
Windows Analysis Report
LisectAVT_2403002A_2.exe

Overview

General Information

Sample name: LisectAVT_2403002A_2.exe
Analysis ID: 1482428
MD5: e099ad7e57b0011262cc822808972e10
SHA1: f2d3a518ebe54091351ced1d068db43f4dc09056
SHA256: 449b2930259030577c8ac1061e4fd12e815b06597f8a55becf318efd44eac323
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LisectAVT_2403002A_2.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe" MD5: E099AD7E57B0011262CC822808972E10)
    • powershell.exe (PID: 1416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 764 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qHqJcuLw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2196 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 4884 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 2528 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7144 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • qHqJcuLw.exe (PID: 1320 cmdline: C:\Users\user\AppData\Roaming\qHqJcuLw.exe MD5: E099AD7E57B0011262CC822808972E10)
    • schtasks.exe (PID: 6948 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpE378.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7056 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "sg2plcpnl0128.prod.sin2.secureserver.net", "Username": "accounts@equityhyundai.com", "Password": "oc27-JcbRAO~"}
Yara matches in memory dumps (Source; Rule; Description; Author):
Source: 0000000A.00000002.2201120787.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Yara matches in unpacked PE files (Source; Rule; Description; Author; Strings):
Source: 12.2.qHqJcuLw.exe.461a338.3.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 12.2.qHqJcuLw.exe.461a338.3.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 12.2.qHqJcuLw.exe.461a338.3.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen; Strings:
  • 0x3185b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x318cd:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31957:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x319e9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31a53:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31ac5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31b5b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31beb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe, ParentProcessId: 6488, ParentProcessName: LisectAVT_2403002A_2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", ProcessId: 1416, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpE378.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpE378.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\qHqJcuLw.exe, ParentImage: C:\Users\user\AppData\Roaming\qHqJcuLw.exe, ParentProcessId: 1320, ParentProcessName: qHqJcuLw.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpE378.tmp", ProcessId: 6948, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 182.50.135.77, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7144, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe, ParentProcessId: 6488, ParentProcessName: LisectAVT_2403002A_2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp", ProcessId: 4884, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe, ParentProcessId: 6488, ParentProcessName: LisectAVT_2403002A_2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", ProcessId: 1416, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe, ParentProcessId: 6488, ParentProcessName: LisectAVT_2403002A_2.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp", ProcessId: 4884, ProcessName: schtasks.exe

No Snort rule has matched

Timestamp: 2024-07-25T22:53:05.892965+0200
SID: 2022930
Source Port: 443
Destination Port: 49721
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-07-25T22:53:43.946681+0200
SID: 2022930
Source Port: 443
Destination Port: 49727
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: LisectAVT_2403002A_2.exe; Avira: detected
Source: http://www.google.com; URL Reputation: Label: malware
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe; Avira: detection malicious, Label: TR/AD.GenSteal.gwmnl
Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "sg2plcpnl0128.prod.sin2.secureserver.net", "Username": "accounts@equityhyundai.com", "Password": "oc27-JcbRAO~"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe; Joe Sandbox ML: detected
Source: LisectAVT_2403002A_2.exe; Joe Sandbox ML: detected
Source: LisectAVT_2403002A_2.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: LisectAVT_2403002A_2.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: bSgh.pdbSHA256; source: LisectAVT_2403002A_2.exe, qHqJcuLw.exe.1.dr
Source: Binary string: bSgh.pdb; source: LisectAVT_2403002A_2.exe, qHqJcuLw.exe.1.dr
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe; Code function: 4x nop then jmp 07517D76h (1_2_0751837C)
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe; Code function: 4x nop then jmp 0769705Eh (12_2_07697664)

Networking

Source: Yara match; File source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.6:49715 -> 182.50.135.77:587
Source: Joe Sandbox View; IP Address: 172.67.74.152
Source: Joe Sandbox View; IP Address: 182.50.135.77
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: sg2plcpnl0128.prod.sin2.secureserver.net
Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2176593205.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2201120787.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, qHqJcuLw.exe, 0000000C.00000002.2222420893.0000000003310000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000A.00000002.2201120787.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://sg2plcpnl0128.prod.sin2.secureserver.net
Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2176593205.0000000003041000.00000004.00000800.00020000.00000000.sdmp, qHqJcuLw.exe, 0000000C.00000002.2222420893.00000000032A1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.google.com
Source: LisectAVT_2403002A_2.exe, qHqJcuLw.exe.1.dr; String found in binary or memory: http://www.google.com)Uygun
Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, qHqJcuLw.exe, 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2201120787.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, qHqJcuLw.exe, 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 0000000A.00000002.2201120787.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 0000000A.00000002.2201120787.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: LisectAVT_2403002A_2.exe, qHqJcuLw.exe.1.dr; String found in binary or memory: https://www.google.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown; Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown; Network traffic detected: HTTP traffic on port 49718 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, n00.cs; .Net Code: Ajjb
Source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.raw.unpack, n00.cs; .Net Code: Ajjb

System Summary

Source: 12.2.qHqJcuLw.exe.461a338.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 12.2.qHqJcuLw.exe.45df718.5.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 12.2.qHqJcuLw.exe.45df718.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 12.2.qHqJcuLw.exe.461a338.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                    Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamee3f96683-b7f1-43d4-a3c4-2560ec391fa8.exe4 vs LisectAVT_2403002A_2.exe
                    Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_2.exe
                    Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2182321862.00000000072C9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs LisectAVT_2403002A_2.exe
                    Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2175192068.000000000130E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_2.exe
                    Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2183026021.00000000080A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs LisectAVT_2403002A_2.exe
                    Source: LisectAVT_2403002A_2.exe, 00000001.00000002.2176593205.00000000030B0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamee3f96683-b7f1-43d4-a3c4-2560ec391fa8.exe4 vs LisectAVT_2403002A_2.exe
                    Source: LisectAVT_2403002A_2.exeBinary or memory string: OriginalFilenamebSgh.exeF vs LisectAVT_2403002A_2.exe
                    Source: LisectAVT_2403002A_2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 12.2.qHqJcuLw.exe.461a338.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 12.2.qHqJcuLw.exe.45df718.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 12.2.qHqJcuLw.exe.45df718.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 12.2.qHqJcuLw.exe.461a338.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: LisectAVT_2403002A_2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: qHqJcuLw.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, NpXw3kw.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, NpXw3kw.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, gyfrCFT5x9I.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, gyfrCFT5x9I.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, gyfrCFT5x9I.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, gyfrCFT5x9I.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, fpnV0Qjz.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, fpnV0Qjz.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, Gtx0Eoxc3Jl7r2dDpt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, csyq77VieeGgrWwj6C.csSecurity API names: _0020.SetAccessControl
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, csyq77VieeGgrWwj6C.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, csyq77VieeGgrWwj6C.csSecurity API names: _0020.AddAccessRule
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, csyq77VieeGgrWwj6C.csSecurity API names: _0020.SetAccessControl
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, csyq77VieeGgrWwj6C.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, csyq77VieeGgrWwj6C.csSecurity API names: _0020.AddAccessRule
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, Gtx0Eoxc3Jl7r2dDpt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 1.2.LisectAVT_2403002A_2.exe.308b308.0.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 1.2.LisectAVT_2403002A_2.exe.58c0000.7.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 1.2.LisectAVT_2403002A_2.exe.3093320.1.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeFile created: C:\Users\user\AppData\Roaming\qHqJcuLw.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeMutant created: \Sessions\1\BaseNamedObjects\fpCdGkIXddE
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeFile created: C:\Users\user\AppData\Local\Temp\tmpCF64.tmpJump to behavior
                    Source: LisectAVT_2403002A_2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: LisectAVT_2403002A_2.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeFile read: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qHqJcuLw.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\qHqJcuLw.exe C:\Users\user\AppData\Roaming\qHqJcuLw.exe
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpE378.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qHqJcuLw.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpE378.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: LisectAVT_2403002A_2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: LisectAVT_2403002A_2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: LisectAVT_2403002A_2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: bSgh.pdbSHA256 source: LisectAVT_2403002A_2.exe, qHqJcuLw.exe.1.dr
                    Source: Binary string: bSgh.pdb source: LisectAVT_2403002A_2.exe, qHqJcuLw.exe.1.dr

