 19:20:32.822891951 CEST | 587 | 49729 | 208.91.198.143 | 192.168.2.5 | 554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
Jul 25, 2024 19:20:38.656832933 CEST | 587 | 49730 | 208.91.198.143 | 192.168.2.5 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jul 25, 2024 19:20:38.661516905 CEST | 49730 | 587 | 192.168.2.5 | 208.91.198.143 | EHLO 701188
Jul 25, 2024 19:20:38.838748932 CEST | 587 | 49730 | 208.91.198.143 | 192.168.2.5 | 250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Jul 25, 2024 19:20:38.840092897 CEST49730587192.168.2.5208.91.198.143AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
                                                  Jul 25, 2024 19:20:39.011456013 CEST58749730208.91.198.143192.168.2.5334 UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:20:40.247836113 CEST58749733208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:20:40.247982025 CEST49733587192.168.2.5208.91.198.143EHLO 701188
                                                  Jul 25, 2024 19:20:40.414540052 CEST58749733208.91.198.143192.168.2.5250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Jul 25, 2024 19:20:40.414746046 CEST49733587192.168.2.5208.91.198.143AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
                                                  Jul 25, 2024 19:20:40.619743109 CEST58749733208.91.198.143192.168.2.5334 UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:20:42.354418039 CEST58749733208.91.198.143192.168.2.5535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:20:42.354573011 CEST49733587192.168.2.5208.91.198.143MAIL FROM:<holger.werth@thanhancompony.com>
                                                  Jul 25, 2024 19:20:42.526681900 CEST58749733208.91.198.143192.168.2.5250 2.1.0 Ok
                                                  Jul 25, 2024 19:20:42.531781912 CEST49733587192.168.2.5208.91.198.143RCPT TO:<accounts@scorpi0ship.com>
                                                  Jul 25, 2024 19:20:42.739706039 CEST58749733208.91.198.143192.168.2.5554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
                                                  Jul 25, 2024 19:20:47.811508894 CEST58749734208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:20:47.811672926 CEST49734587192.168.2.5208.91.198.143EHLO 701188
                                                  Jul 25, 2024 19:20:47.979518890 CEST58749734208.91.198.143192.168.2.5250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Jul 25, 2024 19:20:47.984751940 CEST49734587192.168.2.5208.91.198.143AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
                                                  Jul 25, 2024 19:20:48.148386002 CEST58749734208.91.198.143192.168.2.5334 UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:20:50.364067078 CEST58749734208.91.198.143192.168.2.5535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:20:50.364218950 CEST49734587192.168.2.5208.91.198.143MAIL FROM:<holger.werth@thanhancompony.com>
                                                  Jul 25, 2024 19:20:50.537293911 CEST58749734208.91.198.143192.168.2.5250 2.1.0 Ok
                                                  Jul 25, 2024 19:20:50.537606001 CEST49734587192.168.2.5208.91.198.143RCPT TO:<accounts@scorpi0ship.com>
                                                  Jul 25, 2024 19:20:50.741770029 CEST58749734208.91.198.143192.168.2.5554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
                                                  Jul 25, 2024 19:21:01.004905939 CEST58749735208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:21:01.005194902 CEST49735587192.168.2.5208.91.198.143EHLO 701188
                                                  Jul 25, 2024 19:21:01.168024063 CEST58749735208.91.198.143192.168.2.5250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Jul 25, 2024 19:21:01.168342113 CEST49735587192.168.2.5208.91.198.143AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
                                                  Jul 25, 2024 19:21:01.328331947 CEST58749735208.91.198.143192.168.2.5334 UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:03.538322926 CEST58749735208.91.198.143192.168.2.5535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:03.538857937 CEST49735587192.168.2.5208.91.198.143MAIL FROM:<holger.werth@thanhancompony.com>
                                                  Jul 25, 2024 19:21:03.704817057 CEST58749735208.91.198.143192.168.2.5250 2.1.0 Ok
                                                  Jul 25, 2024 19:21:03.705012083 CEST49735587192.168.2.5208.91.198.143RCPT TO:<accounts@scorpi0ship.com>
                                                  Jul 25, 2024 19:21:03.888133049 CEST58749735208.91.198.143192.168.2.5554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
                                                  Jul 25, 2024 19:21:14.254731894 CEST58749736208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:21:14.254928112 CEST49736587192.168.2.5208.91.198.143EHLO 701188
                                                  Jul 25, 2024 19:21:14.460799932 CEST58749736208.91.198.143192.168.2.5250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Jul 25, 2024 19:21:14.461024046 CEST49736587192.168.2.5208.91.198.143AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
                                                  Jul 25, 2024 19:21:14.672751904 CEST58749736208.91.198.143192.168.2.5334 UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:16.378689051 CEST58749736208.91.198.143192.168.2.5535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:16.378885031 CEST49736587192.168.2.5208.91.198.143MAIL FROM:<holger.werth@thanhancompony.com>
                                                  Jul 25, 2024 19:21:16.859947920 CEST58749736208.91.198.143192.168.2.5250 2.1.0 Ok
                                                  Jul 25, 2024 19:21:16.860127926 CEST49736587192.168.2.5208.91.198.143RCPT TO:<accounts@scorpi0ship.com>
                                                  Jul 25, 2024 19:21:16.865880966 CEST58749736208.91.198.143192.168.2.5250 2.1.0 Ok
                                                  Jul 25, 2024 19:21:17.054963112 CEST58749736208.91.198.143192.168.2.5554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
                                                  Jul 25, 2024 19:21:26.385333061 CEST58749737208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:21:26.385489941 CEST49737587192.168.2.5208.91.198.143EHLO 701188
                                                  Jul 25, 2024 19:21:26.387170076 CEST58749737208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:21:26.828413010 CEST58749737208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:21:26.990353107 CEST58749737208.91.198.143192.168.2.5250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Jul 25, 2024 19:21:26.993752003 CEST49737587192.168.2.5208.91.198.143AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
                                                  Jul 25, 2024 19:21:27.155898094 CEST58749737208.91.198.143192.168.2.5334 UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:29.172308922 CEST58749737208.91.198.143192.168.2.5535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:29.173795938 CEST49737587192.168.2.5208.91.198.143MAIL FROM:<holger.werth@thanhancompony.com>
                                                  Jul 25, 2024 19:21:29.339230061 CEST58749737208.91.198.143192.168.2.5250 2.1.0 Ok
                                                  Jul 25, 2024 19:21:29.341702938 CEST49737587192.168.2.5208.91.198.143RCPT TO:<accounts@scorpi0ship.com>
                                                  Jul 25, 2024 19:21:29.524669886 CEST58749737208.91.198.143192.168.2.5554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
                                                  Jul 25, 2024 19:21:34.763938904 CEST58749738208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:21:34.769622087 CEST49738587192.168.2.5208.91.198.143EHLO 701188
                                                  Jul 25, 2024 19:21:34.941061020 CEST58749738208.91.198.143192.168.2.5250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Jul 25, 2024 19:21:34.944675922 CEST49738587192.168.2.5208.91.198.143AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
                                                  Jul 25, 2024 19:21:35.221143961 CEST58749738208.91.198.143192.168.2.5334 UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:37.561686993 CEST58749738208.91.198.143192.168.2.5535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:37.564413071 CEST49738587192.168.2.5208.91.198.143MAIL FROM:<holger.werth@thanhancompony.com>
                                                  Jul 25, 2024 19:21:37.728533030 CEST58749738208.91.198.143192.168.2.5250 2.1.0 Ok
                                                  Jul 25, 2024 19:21:37.728876114 CEST49738587192.168.2.5208.91.198.143RCPT TO:<accounts@scorpi0ship.com>
                                                  Jul 25, 2024 19:21:37.904254913 CEST58749738208.91.198.143192.168.2.5554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
                                                  Jul 25, 2024 19:21:38.185183048 CEST58749738208.91.198.143192.168.2.5554 5.7.1 <accounts@scorpi0ship.com>: Relay access denied
                                                  Jul 25, 2024 19:21:53.512001991 CEST58749739208.91.198.143192.168.2.5220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                  Jul 25, 2024 19:21:53.512162924 CEST49739587192.168.2.5208.91.198.143EHLO 701188
                                                  Jul 25, 2024 19:21:53.712277889 CEST58749739208.91.198.143192.168.2.5250-us2.outbound.mailhostbox.com
                                                  250-PIPELINING
                                                  250-SIZE 41648128
                                                  250-VRFY
                                                  250-ETRN
                                                  250-STARTTLS
                                                  250-AUTH PLAIN LOGIN
                                                  250-AUTH=PLAIN LOGIN
                                                  250-ENHANCEDSTATUSCODES
                                                  250-8BITMIME
                                                  250-DSN
                                                  250 CHUNKING
                                                  Jul 25, 2024 19:21:53.712527990 CEST49739587192.168.2.5208.91.198.143AUTH login aG9sZ2VyLndlcnRoQHRoYW5oYW5jb21wb255LmNvbQ==
                                                  Jul 25, 2024 19:21:53.891038895 CEST58749739208.91.198.143192.168.2.5334 UGFzc3dvcmQ6
                                                  Jul 25, 2024 19:21:55.198633909 CEST58749739208.91.198.143192.168.2.5535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6

                                                  Target ID:0
                                                  Start time:13:17:42
                                                  Start date:25/07/2024
                                                  Path:C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"
                                                  Imagebase:0xc0000
                                                  File size:749'070 bytes
                                                  MD5 hash:52CB8BFA6BC3FFA539D9ABA0ADA28842
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2020608917.000000000369E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:13:17:44
                                                  Start date:25/07/2024
                                                  Path:C:\Users\user\Desktop\LisectAVT_2403002A_52.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_52.exe"
                                                  Imagebase:0x710000
                                                  File size:749'070 bytes
                                                  MD5 hash:52CB8BFA6BC3FFA539D9ABA0ADA28842
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4472594984.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4472594984.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4471130246.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                    Execution Graph

                                                    Execution Coverage:9%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:93
                                                    Total number of Limit Nodes:6

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 00A9D4DE
                                                    • GetCurrentThread.KERNEL32 ref: 00A9D51B
                                                    • GetCurrentProcess.KERNEL32 ref: 00A9D558
                                                    • GetCurrentThreadId.KERNEL32 ref: 00A9D5B1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 1dd4c21d384d5a50f6d1a26e010594a2b8f4c571c105f1487a39346866618ba2
                                                    • Instruction ID: 3f8c13207e850eb2b8e82898dc7a4e55402a101bfef207500507d7895c970002
                                                    • Opcode Fuzzy Hash: 1dd4c21d384d5a50f6d1a26e010594a2b8f4c571c105f1487a39346866618ba2
                                                    • Instruction Fuzzy Hash: 455165B09013498FDB14DFA9D548B9EBFF1FF89304F20846DE419A7260D778A984CB65

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 00A9D4DE
                                                    • GetCurrentThread.KERNEL32 ref: 00A9D51B
                                                    • GetCurrentProcess.KERNEL32 ref: 00A9D558
                                                    • GetCurrentThreadId.KERNEL32 ref: 00A9D5B1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: b9324b948f37010bca382e22e546569b05a2fe450869fada3f67ee7ac83b533a
                                                    • Instruction ID: cd68783b6a939ebaaf7f627c98fd588688dfbf130c8b636d348aef4c75b10865
                                                    • Opcode Fuzzy Hash: b9324b948f37010bca382e22e546569b05a2fe450869fada3f67ee7ac83b533a
                                                    • Instruction Fuzzy Hash: 325145B09003498FDB14DFA9D548B9EBBF5FF88314F208469E419A7360D778A984CB65

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00A9B426
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 7d76c78cd4d957505a91c240aad11ef8077b9d5ed0e6ce224553a826e074befd
                                                    • Instruction ID: b72a1b1a6326419ed8e468514d73419e21136215d79e17240632b3c10c8752e1
                                                    • Opcode Fuzzy Hash: 7d76c78cd4d957505a91c240aad11ef8077b9d5ed0e6ce224553a826e074befd
                                                    • Instruction Fuzzy Hash: 9A715970A10B058FDB24DF6AD24479ABBF5FF88300F10892DD44ADBA50DB75E945CBA1

                                                     Control-flow Graph
                                                    control_flow_graph 439 a958ec-a959b9 CreateActCtxA 441 a959bb-a959c1 439->441 442 a959c2-a95a1c 439->442 441->442 449 a95a2b-a95a2f 442->449 450 a95a1e-a95a21 442->450 451 a95a31-a95a3d 449->451 452 a95a40 449->452 450->449 451->452 453 a95a41 452->453 453->453
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00A959A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 5df0d26c84b832a4e64f71e543c4204b79af28c221258845e9ecf3814e68233a
                                                    • Instruction ID: 084b024c3e0a4c2b4514c39705c9d5eb4a2aeb69ec78570e0be47e4a8a38bf93
                                                    • Opcode Fuzzy Hash: 5df0d26c84b832a4e64f71e543c4204b79af28c221258845e9ecf3814e68233a
                                                    • Instruction Fuzzy Hash: 8D4100B0D00619CBDB25DFA9C888B8DBBF1BF48304F20816AD409AB255DB756946CF90

                                                     Control-flow Graph
                                                    control_flow_graph 455 a944e0-a959b9 CreateActCtxA 458 a959bb-a959c1 455->458 459 a959c2-a95a1c 455->459 458->459 466 a95a2b-a95a2f 459->466 467 a95a1e-a95a21 459->467 468 a95a31-a95a3d 466->468 469 a95a40 466->469 467->466 468->469 470 a95a41 469->470 470->470
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00A959A9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 20626bfc663181d81eeca9a75d84cb092bb90700fb236e67bf12a3d2948368a2
                                                    • Instruction ID: 5f6e9b604ff011c39d9ae33e91a0284010001c3e9a39b3b08c54c7551b73a8f6
                                                    • Opcode Fuzzy Hash: 20626bfc663181d81eeca9a75d84cb092bb90700fb236e67bf12a3d2948368a2
                                                    • Instruction Fuzzy Hash: 1341FFB0D00719CBDB25DFA9C888B9DBBF5BF49304F20806AD409AB255DBB56946CF90

                                                     Control-flow Graph
                                                    control_flow_graph 472 a9d6a0-a9d73c DuplicateHandle 473 a9d73e-a9d744 472->473 474 a9d745-a9d762 472->474 473->474
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A9D72F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 926df0433af4367025a460ff8569a84f9b1e19875ac78ff5ea98f46f03d4d6ec
                                                    • Instruction ID: 027c5ed2330edd0d59305355bbccbabf82f71e408f56b92358d8fbad70823816
                                                    • Opcode Fuzzy Hash: 926df0433af4367025a460ff8569a84f9b1e19875ac78ff5ea98f46f03d4d6ec
                                                    • Instruction Fuzzy Hash: 5721E5B59002499FDB10CF9AD984ADEFFF5EB48310F14841AE918A7350D378A945CFA4

                                                     Control-flow Graph
                                                    control_flow_graph 477 a9d6a8-a9d73c DuplicateHandle 478 a9d73e-a9d744 477->478 479 a9d745-a9d762 477->479 478->479
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A9D72F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 3948bd4a4708c853c8a8dcaf83a075fd803369852203ec22f9b01e6a9afb2522
                                                    • Instruction ID: 8265bb5a16947dc22f61d5b37da4160b27a229d4adc558a361d380135bed91be
                                                    • Opcode Fuzzy Hash: 3948bd4a4708c853c8a8dcaf83a075fd803369852203ec22f9b01e6a9afb2522
                                                    • Instruction Fuzzy Hash: 0221D5B59002489FDB10CF9AD584ADEFFF9FB48310F14841AE918A3350D378A944CFA5

                                                     Control-flow Graph
                                                    control_flow_graph 482 a9aee8-a9b688 484 a9b68a-a9b68d 482->484 485 a9b690-a9b6bf LoadLibraryExW 482->485 484->485 486 a9b6c8-a9b6e5 485->486 487 a9b6c1-a9b6c7 485->487 487->486
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9B4A1,00000800,00000000,00000000), ref: 00A9B6B2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: f991a8e0ba8b147487634ee93121c22d81770a9361fe03dd3ccfa2ad00854879
                                                    • Instruction ID: 7a9af7b1418fe41b0705a0045e47d58d97f24645057f9589fa63e729b681d215
                                                    • Opcode Fuzzy Hash: f991a8e0ba8b147487634ee93121c22d81770a9361fe03dd3ccfa2ad00854879
                                                    • Instruction Fuzzy Hash: A61123B69003489FDB20DF9AD544AEEFBF5EB48320F10842EE519A7300C379A945CFA4

                                                     Control-flow Graph
                                                    control_flow_graph 490 a9b641-a9b688 491 a9b68a-a9b68d 490->491 492 a9b690-a9b6bf LoadLibraryExW 490->492 491->492 493 a9b6c8-a9b6e5 492->493 494 a9b6c1-a9b6c7 492->494 494->493
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9B4A1,00000800,00000000,00000000), ref: 00A9B6B2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 8d732d95d1a4947073f3427d4d51a0d8f5ed1f22fc1925d8ff9e392d1a21f9b9
                                                    • Instruction ID: 9b4962795f4012f4164ce03f2dc390e835dd5bec6c21e651c4446d3dc557d40b
                                                    • Opcode Fuzzy Hash: 8d732d95d1a4947073f3427d4d51a0d8f5ed1f22fc1925d8ff9e392d1a21f9b9
                                                    • Instruction Fuzzy Hash: D41114B69002498FDB10CF9AD544AEEFBF5EB48310F10842ED519A7250C379A545CFA4

                                                     Control-flow Graph
                                                    control_flow_graph 497 23537b0-23537b6 498 23537be-235381d FindCloseChangeNotification 497->498 499 23537b8-23537bd 497->499 500 2353826-235384e 498->500 501 235381f-2353825 498->501 499->498 501->500
                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 02353810
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019906928.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2350000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: 1004caa641f2a022414c4e7b5fece4296e8e17cf6f7bd91954833cee665620ae
                                                    • Instruction ID: b3a1480d05ce9c08646b98c354c14cfceb4a31f3971814c7bba257145917361e
                                                    • Opcode Fuzzy Hash: 1004caa641f2a022414c4e7b5fece4296e8e17cf6f7bd91954833cee665620ae
                                                    • Instruction Fuzzy Hash: C21122B58003599FCB20DF9AC545BEEBBF4EB48320F20845AD958A7340D338A984CFA5

                                                     Control-flow Graph
                                                    control_flow_graph 504 23514d0-2351542 PostMessageW 505 2351544-235154a 504->505 506 235154b-235155f 504->506 505->506
                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 02351535
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019906928.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2350000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: f091dd0761ceed454a51576e2f25820517ac743706e520a300fd05a9c8ddfd76
                                                    • Instruction ID: 1073ceeff51d62b61f017329ac03949c8c634cee4e93706b5b904c53d64359d6
                                                    • Opcode Fuzzy Hash: f091dd0761ceed454a51576e2f25820517ac743706e520a300fd05a9c8ddfd76
                                                    • Instruction Fuzzy Hash: A511F5B58003599FCB10DF9AD485BDEBBF4EB49320F108419D558A7600C379A585CFA1
                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 02353810
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019906928.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2350000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: d6669ee89d31bf093e6e535acd820d59425e2e2ca5ef9d77e211a1966088fb82
                                                    • Instruction ID: b631588d01c4900568ca458b566d65b62196276c61d92f8bebf3ac99d8995452
                                                    • Opcode Fuzzy Hash: d6669ee89d31bf093e6e535acd820d59425e2e2ca5ef9d77e211a1966088fb82
                                                    • Instruction Fuzzy Hash: 2E1103B58003498FCB20DF9AC545BDEBBF4EB48320F10845AD958A7340D778A984CFA5

                                                     Control-flow Graph
                                                    control_flow_graph 508 a9b3c0-a9b400 509 a9b408-a9b433 GetModuleHandleW 508->509 510 a9b402-a9b405 508->510 511 a9b43c-a9b450 509->511 512 a9b435-a9b43b 509->512 510->509 512->511
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00A9B426
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 4f730a7e863e2d1de1a6dae33d5daeb734b6e0806299aece42d9118807c0a729
                                                    • Instruction ID: 7580cfe6b47b799c21f78b4a1bd1db9f85aa223163048ba523835a7407f8c4c5
                                                    • Opcode Fuzzy Hash: 4f730a7e863e2d1de1a6dae33d5daeb734b6e0806299aece42d9118807c0a729
                                                    • Instruction Fuzzy Hash: 8211DFB5D003498FCB10DF9AD544A9EFBF5EF89320F14841AD419A7611C379A545CFA1
                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 02351535
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019906928.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2350000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: ac5e04e86fae5e1f73a28d35f16ab92cd4f4be4667ee563b62023988cc2cffae
                                                    • Instruction ID: 69e3bf4d6070284b69f0393926c0375858c00324e1306749a0065f56ab216f44
                                                    • Opcode Fuzzy Hash: ac5e04e86fae5e1f73a28d35f16ab92cd4f4be4667ee563b62023988cc2cffae
                                                    • Instruction Fuzzy Hash: F811D3B58003499FDB10DF9AD585BDEFBF8EB48324F108859D959A7600C379A984CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019427112.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_83d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 82c3ddcb827e03e277e893cc6ef36a52256cce1a194defd81ec7820d390f1202
                                                    • Instruction ID: aaba33ba2396cd114f2740150f04f87b25d65f36dba68bd329f0034b6f0dacb6
                                                    • Opcode Fuzzy Hash: 82c3ddcb827e03e277e893cc6ef36a52256cce1a194defd81ec7820d390f1202
                                                    • Instruction Fuzzy Hash: 2421ED72504304DFCB059F54E980B2BBF65FBC8314F20C5A9ED098B256C37AE816DBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019427112.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_83d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 062600fc151727b143b220084f1f6537e4fe76bf1ed5de783458a7e153401e79
                                                    • Instruction ID: 96f82da653aa1eb862eb4f59d78a74cf3d98740764903e954b66a553c5ee76a2
                                                    • Opcode Fuzzy Hash: 062600fc151727b143b220084f1f6537e4fe76bf1ed5de783458a7e153401e79
                                                    • Instruction Fuzzy Hash: ED21FF72600344DFCB05DF24E980B26BF65FBD8318F20C569E9098A256C33AD816DAE2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019452308.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1255f0c37f7d3709508fadd0c6570abdb475fdf9169e0c345d819314d43f8552
                                                    • Instruction ID: bb94f1fae26ab1f41062fbe23a75c8eb4d45d0be57605e85f1b2fe312aa41b20
                                                    • Opcode Fuzzy Hash: 1255f0c37f7d3709508fadd0c6570abdb475fdf9169e0c345d819314d43f8552
                                                    • Instruction Fuzzy Hash: 82210771604308DFDB05DF14D5C0F26BBA5FB84318F20C66DE9098B356C3BAE806CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019452308.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bbfdf2b6165eaf3ff2f8b23d7676513fc42410e5a5e4a83b5a43f8996132368f
                                                    • Instruction ID: 554a169839916f9c8c648161095499ce3767c264ef0e6c0e98eec5f610d38075
                                                    • Opcode Fuzzy Hash: bbfdf2b6165eaf3ff2f8b23d7676513fc42410e5a5e4a83b5a43f8996132368f
                                                    • Instruction Fuzzy Hash: EF21F271604708DFCB14DF24D984B26BF65FB98318F20C56DD90A8B396C33AD807CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019427112.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_83d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                                    • Instruction ID: 775b0165d28740963cb83949c41d5fe4bdd06fde18e0bb0777ae40e409e87e2c
                                                    • Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                                    • Instruction Fuzzy Hash: 73219D76504240DFDB06CF50D9C4B16BF72FB88314F24C5A9DD494B656C37AE82ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019427112.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_83d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction ID: e56f73e22e019ad1cf11ac91b6f2adf0e15f232bb3108850483d928ce0545e63
                                                    • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                    • Instruction Fuzzy Hash: 8911D376504380CFCB16CF14D5C4B16BF71FB98314F24C6A9D9494B656C33AD85ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019452308.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction ID: e8943fc29a1ea5ada68c0ced86e59a803d320b321918c33cd7634dfdbbed63b1
                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction Fuzzy Hash: 9111BB75504784CFCB16CF14D5C4B15BBA2FB88314F24C6AAD8498B656C33AD80ACBA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019452308.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_84d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction ID: c3facd596391d38d1a25f93af182ae1a114f18029e88765694cce6077d22857d
                                                    • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                    • Instruction Fuzzy Hash: 9D11BB75504384DFCB02CF10C5C4B15BBA2FB84314F24C6A9D8498B296C37AE80ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019427112.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_83d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9abf765dd5f5ed0b5f8e13bd2c4fc13ccc24ac6d24039e9593262d06d2d36ff5
                                                    • Instruction ID: 65d2cb2d848d7ebfadb6e16ccc7b483c197252aacb7636343c4e78340d54c615
                                                    • Opcode Fuzzy Hash: 9abf765dd5f5ed0b5f8e13bd2c4fc13ccc24ac6d24039e9593262d06d2d36ff5
                                                    • Instruction Fuzzy Hash: C101D6710053449AE7209E2ADD84B67BF9CFFC6364F18C52AED198A286D27D9C41CAF1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019427112.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_83d000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d385b590a6ff033e5d936b5492c3d6e0dd17b52f01a4bc82aff8cde2eb4c11a
                                                    • Instruction ID: 39773122fd2e58d060d5df6da4c8460e645268ffd143fac40e929ddab7bebec1
                                                    • Opcode Fuzzy Hash: 7d385b590a6ff033e5d936b5492c3d6e0dd17b52f01a4bc82aff8cde2eb4c11a
                                                    • Instruction Fuzzy Hash: 7BF06271405344AAE7108E16D888B66FF98FF95734F18C45AED485A386C2799C44CAB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019906928.0000000002350000.00000040.00000800.00020000.00000000.sdmp, Offset: 02350000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2350000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7a02e3207998c72fab9dff223169072d606bbec4aad1c6894883f63295c3a9e
                                                    • Instruction ID: 9353fd6b784b82c30497ed4adc3ce74cac969ccbe7fd39bb4198afceb2a7bd71
                                                    • Opcode Fuzzy Hash: d7a02e3207998c72fab9dff223169072d606bbec4aad1c6894883f63295c3a9e
                                                    • Instruction Fuzzy Hash: 66D1AA307017108FDB29DB75C550BAFB7FAAF89744F1444AAD90ACB291DB35E902CB92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2019745369.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a90000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a1c4673d300b1723950353581a9dce8b66200dde6f6528488e1264b884dce36
                                                    • Instruction ID: 56bef68c6e3afae2387bf1767018a6902182e436e3df2b5507f12a2cd667b854
                                                    • Opcode Fuzzy Hash: 0a1c4673d300b1723950353581a9dce8b66200dde6f6528488e1264b884dce36
                                                    • Instruction Fuzzy Hash: 31A13936F002058FCF05DFA5C9845AEB7F2FF89300B15857AE905AB266DB71E955CB40

                                                    Execution Graph

                                                    Execution Coverage:13.3%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:8.3%
                                                    Total number of Nodes:36
                                                    Total number of Limit Nodes:4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-3723351465
                                                    • Opcode ID: 1de42cc663ce9795d8232f9bf729dc4439c96cbab078090e903867b08d9e00e2
                                                    • Instruction ID: c31e8305fedbb94a93970f2de0d8c902a70264e5a06529100f204be574ddfcbb
                                                    • Opcode Fuzzy Hash: 1de42cc663ce9795d8232f9bf729dc4439c96cbab078090e903867b08d9e00e2
                                                    • Instruction Fuzzy Hash: A6D25D30E002058FDB64EF68C594A9DB7F6FF89304F6485A9E449AB355EB30ED85CB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-3723351465
                                                    • Opcode ID: 6dda700ca17e64147910acb871b84b7743c28d56db1ec12266e7cc2793d43f16
                                                    • Instruction ID: 33c51643b497d90caa91fa5f46e10fb45c6b56670b6774f773e34bedc9fcf729
                                                    • Opcode Fuzzy Hash: 6dda700ca17e64147910acb871b84b7743c28d56db1ec12266e7cc2793d43f16
                                                    • Instruction Fuzzy Hash: BC526030E002098FDF64EF69D5907AEB7B6EF85310F248929E405EB395DA34DD86CB91

                                                    Control-flow Graph

                                                    APIs
                                                    • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0292725F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4472512381.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2920000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: CheckDebuggerPresentRemote
                                                    • String ID: ]
                                                    • API String ID: 3662101638-3352871620
                                                    • Opcode ID: 70d0748de830d895958c60359038613799f170f37efe9fc048318d7f8240b29b
                                                    • Instruction ID: 971f50c3647402a7c52331c5f4edbf0bc0c84ace3b09c33e03c4afbb0095e08c
                                                    • Opcode Fuzzy Hash: 70d0748de830d895958c60359038613799f170f37efe9fc048318d7f8240b29b
                                                    • Instruction Fuzzy Hash: 3D2125B18012598FCB10CFAAD584BEEFBF8BF49310F14845AE459B3250D778A944CFA1

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q
                                                    • API String ID: 0-127220927
                                                    • Opcode ID: 0e01d36ea62d6fa7d077e2b8da20e476bb04df70b1b19caa537567a8e991391d
                                                    • Instruction ID: 8263fa77f0b95172a01105a4a19b8d6e2c284c2590e2160dc119fd7425119f6d
                                                    • Opcode Fuzzy Hash: 0e01d36ea62d6fa7d077e2b8da20e476bb04df70b1b19caa537567a8e991391d
                                                    • Instruction Fuzzy Hash: BA02BF30B002099FDB54EF68D990AAEB7E6FF84344F148529D809DB395EB35EC46CB91

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $
                                                    • API String ID: 0-3993045852
                                                    • Opcode ID: ac0494434afaba36032a2d47e7e57f76dbdedab3917ce6e032e6be21736ff90d
                                                    • Instruction ID: 7a51d064d35df8bda6890297dc3f02deba7ce9d87c6ec3129faeea4c2891154c
                                                    • Opcode Fuzzy Hash: ac0494434afaba36032a2d47e7e57f76dbdedab3917ce6e032e6be21736ff90d
                                                    • Instruction Fuzzy Hash: 2B22D635F002159FDF60EFA4C4806AEBBB2EF85310F24846AD84AAB354DB35DD46CB91
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fe7201725f1332e3542fd53169f84028351d4b8667ae142f8aba554bb976a375
                                                    • Instruction ID: 0ff793d8940fe77b65d621d92fc1405d56a6a74e0b5104c2f04c66c6ace6c7f4
                                                    • Opcode Fuzzy Hash: fe7201725f1332e3542fd53169f84028351d4b8667ae142f8aba554bb976a375
                                                    • Instruction Fuzzy Hash: 56629F34B002048FDB54EF68D594AADBBF6EF89314F148469E806DB395DB35EC46CB90
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2f61f1878cb4069eb03b8a6efc0fa56e90dc95df9e88b131e66992327377a8a
                                                    • Instruction ID: 76ad6d56d35471aa9805f4bb94aa812a63646c5d403ca31df1c2b7c06b2c9df3
                                                    • Opcode Fuzzy Hash: a2f61f1878cb4069eb03b8a6efc0fa56e90dc95df9e88b131e66992327377a8a
                                                    • Instruction Fuzzy Hash: 94329030B112099FDF54EF68D980BAEBBB6EB88310F108525D805EB395DB35EC52CB91

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-1273862796
                                                    • Opcode ID: 3d8a3537f0a703a82f6c12858f4c1cef08d05bd89d6b59b575ce4e6a7fd3e460
                                                    • Instruction ID: e7c3cd275c966dbf568384531e0dce611181b6867fb53745990d8bd1b513479e
                                                    • Opcode Fuzzy Hash: 3d8a3537f0a703a82f6c12858f4c1cef08d05bd89d6b59b575ce4e6a7fd3e460
                                                    • Instruction Fuzzy Hash: D1E19130E102099FCF69EFA8D5906AEB7B6EF85301F108529D819EB358DB34DC46CB91

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q
                                                    • API String ID: 0-858218434
                                                    • Opcode ID: 566ecd69cf1faf85252c1afe67c8131610f3d1f29f47951e8580246f172390ee
                                                    • Instruction ID: ce2775fcad406d5b923642d53f0cd6eb904d8e454013641efa348a624ac3963d
                                                    • Opcode Fuzzy Hash: 566ecd69cf1faf85252c1afe67c8131610f3d1f29f47951e8580246f172390ee
                                                    • Instruction Fuzzy Hash: 2B916130B4420A9FDB54EF65D950BAFB7F6AF89340F108565C80DEB348EE309D468B91

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q
                                                    • API String ID: 0-182748909
                                                    • Opcode ID: 5f0ebb0ffdd5c49eb9461de9ef5c4fc39b3b224e0912917a78f239b4fb3ff375
                                                    • Instruction ID: 47d8987b1859dc924eb5dc33f76eeb795e57e9ce0e00fb7bd22b2fd8a133f186
                                                    • Opcode Fuzzy Hash: 5f0ebb0ffdd5c49eb9461de9ef5c4fc39b3b224e0912917a78f239b4fb3ff375
                                                    • Instruction Fuzzy Hash: 27626E30A013098FCB55EF68E580A5EB7B6FF85304F208929D4059F369DB75ED8ACB91

                                                    Control-flow Graph (first basic block 6644c50-6644c74; rendered graph with executed/not-executed colouring and full edge list omitted)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: fbq$XPbq$\Obq
                                                    • API String ID: 0-4057264190
                                                    • Opcode ID: fa164939f089d97f8bee0b6aeb1ce7ff475a552012c5f7d5f234d4cefb10f691
                                                    • Instruction ID: 80cad97936f3d1e7b511cbe43ee2f35f108706416e6272817c8a5f9dc3dbb40f
                                                    • Opcode Fuzzy Hash: fa164939f089d97f8bee0b6aeb1ce7ff475a552012c5f7d5f234d4cefb10f691
                                                    • Instruction Fuzzy Hash: C5618030F002189FDB54AFA8C8557AEBAF6FF88300F208429E506AB395DF758D458B51

                                                    Control-flow Graph (first basic block 29271e1-292726c, calls CheckRemoteDebuggerPresent; rendered graph with executed/not-executed colouring and full edge list omitted)
                                                    APIs
                                                    • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0292725F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4472512381.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2920000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: CheckDebuggerPresentRemote
                                                    • String ID: ]
                                                    • API String ID: 3662101638-3352871620
                                                    • Opcode ID: 0dc65a758338b95da29005257d7a64a7ff9b9819f81088d582219b13b67402db
                                                    • Instruction ID: c391cc55d4e5655f5adff5088828c2d64c8fe12bc7886e685a2a5616d9c2749d
                                                    • Opcode Fuzzy Hash: 0dc65a758338b95da29005257d7a64a7ff9b9819f81088d582219b13b67402db
                                                    • Instruction Fuzzy Hash: F32139B18012598FCB10CFAAD4447EEFBF4FF49320F14845AE458A7290D7389944CF61

                                                    Control-flow Graph (first basic block 292f3d7-292f464, calls GlobalMemoryStatusEx; rendered graph with executed/not-executed colouring and full edge list omitted)
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 0292F457
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4472512381.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2920000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID: ]
                                                    • API String ID: 1890195054-3352871620
                                                    • Opcode ID: 3cc62fcb6d9f6c61a0948d6e01561285adb7c03efa101c0c9e9e5b1d8b7b0b47
                                                    • Instruction ID: c4980f11cbf70d447fbd5ac1978a2515a12bb878717a39d6c5aa9deeb9387b8e
                                                    • Opcode Fuzzy Hash: 3cc62fcb6d9f6c61a0948d6e01561285adb7c03efa101c0c9e9e5b1d8b7b0b47
                                                    • Instruction Fuzzy Hash: 942122B1C006599FCB10CFAAD545B9EFBF4BF08314F14856AD418B7641D378A944CFA1

                                                    Control-flow Graph (first basic block 292f3f0-292f464, calls GlobalMemoryStatusEx; rendered graph with executed/not-executed colouring and full edge list omitted)
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 0292F457
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4472512381.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Offset: 02920000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_2920000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID: ]
                                                    • API String ID: 1890195054-3352871620
                                                    • Opcode ID: 777c33ba4b3b45c5ff9be255d10a9809679972fcfc1053b937e9adaee0163e4b
                                                    • Instruction ID: 1f6ea405e2ce6fa34673f36066c0a7ea97b8963b69c884ad711b0be9e3aa47d1
                                                    • Opcode Fuzzy Hash: 777c33ba4b3b45c5ff9be255d10a9809679972fcfc1053b937e9adaee0163e4b
                                                    • Instruction Fuzzy Hash: 7B11E2B1C006599BCB10DF9AD544B9EFBF4BF49324F14816AD818A7240D778A944CFA5

                                                    Control-flow Graph (first basic block 6649209-664923d; rendered graph with executed/not-executed colouring and full edge list omitted)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q
                                                    • API String ID: 0-127220927
                                                    • Opcode ID: 4c94048f4a126cdda335b5f55ef8657d63c8c4eb693ea7ee8eb6eb90f4a94592
                                                    • Instruction ID: c5c2920c0b1b0257531bcfc60b10e40d23ec612366b941f8d699e45648b789a2
                                                    • Opcode Fuzzy Hash: 4c94048f4a126cdda335b5f55ef8657d63c8c4eb693ea7ee8eb6eb90f4a94592
                                                    • Instruction Fuzzy Hash: 9B516030B142059FDB55EF78D950BAF77F6AB88740F108569D80DDB388EE309C468BA1

                                                    Control-flow Graph (first basic block 6644c20-6644c74; rendered graph with executed/not-executed colouring and full edge list omitted)
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: fbq$XPbq
                                                    • API String ID: 0-2292610095
                                                    • Opcode ID: 3ede0bcf92f8e564e6ebe87a6dff99b5bdabd93e2966131bb962065ee546e8d8
                                                    • Instruction ID: c82958819cdb0b8eb83e9009873f6d4fac6b15077b2b4f9150fb8ba49a2ab914
                                                    • Opcode Fuzzy Hash: 3ede0bcf92f8e564e6ebe87a6dff99b5bdabd93e2966131bb962065ee546e8d8
                                                    • Instruction Fuzzy Hash: F5518E70F002589FDB559FA8C855B9EBBF6EF88700F20842AE505AB395DE758C068B91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PH]q
                                                    • API String ID: 0-3168235125
                                                    • Opcode ID: cb4627bd7be384f5027b37eb714deb81b9d277233a11ab32fae1201d3796119b
                                                    • Instruction ID: fc5ce4b1369dd58ddd7990dc1af6ff41e8cd00ec78756735970bb9095e65fbb3
                                                    • Opcode Fuzzy Hash: cb4627bd7be384f5027b37eb714deb81b9d277233a11ab32fae1201d3796119b
                                                    • Instruction Fuzzy Hash: B8417C30E0030ADFDB55AF65D85469EBBA6FF85340F20452AE405EB384EBB4A946CB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PH]q
                                                    • API String ID: 0-3168235125
                                                    • Opcode ID: 47f2a7f2f692f4e0b22c6a55b0e5f61ba6bf78b7e0d44bf69eec5c6e30ee6f7c
                                                    • Instruction ID: 8409f3304a28f07fdad1b57a1905de034eacddb58583c65a27c284069417068f
                                                    • Opcode Fuzzy Hash: 47f2a7f2f692f4e0b22c6a55b0e5f61ba6bf78b7e0d44bf69eec5c6e30ee6f7c
                                                    • Instruction Fuzzy Hash: 4F417C70E00709DFDB55EFA4C88069EBBB6FF85240F10852AE405EB380EBB4D946CB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PH]q
                                                    • API String ID: 0-3168235125
                                                    • Opcode ID: 251410d140b95c50d9f4a971af0596c21a6e72baa347566d9c3b26516b8fdf09
                                                    • Instruction ID: 5aab4662a1b401a5adf4399cca765879bfe4ea96ac9526b8c398ff815eaa9fd9
                                                    • Opcode Fuzzy Hash: 251410d140b95c50d9f4a971af0596c21a6e72baa347566d9c3b26516b8fdf09
                                                    • Instruction Fuzzy Hash: A631F330B002058FCB46AB74C56076F7BEAAF89210F244568E806DB3D5EF35CD46CBA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PH]q
                                                    • API String ID: 0-3168235125
                                                    • Opcode ID: a2fbca024901bc730233692df151244e03f4d1c7482f176e1c14277c3fbce925
                                                    • Instruction ID: 7b70e4c166f8b7efc7f9bbc7d953b76f6d0fed57ac374da44694b60b78bf2cd2
                                                    • Opcode Fuzzy Hash: a2fbca024901bc730233692df151244e03f4d1c7482f176e1c14277c3fbce925
                                                    • Instruction Fuzzy Hash: A831C130B002058FDB59AB78C56466F7BEAAF89250F204438E406DB395EE75DE46CBA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ]
                                                    • API String ID: 0-3352871620
                                                    • Opcode ID: ab067e5aac0a4a41f6f5c0d0a203395438ac1494bc1a971bb6b6fd02948914dd
                                                    • Instruction ID: 8af08178a25d6bc8393d615cbf3661d322ca8f6dd1af7c870d4e3c5a3e7f19e8
                                                    • Opcode Fuzzy Hash: ab067e5aac0a4a41f6f5c0d0a203395438ac1494bc1a971bb6b6fd02948914dd
                                                    • Instruction Fuzzy Hash: FB21E0B5D01259ABCB00DF9AD885ACEFFB4FB49310F10812AE918A7300D379A940CFE5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ]
                                                    • API String ID: 0-3352871620
                                                    • Opcode ID: 700893c0356d6681209439ecc10a567ffdd91f20731b28e1435ed2fd9c42acdf
                                                    • Instruction ID: 06a33419a11542ee89b05af0c0c100eec850b8bafef61d1f83ca659880c773d8
                                                    • Opcode Fuzzy Hash: 700893c0356d6681209439ecc10a567ffdd91f20731b28e1435ed2fd9c42acdf
                                                    • Instruction Fuzzy Hash: F511C0B1D01219ABCB00DF9AD885A9EFBB4FB49310F10812AE518A7340D375A544CBA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \Obq
                                                    • API String ID: 0-2878401908
                                                    • Opcode ID: b67527bac477066b6d2b9c7b5c3c22d5611d4b8a44d003da9df4ff6359ce3de3
                                                    • Instruction ID: 1c0a8f35c13b6a55b8d315ce08bbdd7a4fe43cfe6f5385410202722820b7363e
                                                    • Opcode Fuzzy Hash: b67527bac477066b6d2b9c7b5c3c22d5611d4b8a44d003da9df4ff6359ce3de3
                                                    • Instruction Fuzzy Hash: 9EF0DA30A14219DBDB14EF94E85ABAEBBB6FF84711F204519E402A7394CBB41C46CB80
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 19b981c717965e592e6ff444670a6a698c68e37bf598bc8b780f4a09ee9ff8b6
                                                    • Instruction ID: 574c472219fe6d57e526e479888928243d0eec62886fa409c625a5dbf94beea1
                                                    • Opcode Fuzzy Hash: 19b981c717965e592e6ff444670a6a698c68e37bf598bc8b780f4a09ee9ff8b6
                                                    • Instruction Fuzzy Hash: BAA17770F002098FEF64EE6DD5907AEB7EAEB89310F244825E409DB396DA35DC45C7A1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d2de4b30346e55fe966995c534546fa5149283dcaff941d42e52aced55268353
                                                    • Instruction ID: 093c26b3e1b14a9bb0b467f02aa5696c0bd6873eaf5e3207c6aeed3d55e96c5e
                                                    • Opcode Fuzzy Hash: d2de4b30346e55fe966995c534546fa5149283dcaff941d42e52aced55268353
                                                    • Instruction Fuzzy Hash: FD61BF71F001214BDF55AA7EC880A6FBADBAFD5220B154479D80EDB360DE69ED0287D2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f45ed2b1437f8280e323b32e2952c0820478135a370877b38b061143b47f9bba
                                                    • Instruction ID: d26cfb4532c19901b34577fc929cbbc8b60776012f696f8d7e3ab8591fa2f57f
                                                    • Opcode Fuzzy Hash: f45ed2b1437f8280e323b32e2952c0820478135a370877b38b061143b47f9bba
                                                    • Instruction Fuzzy Hash: BB913C30E006198BDF60DF68C890B9DB7B1FF89300F208695D549AB395DB70AE86CB51
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Instruction Fuzzy Hash: E711D075A04280DFCB01CF14D5C4B15BF72FB84314F28C6A9D8494B652C33AE84ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 840470f69278de6c12c892c812ba96b04c91d731c79ffac01fbe5d2b3a68956f
                                                    • Instruction ID: 1bb79001948cdd1d5aadb7b0d113e78d4b21f233e5c4d5f629f70af439e76773
                                                    • Opcode Fuzzy Hash: 840470f69278de6c12c892c812ba96b04c91d731c79ffac01fbe5d2b3a68956f
                                                    • Instruction Fuzzy Hash: DE01D430B041501FDBA2A6BCE955B6F7BD5DB86704F108869F10ECB3A9EE25DD028761
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ecaf7da6423a4029fa45372fc535339d34f3f74c544cdd63fc387bf0e501dc0
                                                    • Instruction ID: c3a1f43f6ac063cee5f9ced351fb38869e90bcb69f19857519bcd586d9c64ee0
                                                    • Opcode Fuzzy Hash: 3ecaf7da6423a4029fa45372fc535339d34f3f74c544cdd63fc387bf0e501dc0
                                                    • Instruction Fuzzy Hash: AF01D131B101100BDBA4A56EE40472BB7EACBCA721F20843AF90ED7394DE61DD024391
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 28a1bd82c4780eacbbd9b85e5bc0c02ba2a0a59cec8b9a984c08cf6c29df3f92
                                                    • Instruction ID: 5c4975b00156af8b663b7f728f5bc1bbe3c48a75a030f800ba9d31f14a7927ff
                                                    • Opcode Fuzzy Hash: 28a1bd82c4780eacbbd9b85e5bc0c02ba2a0a59cec8b9a984c08cf6c29df3f92
                                                    • Instruction Fuzzy Hash: 3401AF31B105144BDB65AA3DD894B2F7BDAEBCA711F108839F50ECB340EE26DC028391
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb242767479a0e09604346b0c65566483ff3f227f371cab9f394f1e711557637
                                                    • Instruction ID: 5503e65e5bee56ca5239e15b294b164504a2acda9405e52eef9e06d7bf06a9d8
                                                    • Opcode Fuzzy Hash: bb242767479a0e09604346b0c65566483ff3f227f371cab9f394f1e711557637
                                                    • Instruction Fuzzy Hash: F401F430B000141BDB61EABCE944B2F77D9DB8A714F108438E50ECB358EE25DC0287A1
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7a7806af4cf2adca36e356c573042c823edd3e77b9f9c8073299236fc6c95a03
                                                    • Instruction ID: 6a5dc3adaf270444b210a14775274b076bf38f97a8a79f19b5c5e71e7d4a4a9c
                                                    • Opcode Fuzzy Hash: 7a7806af4cf2adca36e356c573042c823edd3e77b9f9c8073299236fc6c95a03
                                                    • Instruction Fuzzy Hash: EEF0A732E212689BDF14A975DC00A9AB73AEB85354F104429DD01E7344D631A855CBD0
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a08746f123d371cdffd1f6aeeb108c1da1ec75de2dccd887035c040221f0baae
                                                    • Instruction ID: b05727ff024ad944b00a63ee690437a9b16a3320d71b4443e84f6d313fd82764
                                                    • Opcode Fuzzy Hash: a08746f123d371cdffd1f6aeeb108c1da1ec75de2dccd887035c040221f0baae
                                                    • Instruction Fuzzy Hash: 0BF09B71E05284BFDB61DA74D94965B7FB9DB42314F2045B6D408CB252E535CE41C351
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 82565eebd83bffce6bea1bd5b4002266f047242f662974c57d004e09e824686e
                                                    • Instruction ID: 514b8f2b5b70cf3ab32c666d5e95f666ca468fc160f25f5c24c3ab5dae2a5e48
                                                    • Opcode Fuzzy Hash: 82565eebd83bffce6bea1bd5b4002266f047242f662974c57d004e09e824686e
                                                    • Instruction Fuzzy Hash: 6EE01271E11208ABDF50EEB4C94975A77BDE702214F2084A5D409C7306E576DE01C784
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-2843079600
                                                    • Opcode ID: bdb4b0602f347bf7dc7ebb5f3a98496d286b6a198b23ede3a8a4cc06d863f75a
                                                    • Instruction ID: 549fad16c0c0168bbd34a06024d6eba819171e9fc25acc876a49bee2cc3eca75
                                                    • Opcode Fuzzy Hash: bdb4b0602f347bf7dc7ebb5f3a98496d286b6a198b23ede3a8a4cc06d863f75a
                                                    • Instruction Fuzzy Hash: F6122E30E10219CFDB68EF69D994A9DBBB6FF88304F208969D409AB354DB309D45CF91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-1273862796
                                                    • Opcode ID: 5a649c7ad14b58780079f0effad7c24b46ebadce20962f065930d7ab7f8d48ca
                                                    • Instruction ID: 61d5d7d3ed15e31245c5411b972a6371df959526735a369b42bca375efd68d25
                                                    • Opcode Fuzzy Hash: 5a649c7ad14b58780079f0effad7c24b46ebadce20962f065930d7ab7f8d48ca
                                                    • Instruction Fuzzy Hash: C1917230A40209EFDB98EFA8D594B6E77F6FF44300F108429D8459B398DB749C45CB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                                    • API String ID: 0-981061697
                                                    • Opcode ID: 9f7c2857499bf82a31a767d8c328432ca13f044e2df0316543b4137200e3ad58
                                                    • Instruction ID: caff3e8080ed9bdc9f6a92b1946986f900ac94ca2436a755e69d51a09087bfa6
                                                    • Opcode Fuzzy Hash: 9f7c2857499bf82a31a767d8c328432ca13f044e2df0316543b4137200e3ad58
                                                    • Instruction Fuzzy Hash: D8F15C30A05208CFDB58EF69D594A6EBBB7FF88340F248568D4459B369DB34EC46CB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q
                                                    • API String ID: 0-858218434
                                                    • Opcode ID: 4d5fc5aa92d68034743b18aa24dd999694d3881db5d507d35035475f8782bb45
                                                    • Instruction ID: 4e07836175ad727b6ebf9034fad19fcc5aa4792c7d040d96d5d098140acce943
                                                    • Opcode Fuzzy Hash: 4d5fc5aa92d68034743b18aa24dd999694d3881db5d507d35035475f8782bb45
                                                    • Instruction Fuzzy Hash: D4B15C30E012188FDB58EF68C59466EBBB6FF84304F24882DD4069B355DB35DC86CB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q$LR]q$$]q$$]q
                                                    • API String ID: 0-3527005858
                                                    • Opcode ID: 9cbdea8735d4360dc22de809ffe3054d4516dcdc0ca30c6f4d2952abf77b1ac4
                                                    • Instruction ID: bd7cd0ebf5312c8bfa53bc60502668cc04ff85383cdab972c5f479fd35568066
                                                    • Opcode Fuzzy Hash: 9cbdea8735d4360dc22de809ffe3054d4516dcdc0ca30c6f4d2952abf77b1ac4
                                                    • Instruction Fuzzy Hash: 9B51C330B042059FDB58EF28D980A6A77E6FF89700F14896DE8069F3A5DB71EC45CB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $]q$$]q$$]q$$]q
                                                    • API String ID: 0-858218434
                                                    • Opcode ID: a3ade00a5710be7ce70eb038a19b13e335b735efbc678f2e86febeca8c8640b7
                                                    • Instruction ID: b314644b5a04b399524515cb0e5bd971f874a555b53582075e0025d2a1417f92
                                                    • Opcode Fuzzy Hash: a3ade00a5710be7ce70eb038a19b13e335b735efbc678f2e86febeca8c8640b7
                                                    • Instruction Fuzzy Hash: 1C51B370E51205AFCFA5FFA8D580AAEB7B6EB88301F10852AD815DB358DB31DC42CB51
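The entries above are emitted one per recovered function, and the only field that ties two functions together without re-running the disassembler is the report's own "API String ID" (two of the entries above, opcode IDs 4d5fc5aa… and a3ade00a…, carry the same ID 0-858218434). The parser below is an added example and is not Joe Sandbox code: it splits the report text into one record per "Memory Dump Source" block, groups functions that reference the same string set, and counts functions per memory dump. The three sample entries are copied verbatim from this report section; the fuzzy-hash format itself is Joe Sandbox's and is not interpreted here, only carried through.

```python
"""Parse Joe Sandbox 'Similarity' entries into records and cluster functions
that share the same string references.  Added example, not report code."""
import re
from collections import defaultdict

# Sample input constructed for this example: three entries copied from the
# report section above (a leading 'Strings' marker is kept to show it is skipped).
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: 4d5fc5aa92d68034743b18aa24dd999694d3881db5d507d35035475f8782bb45
• Instruction ID: 4e07836175ad727b6ebf9034fad19fcc5aa4792c7d040d96d5d098140acce943
• Opcode Fuzzy Hash: 4d5fc5aa92d68034743b18aa24dd999694d3881db5d507d35035475f8782bb45
• Instruction Fuzzy Hash: D4B15C30E012188FDB58EF68C59466EBBB6FF84304F24882DD4069B355DB35DC86CB90
Memory Dump Source
• Source File: 00000003.00000002.4478123286.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6640000_LisectAVT_2403002A_52.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: a3ade00a5710be7ce70eb038a19b13e335b735efbc678f2e86febeca8c8640b7
• Instruction ID: b314644b5a04b399524515cb0e5bd971f874a555b53582075e0025d2a1417f92
• Opcode Fuzzy Hash: a3ade00a5710be7ce70eb038a19b13e335b735efbc678f2e86febeca8c8640b7
• Instruction Fuzzy Hash: 1C51B370E51205AFCFA5FFA8D580AAEB7B6EB88301F10852AD815DB358DB31DC42CB51
Memory Dump Source
• Source File: 00000003.00000002.4471644594.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_d6d000_LisectAVT_2403002A_52.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction ID: e4330f865f1c1bf7ab085a5d31e3b825d7192cd44d92cc5294db32065c3296cf
• Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction Fuzzy Hash: E711D075A04280DFCB01CF14D5C4B15BF72FB84314F28C6A9D8494B652C33AE84ACB62
"""

# One bullet line: "• <field name>: <value>" (value may be empty).
FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")


def parse_entries(text):
    """Return one dict per 'Memory Dump Source' block, keyed by the report's
    own bullet field names; non-bullet lines (plugin name, 'Similarity',
    'Strings') are layout only and are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return entries


def dump_offset(entry):
    """Extract the 'Offset: XXXXXXXX' part of the Source File field."""
    m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", entry.get("Source File", ""))
    return m.group(1) if m else None


def per_dump_counts(entries):
    """How many recovered functions came from each memory dump."""
    counts = defaultdict(int)
    for e in entries:
        counts[dump_offset(e)] += 1
    return dict(counts)


def cluster_by_string_id(entries):
    """Group Opcode IDs by the report's API String ID; entries with no
    string references (empty ID) are left out of every cluster."""
    clusters = defaultdict(list)
    for e in entries:
        key = e.get("API String ID", "")
        if key:
            clusters[key].append(e["Opcode ID"])
    return {k: sorted(v) for k, v in clusters.items()}


def shared_string_clusters(entries):
    """Only the clusters where two or more distinct functions share a string set."""
    return {k: v for k, v in cluster_by_string_id(entries).items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    print(per_dump_counts(recs))
    for sid, opcodes in shared_string_clusters(recs).items():
        print(sid, *opcodes, sep="\n  ")
```

The clustering is deliberately exact-match on the report's API String ID; comparing the fuzzy hashes themselves would require the hashing scheme Joe Sandbox uses, which the report does not document, so that step is left to the tool.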