                    Data Obfuscation

                    Source: LisectAVT_2403002A_2.exe, BowserOdevi.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: qHqJcuLw.exe.1.dr, BowserOdevi.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 1.2.LisectAVT_2403002A_2.exe.58b0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, csyq77VieeGgrWwj6C.cs .Net Code: oeiUEOdQOe System.Reflection.Assembly.Load(byte[])
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, csyq77VieeGgrWwj6C.cs .Net Code: oeiUEOdQOe System.Reflection.Assembly.Load(byte[])
                    Source: LisectAVT_2403002A_2.exe Static PE information: 0xC6950FA3 [Mon Jul 29 20:27:15 2075 UTC]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00ED0CCB push edi; retf 10_2_00ED0C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 10_2_00ED0C45 push ebx; retf 10_2_00ED0C52
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe Code function: 12_2_056789E0 push eax; mov dword ptr [esp], ecx 12_2_056789E4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00DD0CCB push edi; retf 15_2_00DD0C7A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_00DD0C45 push ebx; retf 15_2_00DD0C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0639FB10 push es; iretd 15_2_0639FB1C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0639FB44 push es; iretd 15_2_0639FB48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0639FBCD push es; iretd 15_2_0639FBDC
                    Source: LisectAVT_2403002A_2.exe Static PE information: section name: .text entropy: 7.894347092736149
                    Source: qHqJcuLw.exe.1.dr Static PE information: section name: .text entropy: 7.894347092736149
                    Source: 1.2.LisectAVT_2403002A_2.exe.58b0000.6.raw.unpack, kdFvaMFVPKs73pA7Ae.cs High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                    Source: 1.2.LisectAVT_2403002A_2.exe.58b0000.6.raw.unpack, DD.cs High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                    Source: 1.2.LisectAVT_2403002A_2.exe.58b0000.6.raw.unpack, ihWImL1h2qjtIkVYDh.cs High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                    Source: 1.2.LisectAVT_2403002A_2.exe.58b0000.6.raw.unpack, oImfMJtvGUo8fMQNBQ.cs High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                    Source: 1.2.LisectAVT_2403002A_2.exe.58b0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, PIh5iim8RpSHSH5ngN.cs High entropy of concatenated method names: 'BPblCF32Ix', 'U1qldgAeu1', 'W44lgt7qPm', 'IiflQebvbS', 'GlflVIj92F', 'a4QgtZcIO9', 'soPgKDIVVu', 'Cu7gR9RaN8', 'toTgiyBCIG', 'Nufgfwxfxy'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, fmV0k6hepwABJ9MUVW4.cs High entropy of concatenated method names: 'ehDX3NT5Kd', 'iUsXFT1Al3', 'x8oXE4HOm5', 'D7iX82ASqX', 's0nXGnnVyY', 'rvYXMyeGZL', 'NL4Xp00ZNt', 'QwAXxo33lu', 'LriXyKPyeD', 'Pt1X9Z6H3a'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, wkfaEpsjMnC3hJlq3A.cs High entropy of concatenated method names: 'fAdE33fgU', 'uKN8Ovw6L', 'ar1MrKM7m', 'FjBpmYIJI', 'bIgy7smIc', 'DnC9FvCGs', 'E33Jngf87Jbc84hwpi', 'BpjiTu4w2l2c2pWiTC', 'wWoH0vW6s', 'Q5FrdXQZq'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, Gtx0Eoxc3Jl7r2dDpt.cs High entropy of concatenated method names: 'BludOGrhhF', 'dMKdIltYqZ', 'EJOdNRWxAA', 'Q09dY8WMQm', 'EhVdtrZ2Cg', 'JljdKWm3iV', 'imjdR21tnE', 'pmCdiw3Jsy', 'H2adfCrS7Q', 'ly8dTFJw0W'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, GZvA1jhhKokUkk4kn1Z.cs High entropy of concatenated method names: 'ToString', 'v0wrZp9GRm', 'zVBrUibASS', 'QxxrCjCm6R', 'F4sroa3GPq', 'FM0rdvaeJL', 'QwgrcGRMLD', 'KXSrgaHutn', 'OQvHbMdbjkJFe63VA4Y', 'oLmZCld3PfTsi9VLp1x'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, bhEvQparuJZ8BNPWlg.cs High entropy of concatenated method names: 'kuuQ3wcWuY', 'yXpQF7SMLS', 'BiCQE9fHIc', 'fEyQ8f6cig', 'outQGYmBoe', 'RjnQMt7FNg', 'XvIQpcOBKp', 'NqwQxUXdC5', 'rhZQyoAwAi', 'wmwQ996LhK'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, VvBHyt7OvMu57IvZyy.cs High entropy of concatenated method names: 'T786xD0xWG', 'h5p6y9e9kp', 'OXX6mF5P3g', 'bMr6WuwVSo', 'J9M6JLFbd7', 'rVi6B6JkhK', 'wtj6wiZFlJ', 'BYR6LmP1XW', 'PmC6AMRtsn', 'hu46ky3maf'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, LUdbk4dM5G1Wl6aYnw.cs High entropy of concatenated method names: 'Dispose', 'fq4hfT8hcQ', 'sS7sW40wp4', 'Duj55VPftW', 'XoyhTYAIft', 'oGKhzSL7L7', 'ProcessDialogKey', 'SpSseXdaoY', 'aevshP8uu8', 'Y07ssVwjYB'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, kwjYBOTK5uliDdEeSV.cs High entropy of concatenated method names: 'VQfXhk7gQ7', 'A85XZA32kW', 'ahwXU2t5lY', 'h75Xo4crNc', 'f6WXdxpxnL', 'CoQXgZGmoQ', 'NOoXlJ4DJV', 'p71HRl9oxm', 'DkwHiaoGkF', 'lUMHfkmTJ0'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, GoZLMXhZhOoQ9V3t55Z.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GfxrOsBCiZ', 'x6drISMHbU', 'Pt5rN39u32', 'pAlrYtZUX0', 's3ertbh2A8', 'fHnrKH64Iv', 'AYYrR6MZ32'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, krG3qNwmBc1T95d6a5.cs High entropy of concatenated method names: 'RP3Qo5rgdT', 'a8CQcqUNIY', 'uOPQlx0tDV', 'phNlTfPmpV', 'F6AlzIj93I', 'mcdQeBV1lI', 'W1ZQhtPBC0', 'xeVQsFfRrI', 'cpkQZF3Buw', 'pXnQUy8DOj'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, FNmeIozGOrWwFX9H2g.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Kp9X6LrebR', 'R0RX0wCQRu', 'jJTXvp0J8B', 'XdQXuOvvTK', 'tQ2XH9YbtT', 'aP1XXv65XB', 'NTQXrZSJHN'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, csyq77VieeGgrWwj6C.cs High entropy of concatenated method names: 'bYkZCYXdsx', 'L9bZoDC8k8', 'VKAZdgBnLk', 'slCZcXVi21', 'mufZgdTO64', 'hD6ZlwEDvB', 'kKlZQH0WkR', 'xlyZVBkVmS', 'D4uZnYPJcL', 'nVmZD4prSS'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, HUT48FUp7cQjRlwnRp.cs High entropy of concatenated method names: 'avmhQtx0Eo', 'g3JhVl7r2d', 'Xt7hDZrIDN', 'j4Rh5sJKEs', 'BNmh0HuqIh', 'miihv8RpSH', 'WAuruj0Y3JFYwBdTbW', 'sL01iYwiv0mPNlS0u9', 'CpKhhiENsd', 'TOkhZlOQQD'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, jWFgVNKdk6m9BiqcsQ.cs High entropy of concatenated method names: 'iaquiUXNbO', 'JxZuTUIe2c', 'UiuHeX6QdX', 'cyUHh5lnCy', 'jhqukgZhKx', 'ooKuqbAxWA', 's3gu7xUR65', 'rkAuOJLhB0', 'e8EuIRlKJ6', 'TQUuNJM9bl'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, Ib3OsQcQqutoyeUHtr.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Vrwsf5whTY', 'hKosTjAFgr', 'Slgszm627x', 'nmGZeeo5V4', 'DNqZh0YxVr', 's3nZsJu8Hs', 'RrqZZyZ5ub', 'fekAYvW75HQQ5CoNqFW'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, JKEsd0945PwyTGNmHu.cs High entropy of concatenated method names: 'shNgGD92Cw', 'On3gpxawpE', 'zrFc41KnNd', 'VN9cJRIHDe', 'YvQcBomfEj', 'XiFcjt7Vff', 'xt9cwEOoxS', 'XIScLy9SOJ', 'vVbcaHLt7W', 'pI6cA7cIiG'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, dhIThTOdtGw4jwHPam.cs High entropy of concatenated method names: 'LJk0AGjfhA', 'TfV0qJc51T', 'WwW0OkgSW3', 'kmh0I4U0uU', 'DHq0Wes8km', 'uAB04htoBf', 'M8V0Jf9gmm', 'xY90B0nmFM', 'zs90jNsDoP', 'RnG0wwoXvT'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, tKo7Tfyt7ZrIDNQ4Rs.cs High entropy of concatenated method names: 'P2Vc8GNGeT', 'smicMdhGQK', 'fZYcx547JH', 'Ff5cy4fgi0', 'lDic0GG5py', 'x8scvBdorO', 'XxycuAl2IW', 'akTcHkt1gr', 'nlNcXG3hOW', 'Kv6crwIqmR'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, wXdaoYfeevP8uu8T07.cs High entropy of concatenated method names: 'DuIHmOAyvZ', 'UOnHWskoi8', 'SypH48krBV', 'TfCHJNHhGR', 'h1JHO6XCbe', 'umfHBvPpND', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 1.2.LisectAVT_2403002A_2.exe.80a0000.8.raw.unpack, fyYAIfit0GKSL7L7Ip.cs High entropy of concatenated method names: 'FinHoKSrvZ', 'tHwHd2jjpZ', 'ofZHcHXwpE', 'og4HgfEmjC', 'WLYHlnJ6RY', 'j9qHQoHZJu', 'VS7HVwa3ve', 'U3bHnvrTs1', 'dI0HDxpUaB', 'xKlH5wJv0g'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, PIh5iim8RpSHSH5ngN.cs High entropy of concatenated method names: 'BPblCF32Ix', 'U1qldgAeu1', 'W44lgt7qPm', 'IiflQebvbS', 'GlflVIj92F', 'a4QgtZcIO9', 'soPgKDIVVu', 'Cu7gR9RaN8', 'toTgiyBCIG', 'Nufgfwxfxy'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, fmV0k6hepwABJ9MUVW4.cs High entropy of concatenated method names: 'ehDX3NT5Kd', 'iUsXFT1Al3', 'x8oXE4HOm5', 'D7iX82ASqX', 's0nXGnnVyY', 'rvYXMyeGZL', 'NL4Xp00ZNt', 'QwAXxo33lu', 'LriXyKPyeD', 'Pt1X9Z6H3a'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, wkfaEpsjMnC3hJlq3A.cs High entropy of concatenated method names: 'fAdE33fgU', 'uKN8Ovw6L', 'ar1MrKM7m', 'FjBpmYIJI', 'bIgy7smIc', 'DnC9FvCGs', 'E33Jngf87Jbc84hwpi', 'BpjiTu4w2l2c2pWiTC', 'wWoH0vW6s', 'Q5FrdXQZq'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, Gtx0Eoxc3Jl7r2dDpt.cs High entropy of concatenated method names: 'BludOGrhhF', 'dMKdIltYqZ', 'EJOdNRWxAA', 'Q09dY8WMQm', 'EhVdtrZ2Cg', 'JljdKWm3iV', 'imjdR21tnE', 'pmCdiw3Jsy', 'H2adfCrS7Q', 'ly8dTFJw0W'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, GZvA1jhhKokUkk4kn1Z.cs High entropy of concatenated method names: 'ToString', 'v0wrZp9GRm', 'zVBrUibASS', 'QxxrCjCm6R', 'F4sroa3GPq', 'FM0rdvaeJL', 'QwgrcGRMLD', 'KXSrgaHutn', 'OQvHbMdbjkJFe63VA4Y', 'oLmZCld3PfTsi9VLp1x'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, bhEvQparuJZ8BNPWlg.cs High entropy of concatenated method names: 'kuuQ3wcWuY', 'yXpQF7SMLS', 'BiCQE9fHIc', 'fEyQ8f6cig', 'outQGYmBoe', 'RjnQMt7FNg', 'XvIQpcOBKp', 'NqwQxUXdC5', 'rhZQyoAwAi', 'wmwQ996LhK'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, VvBHyt7OvMu57IvZyy.cs High entropy of concatenated method names: 'T786xD0xWG', 'h5p6y9e9kp', 'OXX6mF5P3g', 'bMr6WuwVSo', 'J9M6JLFbd7', 'rVi6B6JkhK', 'wtj6wiZFlJ', 'BYR6LmP1XW', 'PmC6AMRtsn', 'hu46ky3maf'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, LUdbk4dM5G1Wl6aYnw.cs High entropy of concatenated method names: 'Dispose', 'fq4hfT8hcQ', 'sS7sW40wp4', 'Duj55VPftW', 'XoyhTYAIft', 'oGKhzSL7L7', 'ProcessDialogKey', 'SpSseXdaoY', 'aevshP8uu8', 'Y07ssVwjYB'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, kwjYBOTK5uliDdEeSV.cs High entropy of concatenated method names: 'VQfXhk7gQ7', 'A85XZA32kW', 'ahwXU2t5lY', 'h75Xo4crNc', 'f6WXdxpxnL', 'CoQXgZGmoQ', 'NOoXlJ4DJV', 'p71HRl9oxm', 'DkwHiaoGkF', 'lUMHfkmTJ0'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, GoZLMXhZhOoQ9V3t55Z.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GfxrOsBCiZ', 'x6drISMHbU', 'Pt5rN39u32', 'pAlrYtZUX0', 's3ertbh2A8', 'fHnrKH64Iv', 'AYYrR6MZ32'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, krG3qNwmBc1T95d6a5.cs High entropy of concatenated method names: 'RP3Qo5rgdT', 'a8CQcqUNIY', 'uOPQlx0tDV', 'phNlTfPmpV', 'F6AlzIj93I', 'mcdQeBV1lI', 'W1ZQhtPBC0', 'xeVQsFfRrI', 'cpkQZF3Buw', 'pXnQUy8DOj'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, FNmeIozGOrWwFX9H2g.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Kp9X6LrebR', 'R0RX0wCQRu', 'jJTXvp0J8B', 'XdQXuOvvTK', 'tQ2XH9YbtT', 'aP1XXv65XB', 'NTQXrZSJHN'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, csyq77VieeGgrWwj6C.cs High entropy of concatenated method names: 'bYkZCYXdsx', 'L9bZoDC8k8', 'VKAZdgBnLk', 'slCZcXVi21', 'mufZgdTO64', 'hD6ZlwEDvB', 'kKlZQH0WkR', 'xlyZVBkVmS', 'D4uZnYPJcL', 'nVmZD4prSS'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, HUT48FUp7cQjRlwnRp.cs High entropy of concatenated method names: 'avmhQtx0Eo', 'g3JhVl7r2d', 'Xt7hDZrIDN', 'j4Rh5sJKEs', 'BNmh0HuqIh', 'miihv8RpSH', 'WAuruj0Y3JFYwBdTbW', 'sL01iYwiv0mPNlS0u9', 'CpKhhiENsd', 'TOkhZlOQQD'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, jWFgVNKdk6m9BiqcsQ.cs High entropy of concatenated method names: 'iaquiUXNbO', 'JxZuTUIe2c', 'UiuHeX6QdX', 'cyUHh5lnCy', 'jhqukgZhKx', 'ooKuqbAxWA', 's3gu7xUR65', 'rkAuOJLhB0', 'e8EuIRlKJ6', 'TQUuNJM9bl'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, Ib3OsQcQqutoyeUHtr.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Vrwsf5whTY', 'hKosTjAFgr', 'Slgszm627x', 'nmGZeeo5V4', 'DNqZh0YxVr', 's3nZsJu8Hs', 'RrqZZyZ5ub', 'fekAYvW75HQQ5CoNqFW'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, JKEsd0945PwyTGNmHu.cs High entropy of concatenated method names: 'shNgGD92Cw', 'On3gpxawpE', 'zrFc41KnNd', 'VN9cJRIHDe', 'YvQcBomfEj', 'XiFcjt7Vff', 'xt9cwEOoxS', 'XIScLy9SOJ', 'vVbcaHLt7W', 'pI6cA7cIiG'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, dhIThTOdtGw4jwHPam.cs High entropy of concatenated method names: 'LJk0AGjfhA', 'TfV0qJc51T', 'WwW0OkgSW3', 'kmh0I4U0uU', 'DHq0Wes8km', 'uAB04htoBf', 'M8V0Jf9gmm', 'xY90B0nmFM', 'zs90jNsDoP', 'RnG0wwoXvT'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, tKo7Tfyt7ZrIDNQ4Rs.cs High entropy of concatenated method names: 'P2Vc8GNGeT', 'smicMdhGQK', 'fZYcx547JH', 'Ff5cy4fgi0', 'lDic0GG5py', 'x8scvBdorO', 'XxycuAl2IW', 'akTcHkt1gr', 'nlNcXG3hOW', 'Kv6crwIqmR'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, wXdaoYfeevP8uu8T07.cs High entropy of concatenated method names: 'DuIHmOAyvZ', 'UOnHWskoi8', 'SypH48krBV', 'TfCHJNHhGR', 'h1JHO6XCbe', 'umfHBvPpND', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 1.2.LisectAVT_2403002A_2.exe.44263c0.3.raw.unpack, fyYAIfit0GKSL7L7Ip.cs High entropy of concatenated method names: 'FinHoKSrvZ', 'tHwHd2jjpZ', 'ofZHcHXwpE', 'og4HgfEmjC', 'WLYHlnJ6RY', 'j9qHQoHZJu', 'VS7HVwa3ve', 'U3bHnvrTs1', 'dI0HDxpUaB', 'xKlH5wJv0g'
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe File created: C:\Users\user\AppData\Roaming\qHqJcuLw.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: qHqJcuLw.exe PID: 1320, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory allocated: 15C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory allocated: 2F90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory allocated: 8120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory allocated: 9120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory allocated: 93E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory allocated: A3E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory allocated: 15E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory allocated: 32A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory allocated: 7DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory allocated: 8DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory allocated: 7DD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7766
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1173
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6137
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1383
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3131
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe TID: 1396 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2248 | Thread sleep count: 7766 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4904 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2248 | Thread sleep count: 1173 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6496 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1492 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6116 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe TID: 4928 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98935
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98608
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98496Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98391Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98277Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99872
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99763
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99093
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98764
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97731
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: RegSvcs.exe, 0000000A.00000002.2199598243.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3368267188.0000000005D2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qHqJcuLw.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qHqJcuLw.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 972008
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9B0008
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qHqJcuLw.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpE378.tmp"
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Queries volume information: C:\Users\user\AppData\Roaming\qHqJcuLw.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qHqJcuLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\LisectAVT_2403002A_2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 12.2.qHqJcuLw.exe.461a338.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.45df718.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.45df718.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.461a338.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2201120787.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3362498072.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3362498072.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2201120787.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_2.exe PID: 6488, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qHqJcuLw.exe PID: 1320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7056, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 12.2.qHqJcuLw.exe.461a338.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.45df718.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.45df718.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.461a338.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3362498072.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2201120787.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_2.exe PID: 6488, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qHqJcuLw.exe PID: 1320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7056, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 12.2.qHqJcuLw.exe.461a338.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.45df718.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.45df718.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.qHqJcuLw.exe.461a338.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.437e780.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.LisectAVT_2403002A_2.exe.43b93a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2201120787.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3362498072.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.3362498072.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2201120787.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_2.exe PID: 6488, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qHqJcuLw.exe PID: 1320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7056, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 131 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 311 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 34 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | 1 Credentials in Registry | 121 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 151 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 311 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1482428 | Sample: LisectAVT_2403002A_2.exe | Start date: 25/07/2024 | Architecture: WINDOWS | Score: 100

Start
  Contacted hosts: sg2plcpnl0128.prod.sin2.secureserver.net; api.ipify.org
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
  LisectAVT_2403002A_2.exe (started)
    Dropped files: C:\Users\user\AppData\Roaming\qHqJcuLw.exe (PE32); C:\Users\...\qHqJcuLw.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpCF64.tmp (XML); C:\Users\...\LisectAVT_2403002A_2.exe.log (ASCII)
    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
    RegSvcs.exe (started)
      sg2plcpnl0128.prod.sin2.secureserver.net, 182.50.135.77, ports 49715, 49719, 587, AS-26496-GO-DADDY-COM-LLCUS, Singapore
      api.ipify.org, 172.67.74.152, ports 443, 49714, 49718, CLOUDFLARENETUS, United States
    powershell.exe (started)
      Signature: Loading BitLocker PowerShell Module
      WmiPrvSE.exe (started)
      conhost.exe (started)
    powershell.exe (started)
      conhost.exe (started)
    2 other processes
      Signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
      conhost.exe (started)
  qHqJcuLw.exe (started)
    Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    RegSvcs.exe (started)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (started)
      conhost.exe (started)

Source | Detection | Scanner | Label
LisectAVT_2403002A_2.exe | 100% | Avira | TR/AD.GenSteal.gwmnl
LisectAVT_2403002A_2.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\qHqJcuLw.exe | 100% | Avira | TR/AD.GenSteal.gwmnl
C:\Users\user\AppData\Roaming\qHqJcuLw.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
http://www.google.com | 100% | URL Reputation | malware
https://api.ipify.org | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.google.com)Uygun | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
http://sg2plcpnl0128.prod.sin2.secureserver.net | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
sg2plcpnl0128.prod.sin2.secureserver.net | 182.50.135.77 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://sg2plcpnl0128.prod.sin2.secureserver.net | RegSvcs.exe, 0000000A.00000002.2201120787.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | LisectAVT_2403002A_2.exe, qHqJcuLw.exe.1.dr | false | Avira URL Cloud: safe | unknown
http://www.google.com | LisectAVT_2403002A_2.exe, 00000001.00000002.2176593205.0000000003041000.00000004.00000800.00020000.00000000.sdmp, qHqJcuLw.exe, 0000000C.00000002.2222420893.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://api.ipify.org | LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2201120787.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, qHqJcuLw.exe, 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.google.com)Uygun | LisectAVT_2403002A_2.exe, qHqJcuLw.exe.1.dr | true | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, LisectAVT_2403002A_2.exe, 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, qHqJcuLw.exe, 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/t | RegSvcs.exe, 0000000A.00000002.2201120787.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | LisectAVT_2403002A_2.exe, 00000001.00000002.2176593205.00000000030B0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2201120787.00000000029FB000.00000004.00000800.00020000.00000000.sdmp, qHqJcuLw.exe, 0000000C.00000002.2222420893.0000000003310000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3362498072.0000000002A2C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
182.50.135.77 | sg2plcpnl0128.prod.sin2.secureserver.net | Singapore | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482428
Start date and time: 2024-07-25 22:51:58 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LisectAVT_2403002A_2.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 178
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 40.127.169.103, 13.85.23.206, 20.242.39.171
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• VT rate limit hit for: LisectAVT_2403002A_2.exe
Time | Type | Description
16:52:49 | API Interceptor | 1x Sleep call for process: LisectAVT_2403002A_2.exe modified
16:52:52 | API Interceptor | 36x Sleep call for process: powershell.exe modified
16:52:54 | API Interceptor | 37x Sleep call for process: RegSvcs.exe modified
16:52:55 | API Interceptor | 1x Sleep call for process: qHqJcuLw.exe modified
22:52:54 | Task Scheduler | Run new task: qHqJcuLw path: C:\Users\user\AppData\Roaming\qHqJcuLw.exe
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        172.67.74.152golang-modules.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        SecuriteInfo.com.Trojan.Win64.Agent.14415.19839.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        242764.exeGet hashmaliciousFicker Stealer, Rusty StealerBrowse
                        • api.ipify.org/?format=wef
                        K8mzlntJVN.msiGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        stub.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        stub.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/
                        Sonic-Glyder.exeGet hashmaliciousStealitBrowse
                        • api.ipify.org/?format=json
                        Sky-Beta.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/?format=json
                        Sky-Beta.exeGet hashmaliciousUnknownBrowse
                        • api.ipify.org/?format=json
                        Sky-Beta-Setup.exeGet hashmaliciousStealitBrowse
                        • api.ipify.org/?format=json
                        182.50.135.77LisectAVT_2403002A_59.exeGet hashmaliciousAgentTeslaBrowse
                          rPURCHASEORDERPO-399.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                            0044FIDB240149.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                              Financial Invoice Report - STI ME-3051-2024.exeGet hashmaliciousAgentTeslaBrowse
                                EA1205-24-25607#U00a0QUOATATION.exeGet hashmaliciousAgentTeslaBrowse
                                  0044FIDB240149 swift.exeGet hashmaliciousAgentTeslaBrowse
                                    uF8wwjO0iU.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      GCSG151347.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                        RCP000004689 Scan Copy.exeGet hashmaliciousAgentTeslaBrowse
                                          RCP000004689 SWIFT COPY.exeGet hashmaliciousAgentTeslaBrowse
                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                            sg2plcpnl0128.prod.sin2.secureserver.netLisectAVT_2403002A_59.exeGet hashmaliciousAgentTeslaBrowse
                                            • 182.50.135.77
                                            rPURCHASEORDERPO-399.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                            • 182.50.135.77
                                            0044FIDB240149.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                            • 182.50.135.77
Financial Invoice Report - STI ME-3051-2024.exe | malicious | AgentTesla | 182.50.135.77
EA1205-24-25607#U00a0QUOATATION.exe | malicious | AgentTesla | 182.50.135.77
0044FIDB240149 swift.exe | malicious | AgentTesla | 182.50.135.77
uF8wwjO0iU.exe | malicious | AgentTesla, PureLog Stealer | 182.50.135.77
GCSG151347.exe | malicious | AgentTesla, PureLog Stealer | 182.50.135.77
RCP000004689 Scan Copy.exe | malicious | AgentTesla | 182.50.135.77
RCP000004689 SWIFT COPY.exe | malicious | AgentTesla | 182.50.135.77
Match: api.ipify.org
LisectAVT_2403002A_460.exe | malicious | AgentTesla | 104.26.13.205
LisectAVT_2403002A_481.exe | malicious | Luna Grabber, Luna Logger | 104.26.12.205
LisectAVT_2403002A_63.exe | malicious | AgentTesla | 172.67.74.152
LisectAVT_2403002A_59.exe | malicious | AgentTesla | 104.26.13.205
LisectAVT_2403002A_74.exe | malicious | AgentTesla | 104.26.13.205
SWIFT COPY.exe | malicious | AgentTesla | 172.67.74.152
Re_ Q22689 - 07.24.2024_Conduit Construction Network Ltd_Today.eml | malicious | Unknown | 172.67.74.152
LisectAVT_2403002B_385.exe | malicious | AgentTesla, Bdaejec | 104.26.12.205
LisectAVT_2403002B_390.exe | malicious | AgentTesla, Bdaejec | 104.26.13.205
DEBIT NOTE.exe | malicious | AgentTesla | 104.26.13.205
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)
Match: AS-26496-GO-DADDY-COM-LLCUS
LisectAVT_2403002A_59.exe | malicious | AgentTesla | 182.50.135.77
DEBIT NOTE.exe | malicious | AgentTesla | 148.66.136.151
httP://151.28.168.184.host.secureserver.net/documento=24/07/2024/U04cVk3Ovkp..VkcI/6VnUVdvU8k1Oz8c2H4/maud.gaume@gmail.com-282072__;!!P3IToRM6tg!mhHYI3NP1FN47238PV4Ejpyi3ZOkGxwJydSJnD9HyjmCKYq9ZCB_iRj7Oz_yw96WdDsvl9wksR7V4C9z2rZDtUTV_FwEQ6ffgUAMko4$ | malicious | Unknown | 184.168.28.151
LisectAVT_2403002B_412.exe | malicious | FormBook | 166.62.6.144
LisectAVT_2403002C_15.exe | malicious | AgentTesla | 148.66.145.151
https://msms.live/index.php | malicious | Unknown | 118.139.181.13
http://www.acproyectosdeingenieria.com | malicious | Unknown | 192.169.151.159
http://www.acproyectosdeingenieria.com | malicious | Unknown | 192.169.151.159
http://hwylovermk.shop/product_details/5509027.html | malicious | Unknown | 68.178.154.150
Invoice Copy.exe | malicious | AgentTesla | 148.66.136.151
Match: CLOUDFLARENETUS
https://taf7.rphortan.com/xV5YqZuT/#Xjeffrey.laws@99restaurants.com | malicious | HTMLPhisher, Tycoon2FA | 104.17.25.14
LisectAVT_2403002A_210.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer | 104.16.123.96
Jeffrey.laws Replay VM (01m27sec).docx | malicious | HTMLPhisher | 172.64.151.101
LisectAVT_2403002A_220.exe | malicious | Unknown | 104.21.6.108
https://forms.office.com/Pages/ResponsePage.aspx?id=4Kydhlha3USXUsGxfRX-jBHWmjJmsZxDrR9zl3guaTNURU9US0pPQldQMFdROEtOVUJYRlJER1pIMi4u | malicious | Unknown | 104.17.25.14
phish_alert_sp2_2.0.0.0-1.eml | malicious | HTMLPhisher | 1.1.1.1
LisectAVT_2403002A_236.exe | malicious | LummaC | 104.21.48.252
LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 104.21.11.245
https://forms.office.com/r/qq9c20HBqa | malicious | Tycoon2FA | 104.17.25.14
LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 104.21.11.245
Associated Sample Name / URL | Detection | Threat Name | Context (rows grouped by Match)
Match: 3b5074b1b5d032e5620f69f9f700ff0e
LisectAVT_2403002A_220.exe | malicious | Unknown | 172.67.74.152
LisectAVT_2403002A_308.exe | malicious | Unknown | 172.67.74.152
LisectAVT_2403002A_308.exe | malicious | Unknown | 172.67.74.152
LisectAVT_2403002A_333.exe | malicious | Unknown | 172.67.74.152
LisectAVT_2403002A_333.exe | malicious | Unknown | 172.67.74.152
LisectAVT_2403002A_368.exe | malicious | Blank Grabber, DCRat, Umbral Stealer | 172.67.74.152
https://url.us.m.mimecastprotect.com/s/E8trC5yxE7iZK9MZ8-vl | malicious | Unknown | 172.67.74.152
LisectAVT_2403002A_473.exe | malicious | Njrat, XWorm | 172.67.74.152
LisectAVT_2403002A_449.exe | malicious | DCRat, PureLog Stealer, zgRAT | 172.67.74.152
LisectAVT_2403002A_460.exe | malicious | AgentTesla | 172.67.74.152
                                            No context
                                            Process:C:\Users\user\Desktop\LisectAVT_2403002A_2.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:true
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Users\user\AppData\Roaming\qHqJcuLw.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2232
                                            Entropy (8bit):5.379938008936079
                                            Encrypted:false
                                            SSDEEP:48:wWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:wLHyIFKL3IZ2KRH9Oug8s
                                            MD5:642B2BB8F5469D7ACA5D78625A941C0F
                                            SHA1:49568AFB92968078732FB3887F5923D7663CC073
                                            SHA-256:7411341730810200323C82351BA6FCD1CC9F497A8405B1EF61FD4CE1BD10B706
                                            SHA-512:E050BBE5B9FD8AEE05F5BCF9A1BE0F2C7FE851D9CC32546E90D50B1C9892882081F3AF0CCDF1563BED0B3C6E02962E7AE03E9C2F84C5692466CD1CE0EDAD389E
                                            Malicious:false
                                            Preview:@...e.................................X..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\LisectAVT_2403002A_2.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1595
                                            Entropy (8bit):5.10178787731846
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLAJaxv:cge7QYrFdOFzOzN33ODOiDdKrsuTDv
                                            MD5:B0F67FF3F1180FA59D79CBE2968CFE0B
                                            SHA1:4C3C190336B405F00C282A005E932B75C5DA28A0
                                            SHA-256:C8FC249B3BDB10EDA7939EEA3DE3746F14C2049D6AA8E1E9D38DC5BECD93DD69
                                            SHA-512:27EA0DFF68316B10F74E8763833D81A962C67591722EB97A31EB15C50BB619CDDB07508C9207C6BB99A90B38BE9CCF012346840D4BEA0AF1D3F5D696CE15269D
                                            Malicious:true
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                            Process:C:\Users\user\AppData\Roaming\qHqJcuLw.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1595
                                            Entropy (8bit):5.10178787731846
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLAJaxv:cge7QYrFdOFzOzN33ODOiDdKrsuTDv
                                            MD5:B0F67FF3F1180FA59D79CBE2968CFE0B
                                            SHA1:4C3C190336B405F00C282A005E932B75C5DA28A0
                                            SHA-256:C8FC249B3BDB10EDA7939EEA3DE3746F14C2049D6AA8E1E9D38DC5BECD93DD69
                                            SHA-512:27EA0DFF68316B10F74E8763833D81A962C67591722EB97A31EB15C50BB619CDDB07508C9207C6BB99A90B38BE9CCF012346840D4BEA0AF1D3F5D696CE15269D
                                            Malicious:false
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                            Process:C:\Users\user\Desktop\LisectAVT_2403002A_2.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):706056
                                            Entropy (8bit):7.886955353243016
                                            Encrypted:false
                                            SSDEEP:12288:HUzWSsykmrzmac+vB5yG5CWcV4NKeHe1+YuDqZFr1KY9bh4CMwjN:HSmykszmw75CZ+0eHek1q1KY93N
                                            MD5:E099AD7E57B0011262CC822808972E10
                                            SHA1:F2D3A518EBE54091351CED1D068DB43F4DC09056
                                            SHA-256:449B2930259030577C8AC1061E4FD12E815B06597F8A55BECF318EFD44EAC323
                                            SHA-512:AF7EEA1638CB1104F2D78E687F31B1C99E516D52E0CCD5324FBF9262E8A53A58AD8387A77871F3E7B83E5BDD8F51D9F146F7F58D46EB0025C2DDF05C2D98292D
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@.....................................O.......................................p............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........pu......`....%..............................................^..}.....(.......(.....*.0..;.........{....o....(......{....o....(......{......X...(....o.....*..0..;.........{....o....(......{....o....(......{......Y...(....o.....*..0..;.........{....o....(......{....o....(......{......Z...(....o.....*..0..c.........{....o....(.........,=..{....o....(......{....o....(......{......[...(....o......+..r...p(....&.*..0..+.........,..{.......+....,...{....o........(.....*.
                                            Process:C:\Users\user\Desktop\LisectAVT_2403002A_2.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.886955353243016
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Windows Screen Saver (13104/52) 0.07%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:LisectAVT_2403002A_2.exe
                                            File size:706'056 bytes
                                            MD5:e099ad7e57b0011262cc822808972e10
                                            SHA1:f2d3a518ebe54091351ced1d068db43f4dc09056
                                            SHA256:449b2930259030577c8ac1061e4fd12e815b06597f8a55becf318efd44eac323
                                            SHA512:af7eea1638cb1104f2d78e687f31b1c99e516d52e0ccd5324fbf9262e8a53a58ad8387a77871f3e7b83e5bdd8f51d9f146f7f58d46eb0025c2ddf05c2d98292d
                                            SSDEEP:12288:HUzWSsykmrzmac+vB5yG5CWcV4NKeHe1+YuDqZFr1KY9bh4CMwjN:HSmykszmw75CZ+0eHek1q1KY93N
                                            TLSH:9DE402013EB85B93E6BA8BF81475649057B57A6F2831D31C9CD2A1DD2736F848BC1E23
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x4adae2
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0xC6950FA3 [Mon Jul 29 20:27:15 2075 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            xor al, 35h
                                            xor eax, 43465138h
                                            push eax
                                            xor eax, 38453452h
                                            xor dl, byte ptr [ecx+eax*2+5Ah]
                                            push esi
                                            dec eax
                                            dec eax
                                            inc ebx
                                            inc esp
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xada8f | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x5c4 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xab584 | 0x70 | .text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0xabb00 | 0xabc00 | 0201554c0d028cec96519de696532f2f | False | 0.9099359193049491 | data | 7.894347092736149 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xae000 | 0x5c4 | 0x600 | e408df321003f82c36705f83fc0a4875 | False | 0.4251302083333333 | data | 4.11762863617361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0xb0000 | 0xc | 0x200 | 65ade1692081cf4186da0e64d4fd049f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_VERSION | 0xae090 | 0x334 | data | | | 0.424390243902439
                                            RT_MANIFEST | 0xae3d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                            2024-07-25T22:53:05.892965+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49721 | 40.127.169.103 | 192.168.2.6
                                            2024-07-25T22:53:43.946681+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49727 | 40.127.169.103 | 192.168.2.6
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jul 25, 2024 22:52:53.832690001 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:53.832731009 CEST | 443 | 49714 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:53.832799911 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:53.841579914 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:53.841614962 CEST | 443 | 49714 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:54.427356005 CEST | 443 | 49714 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:54.427421093 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:54.429425955 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:54.429438114 CEST | 443 | 49714 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:54.429749966 CEST | 443 | 49714 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:54.478553057 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:54.580528021 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:54.624500036 CEST | 443 | 49714 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:55.020905018 CEST | 443 | 49714 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:55.020970106 CEST | 443 | 49714 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:55.022180080 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:55.028067112 CEST | 49714 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:55.723870039 CEST | 49715 | 587 | 192.168.2.6 | 182.50.135.77
                                            Jul 25, 2024 22:52:55.728897095 CEST | 587 | 49715 | 182.50.135.77 | 192.168.2.6
                                            Jul 25, 2024 22:52:55.729006052 CEST | 49715 | 587 | 192.168.2.6 | 182.50.135.77
                                            Jul 25, 2024 22:52:57.866283894 CEST | 49718 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:57.866344929 CEST | 443 | 49718 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:57.866411924 CEST | 49718 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:57.870588064 CEST | 49718 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:57.870609045 CEST | 443 | 49718 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:57.920909882 CEST | 587 | 49715 | 182.50.135.77 | 192.168.2.6
                                            Jul 25, 2024 22:52:57.920990944 CEST | 49715 | 587 | 192.168.2.6 | 182.50.135.77
                                            Jul 25, 2024 22:52:58.465754032 CEST | 443 | 49718 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:58.465879917 CEST | 49718 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:58.467569113 CEST | 49718 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:58.467576981 CEST | 443 | 49718 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:58.467803001 CEST | 443 | 49718 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:58.525448084 CEST | 49718 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:58.572499037 CEST | 443 | 49718 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:58.643517017 CEST | 49715 | 587 | 192.168.2.6 | 182.50.135.77
                                            Jul 25, 2024 22:52:58.667929888 CEST | 443 | 49718 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:58.667999029 CEST | 443 | 49718 | 172.67.74.152 | 192.168.2.6
                                            Jul 25, 2024 22:52:58.668447018 CEST | 49718 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:58.672357082 CEST | 49718 | 443 | 192.168.2.6 | 172.67.74.152
                                            Jul 25, 2024 22:52:59.194823980 CEST | 49719 | 587 | 192.168.2.6 | 182.50.135.77
                                            Jul 25, 2024 22:52:59.199868917 CEST | 587 | 49719 | 182.50.135.77 | 192.168.2.6
                                            Jul 25, 2024 22:52:59.199958086 CEST | 49719 | 587 | 192.168.2.6 | 182.50.135.77
                                            Jul 25, 2024 22:53:01.361299038 CEST | 587 | 49719 | 182.50.135.77 | 192.168.2.6
                                            Jul 25, 2024 22:53:01.362600088 CEST | 49719 | 587 | 192.168.2.6 | 182.50.135.77
                                            Jul 25, 2024 22:53:01.456820011 CEST | 49719 | 587 | 192.168.2.6 | 182.50.135.77
                                            Jul 25, 2024 22:53:01.461657047 CEST | 587 | 49719 | 182.50.135.77 | 192.168.2.6
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jul 25, 2024 22:52:53.720999002 CEST | 51286 | 53 | 192.168.2.6 | 1.1.1.1
                                            Jul 25, 2024 22:52:53.787518024 CEST | 53 | 51286 | 1.1.1.1 | 192.168.2.6
                                            Jul 25, 2024 22:52:55.709983110 CEST | 50816 | 53 | 192.168.2.6 | 1.1.1.1
                                            Jul 25, 2024 22:52:55.723084927 CEST | 53 | 50816 | 1.1.1.1 | 192.168.2.6
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Jul 25, 2024 22:52:53.720999002 CEST | 192.168.2.6 | 1.1.1.1 | 0xb456 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                            Jul 25, 2024 22:52:55.709983110 CEST | 192.168.2.6 | 1.1.1.1 | 0x2779 | Standard query (0) | sg2plcpnl0128.prod.sin2.secureserver.net | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Jul 25, 2024 22:52:53.787518024 CEST | 1.1.1.1 | 192.168.2.6 | 0xb456 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                            Jul 25, 2024 22:52:53.787518024 CEST | 1.1.1.1 | 192.168.2.6 | 0xb456 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                            Jul 25, 2024 22:52:53.787518024 CEST | 1.1.1.1 | 192.168.2.6 | 0xb456 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                            Jul 25, 2024 22:52:55.723084927 CEST | 1.1.1.1 | 192.168.2.6 | 0x2779 | No error (0) | sg2plcpnl0128.prod.sin2.secureserver.net | | 182.50.135.77 | A (IP address) | IN (0x0001) | false
                                            • api.ipify.org
                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            0 | 192.168.2.6 | 49714 | 172.67.74.152 | 443 | 7144 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-07-25 20:52:54 UTC | 155 | OUT | GET / HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                            Host: api.ipify.org
                                            Connection: Keep-Alive
                                            2024-07-25 20:52:55 UTC | 211 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 25 Jul 2024 20:52:54 GMT
                                            Content-Type: text/plain
                                            Content-Length: 11
                                            Connection: close
                                            Vary: Origin
                                            CF-Cache-Status: DYNAMIC
                                            Server: cloudflare
                                            CF-RAY: 8a8f095188a072aa-EWR
                                            2024-07-25 20:52:55 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                            Data Ascii: 8.46.123.33


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            1 | 192.168.2.6 | 49718 | 172.67.74.152 | 443 | 7056 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Timestamp | Bytes transferred | Direction | Data
                                            2024-07-25 20:52:58 UTC | 155 | OUT | GET / HTTP/1.1
                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                            Host: api.ipify.org
                                            Connection: Keep-Alive
                                            2024-07-25 20:52:58 UTC | 211 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 25 Jul 2024 20:52:58 GMT
                                            Content-Type: text/plain
                                            Content-Length: 11
                                            Connection: close
                                            Vary: Origin
                                            CF-Cache-Status: DYNAMIC
                                            Server: cloudflare
                                            CF-RAY: 8a8f096a4a4d6a5c-EWR
                                            2024-07-25 20:52:58 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                            Data Ascii: 8.46.123.33


                                            Target ID:1
                                            Start time:16:52:48
                                            Start date:25/07/2024
                                            Path:C:\Users\user\Desktop\LisectAVT_2403002A_2.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_2.exe"
                                            Imagebase:0xca0000
                                            File size:706'056 bytes
                                            MD5 hash:E099AD7E57B0011262CC822808972E10
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2177368651.0000000004CA2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2177368651.000000000437E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:16:52:50
                                            Start date:25/07/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\LisectAVT_2403002A_2.exe"
                                            Imagebase:0xc40000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:16:52:50
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:16:52:50
                                            Start date:25/07/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qHqJcuLw.exe"
                                            Imagebase:0xc40000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:16:52:51
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:16:52:51
                                            Start date:25/07/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpCF64.tmp"
                                            Imagebase:0x7a0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:16:52:51
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:16:52:52
                                            Start date:25/07/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0xb0000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:16:52:52
                                            Start date:25/07/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0x690000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2201120787.0000000002A6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2198188143.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2201120787.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2201120787.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:16:52:53
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff717f30000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:16:52:54
                                            Start date:25/07/2024
                                            Path:C:\Users\user\AppData\Roaming\qHqJcuLw.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\qHqJcuLw.exe
                                            Imagebase:0xd00000
                                            File size:706'056 bytes
                                            MD5 hash:E099AD7E57B0011262CC822808972E10
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2224328592.00000000045DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            Reputation:low
                                            Has exited:true

                                            Target ID:13
                                            Start time:16:52:56
                                            Start date:25/07/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHqJcuLw" /XML "C:\Users\user\AppData\Local\Temp\tmpE378.tmp"
                                            Imagebase:0x7a0000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:14
                                            Start time:16:52:56
                                            Start date:25/07/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:15
                                            Start time:16:52:56
                                            Start date:25/07/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                            Imagebase:0x770000
                                            File size:45'984 bytes
                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3362498072.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3362498072.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3362498072.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Has exited:false


                                              Execution Graph

                                              Execution Coverage:11.4%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:214
                                              Total number of Limit Nodes:9
                                              • Execution graph data (node and edge list of the interactive rendering; not reproduced here). API call nodes recorded in the graph: CreateActCtxA, GetModuleHandleW, LoadLibraryExW, PostMessageW, DuplicateHandle, CreateProcessA, WriteProcessMemory, ReadProcessMemory, VirtualAllocEx, Wow64SetThreadContext, ResumeThread, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId.
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 93af1962fe4596dd7d8681ec21ade157615ab2584dc2775ee507f051ff2060d1
                                              • Instruction ID: 23808725e76e131c0e72d05cff6ee2984dc7e52ec9edc930510a0e361fbc6e31
                                              • Opcode Fuzzy Hash: 93af1962fe4596dd7d8681ec21ade157615ab2584dc2775ee507f051ff2060d1
                                              • Instruction Fuzzy Hash: 99D012B4C59548DFD710EF50C4845F8B7B8BB5B313F156855440A97311E63059448E84

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 015CD0FE
                                              • GetCurrentThread.KERNEL32 ref: 015CD13B
                                              • GetCurrentProcess.KERNEL32 ref: 015CD178
                                              • GetCurrentThreadId.KERNEL32 ref: 015CD1D1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 575057999b06e646613c4e7692e22757f979b358403b317f8b9257aebbede76c
                                              • Instruction ID: 71947a10846bc8412f8a7cc2e02508a218dfc8ce41523dfc2b5439fd89d1b7ae
                                              • Opcode Fuzzy Hash: 575057999b06e646613c4e7692e22757f979b358403b317f8b9257aebbede76c
                                              • Instruction Fuzzy Hash: 295145B0900249DFEB54CFAAD548B9EBBF1FB88314F208419E519AB360DB385944CF65

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 015CD0FE
                                              • GetCurrentThread.KERNEL32 ref: 015CD13B
                                              • GetCurrentProcess.KERNEL32 ref: 015CD178
                                              • GetCurrentThreadId.KERNEL32 ref: 015CD1D1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 27e525d058aa39dff3dd42be97a02bc230dbc85e6fe73106e8b9964a6b9c406d
                                              • Instruction ID: 10623bf0d17af90cff0e6f08d532c72bd7cecde17a85c98320b59cadd3c25bf4
                                              • Opcode Fuzzy Hash: 27e525d058aa39dff3dd42be97a02bc230dbc85e6fe73106e8b9964a6b9c406d
                                              • Instruction Fuzzy Hash: 835134B0900649DFEB54CFAAD548BAEBBF1BB88314F208419E509AB360DB345944CF65

                                              Control-flow Graph

                                              • Control-flow graph data (interactive rendering; executed/not-executed block colouring not reproduced): basic blocks 7514a5c through 7514dad; CreateProcessA is called from block 7514bf7-7514cb1.
                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07514C9E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 22776d2e79960f3950f7912593d436c40c60e4299b49729a686e18eb14f08bde
                                              • Instruction ID: 6e46163ba842339fbb6e4f1d74c45f676da32567bb6cd47d09a2b5fce881941f
                                              • Opcode Fuzzy Hash: 22776d2e79960f3950f7912593d436c40c60e4299b49729a686e18eb14f08bde
                                              • Instruction Fuzzy Hash: 4FA17FB1D0025ACFEF24DFA8C8417EDBBB2BF44315F04816AE848A7240DB749985CF91

                                              Control-flow Graph

                                              • Control-flow graph data (interactive rendering; executed/not-executed block colouring not reproduced): basic blocks 7514a68 through 7514dad; CreateProcessA is called from block 7514bf7-7514cb1.
                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07514C9E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: abb21927b9da71fdfa984db0edd8a6e5678b5a4bdb91516a1ccc098b46d5581d
                                              • Instruction ID: c82f6afd56bcc2703839110ccf00bd20247538bbe74ac533694b6489a4b6aefe
                                              • Opcode Fuzzy Hash: abb21927b9da71fdfa984db0edd8a6e5678b5a4bdb91516a1ccc098b46d5581d
                                              • Instruction Fuzzy Hash: 2E915EB1D0025ADFEF24DFA8C8417DDBBB2BF44315F14856AD848A7280DB749985CF91

                                              Control-flow Graph

                                              • Control-flow graph data (interactive rendering; executed/not-executed block colouring not reproduced): basic blocks 15cade8 through 15cb068, with internal calls to 15ca10c, 15cb080, 15cb071, 15ca118, 15ca128, 15ca138 and 15ca148; GetModuleHandleW is called from block 15cb020-15cb04b.
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 015CB03E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 112d507efeaf9610408343edd9188e6ff501665ddad907c375a07e47d999f13f
                                              • Instruction ID: 5db535abf8f617b546a78fb111b7a75a80c55fed043027845d2ca304c68aa992
                                              • Opcode Fuzzy Hash: 112d507efeaf9610408343edd9188e6ff501665ddad907c375a07e47d999f13f
                                              • Instruction Fuzzy Hash: B2715970A00B0A8FD724DFA9D45575ABBF1FF88600F00892DD596DBA40E734E849CF95

                                              Control-flow Graph

                                              • Control-flow graph data (interactive rendering; executed/not-executed block colouring not reproduced): basic blocks 15c44b4 through 15c5a61; CreateActCtxA is called from block 15c44b4-15c59d9.
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 015C59C9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 9505c20caa6ba11081a8a241ebe185c655855b876ba98b21f2f1e6461c4853c1
                                              • Instruction ID: 04268e5d564caa062a188ad8bdb2d14cc3ea0d778c53861ec5b027f251df2ad9
                                              • Opcode Fuzzy Hash: 9505c20caa6ba11081a8a241ebe185c655855b876ba98b21f2f1e6461c4853c1
                                              • Instruction Fuzzy Hash: 7F41DE70D00719CFEB24CFAAC884BCEBBB5BF49704F20816AD508AB255DBB16945CF91

                                              Control-flow Graph

                                              • Control-flow graph data (interactive rendering; executed/not-executed block colouring not reproduced): basic blocks 15c590c through 15c5a61; CreateActCtxA is called from block 15c590c-15c59d9.
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 015C59C9
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 6a1cecde4ce98939417cdbc6c5ea8db2f23d65f4f4ef1bc0cdaac83a2f44e59e
                                              • Instruction ID: 6ee8faeeed522db8cd4d2189aef7a5072de2b80c652e23c3631092d663b82b80
                                              • Opcode Fuzzy Hash: 6a1cecde4ce98939417cdbc6c5ea8db2f23d65f4f4ef1bc0cdaac83a2f44e59e
                                              • Instruction Fuzzy Hash: B741D0B0D00719CFEB24CFAAC884BCEBBB5BF49704F20816AD508AB255DB756946CF51

                                              Control-flow Graph

                                              control_flow_graph 253 75147d8-751482e 256 7514830-751483c 253->256 257 751483e-751487d WriteProcessMemory 253->257 256->257 259 7514886-75148b6 257->259 260 751487f-7514885 257->260 260->259
                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07514870
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 05f7e2d903fd1b0d691219248c8e153603b2fdb7e4763be431c58f8a318bd03b
                                              • Instruction ID: dd94a51b95945c9eba667981e3d45fd4f31fa46a7cdaa3da68420b5ab5761316
                                              • Opcode Fuzzy Hash: 05f7e2d903fd1b0d691219248c8e153603b2fdb7e4763be431c58f8a318bd03b
                                              • Instruction Fuzzy Hash: 8A2148B19003499FEB10CFA9C881BDEBBF5FF48310F10842AE958A7640C7789541CBA4

                                              Control-flow Graph

                                              control_flow_graph 264 75147e0-751482e 266 7514830-751483c 264->266 267 751483e-751487d WriteProcessMemory 264->267 266->267 269 7514886-75148b6 267->269 270 751487f-7514885 267->270 270->269
                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07514870
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 7acf994c7c892faa631a0fc7ca276c34ad8989d69103fe629da7d5881e79bbb8
                                              • Instruction ID: 6a4477162800f7dcd1a02f5756d38db28447c9aacff6986d3b456317648bc874
                                              • Opcode Fuzzy Hash: 7acf994c7c892faa631a0fc7ca276c34ad8989d69103fe629da7d5881e79bbb8
                                              • Instruction Fuzzy Hash: 0E21F6B19003599FEB10DFA9C885BDEBBF5FF48310F10842AE959A7240C7789954CBA5

                                              Control-flow Graph

                                              control_flow_graph 274 751420a-751425b 277 751426b-751429b Wow64SetThreadContext 274->277 278 751425d-7514269 274->278 280 75142a4-75142d4 277->280 281 751429d-75142a3 277->281 278->277 281->280
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0751428E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 4ffc3473404ad9906613d575d752fe2e7043c99083e402ab3ea1f778cd2bf997
                                              • Instruction ID: 0c0b7dfbd305fc4bdfd091815b87fa2fbf0b731793b1893114647d7c9bcee7e7
                                              • Opcode Fuzzy Hash: 4ffc3473404ad9906613d575d752fe2e7043c99083e402ab3ea1f778cd2bf997
                                              • Instruction Fuzzy Hash: 622168B19003499FEB10CFAAC4857EEBBF4FF88320F14842AD559A7240CB789945CFA5

                                              Control-flow Graph

                                              control_flow_graph 285 75148c9-751495d ReadProcessMemory 288 7514966-7514996 285->288 289 751495f-7514965 285->289 289->288
                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07514950
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 64fc816426faca69b6bcbd0df0f02408fd10b2f6e11a8ff5dc676f965a4ef6eb
                                              • Instruction ID: 4ba3ec1f1398169d83143fa1e0c45fa970dd9fa3c8d30659c8ae25e108d1893d
                                              • Opcode Fuzzy Hash: 64fc816426faca69b6bcbd0df0f02408fd10b2f6e11a8ff5dc676f965a4ef6eb
                                              • Instruction Fuzzy Hash: C52116B18003499FDB10DFAAC881BEEBBF5FF48310F10842AE958A7250C7789941CBA5

                                              Control-flow Graph

                                              control_flow_graph 298 7514210-751425b 300 751426b-751429b Wow64SetThreadContext 298->300 301 751425d-7514269 298->301 303 75142a4-75142d4 300->303 304 751429d-75142a3 300->304 301->300 304->303
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0751428E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: a13608435269ca412dc9114e48e701908f7c79ede6f8e57cd3bbc3ad55a23d09
                                              • Instruction ID: 76ff6d5b9b16df634d41a1879036032129d9e85345052fc2e1a37f3438d22212
                                              • Opcode Fuzzy Hash: a13608435269ca412dc9114e48e701908f7c79ede6f8e57cd3bbc3ad55a23d09
                                              • Instruction Fuzzy Hash: AC2147B19003499FEB10CFAAC4857EEBBF4FF88310F14842AD559A7240CB789944CFA5

                                              Control-flow Graph

                                              control_flow_graph 308 75148d0-751495d ReadProcessMemory 311 7514966-7514996 308->311 312 751495f-7514965 308->312 312->311
                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07514950
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 4a47927527d8aade9ca6033075e54346d4c8f4e546a495f95d9a269d1687fd40
                                              • Instruction ID: 6d2f155162172a57237279e3940b9f131b64a3be7d67c6e0f22ce26ffe141578
                                              • Opcode Fuzzy Hash: 4a47927527d8aade9ca6033075e54346d4c8f4e546a495f95d9a269d1687fd40
                                              • Instruction Fuzzy Hash: 992125B18003499FDB10CFAAC881BEEBBF5FF88310F10842AE558A7240C7389900CBA5

                                              Control-flow Graph

                                              control_flow_graph 293 15cd6c8-15cd764 DuplicateHandle 294 15cd76d-15cd78a 293->294 295 15cd766-15cd76c 293->295 295->294
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015CD757
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 1d0c3e2d0f09d1b90834513e93710fa31aa139e0d5bc8643e229e4ad436b519c
                                              • Instruction ID: b307c763e5ff30c68f0fb16e42adb6ae4a51b1ba964c075be9485492c17e9d99
                                              • Opcode Fuzzy Hash: 1d0c3e2d0f09d1b90834513e93710fa31aa139e0d5bc8643e229e4ad436b519c
                                              • Instruction Fuzzy Hash: 2721D2B5900249DFDB10CFA9D985ADEBBF4AB48214F14841AE958B7310D378A944CFA5

                                              Control-flow Graph

                                              control_flow_graph 316 15cd6d0-15cd764 DuplicateHandle 317 15cd76d-15cd78a 316->317 318 15cd766-15cd76c 316->318 318->317
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015CD757
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 4d3cbf4599535522aad752581ac2f5765b0e67ccc5ce359e4e6159eac195efb8
                                              • Instruction ID: 07e45e33fc57f93db7d4f993a518a75634ddc9364d3db18bb878bec625d85446
                                              • Opcode Fuzzy Hash: 4d3cbf4599535522aad752581ac2f5765b0e67ccc5ce359e4e6159eac195efb8
                                              • Instruction Fuzzy Hash: 4421E4B5900248DFDB10CFAAD984ADEBBF8FB48710F14841AE918B7310D378A944CFA5
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 015CB03E
                                                • Part of subcall function 015CA170: LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015CB0B9,00000800,00000000,00000000), ref: 015CB2CA
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: HandleLibraryLoadModule
                                              • String ID:
                                              • API String ID: 4133054770-0
                                              • Opcode ID: b2570a6b693b3975bc06a7d73c7c1ef3f98736c0e3a1934f186c83eafd356268
                                              • Instruction ID: e054e59810762d15fe5e48ff9acdd3690d67ca8a8ce86e2a935adee77c354cb2
                                              • Opcode Fuzzy Hash: b2570a6b693b3975bc06a7d73c7c1ef3f98736c0e3a1934f186c83eafd356268
                                              • Instruction Fuzzy Hash: E01182756002059FE714DF9AD841BDBBBF9FBC4754F04846DD514EB250C778A805CBA1
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015CB0B9,00000800,00000000,00000000), ref: 015CB2CA
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 4bd36de350edcfff2c2c53f4609716158ab93104f3821b59fd8060f7a74b3352
                                              • Instruction ID: 5948ef83ae316e452cf009fdfbb825eb15324510715017298c9f917b97f3f579
                                              • Opcode Fuzzy Hash: 4bd36de350edcfff2c2c53f4609716158ab93104f3821b59fd8060f7a74b3352
                                              • Instruction Fuzzy Hash: BC1103B69002499FDB10CF9AC485B9EFBF9FB88750F10842ED519AB200C375A545CFA5
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,015CB0B9,00000800,00000000,00000000), ref: 015CB2CA
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 8bc36c59cc55ad3ae914d1fd4b7512ddf3f8cdc37c20993095464d1dabb44289
                                              • Instruction ID: 6e3a7e0799890c423d8de94724825059b576e23b4bb67c7c81f1c80d1dfe8f76
                                              • Opcode Fuzzy Hash: 8bc36c59cc55ad3ae914d1fd4b7512ddf3f8cdc37c20993095464d1dabb44289
                                              • Instruction Fuzzy Hash: D71103B68002499FDB10CF9AC885BDEFBF9EB88710F10841ED519A7200C379A545CFA5
                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0751478E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: de0f8d061734ffa8a85dbef02576ba1911dd6b229a61589dd2d192478bcc7153
                                              • Instruction ID: ac1343604f6ef37054199245a6d2b9cf6613bd417e1226f6e6b7be007a6ae8fb
                                              • Opcode Fuzzy Hash: de0f8d061734ffa8a85dbef02576ba1911dd6b229a61589dd2d192478bcc7153
                                              • Instruction Fuzzy Hash: 6A115671900289DFEB10CFAAD845BEEBBF5EF89320F14881AE555A7250C7359501CFA0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 7c3d714fb2998420dbfe6b46bc602aeaa42903e78c95cf8ce2fb0b8683f82233
                                              • Instruction ID: c30311e3988ea1236acf698c4e9868a6afebc6b59adb2b227723d9750a52faf1
                                              • Opcode Fuzzy Hash: 7c3d714fb2998420dbfe6b46bc602aeaa42903e78c95cf8ce2fb0b8683f82233
                                              • Instruction Fuzzy Hash: C4115BB19003499FEB10DFAAC8457DEFBF4EF88710F24841AD519A7640CB359540CBA5
                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0751478E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: ef876589c39f3f4e9c5fd700eb8276485131d1fb40c389e522fd1e389b481b73
                                              • Instruction ID: 0046435ea48daf3656259a4879bc0088b12457f1d7342002202d3f3a726719b0
                                              • Opcode Fuzzy Hash: ef876589c39f3f4e9c5fd700eb8276485131d1fb40c389e522fd1e389b481b73
                                              • Instruction Fuzzy Hash: F9115671800349DFEB10CFAAC845BDEBBF5AF88320F148819E515A7250C7359500CBA4
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: b929172a508145d9d233f74fd62b745468d0d64137f0542f7c5154fb3f4b35a3
                                              • Instruction ID: fb39f173358c45ab366dfb3120e9c2a9145a13b6ad014e7435b03a4a6784080c
                                              • Opcode Fuzzy Hash: b929172a508145d9d233f74fd62b745468d0d64137f0542f7c5154fb3f4b35a3
                                              • Instruction Fuzzy Hash: D3113AB19003498FEB10DFAAC8457DEFBF4AF89710F258819D519A7240CB79A544CBA5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07519305
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: fbebc7f68b1b530b6c9e8c28ce7720bf0663ab32c62dad1a4c1ac5a6734cf6cf
                                              • Instruction ID: 931955408a1734e90d309d77e82949de05fa0a7c381f80b566c52d6ccfcf2c5f
                                              • Opcode Fuzzy Hash: fbebc7f68b1b530b6c9e8c28ce7720bf0663ab32c62dad1a4c1ac5a6734cf6cf
                                              • Instruction Fuzzy Hash: 3711F2B5800349DFEB10CF9AC895BDEBBF8FB48314F10885AE559A7240C375A944CFA5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07519305
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 25c3df0fea52a1e477eb094a87a740cf5f7c475accfdf382683441db9f1f63ca
                                              • Instruction ID: 83e0afaf336bd51ccaf19b18b6139bec9a6ba718bd04f7a53ef888d585a8c644
                                              • Opcode Fuzzy Hash: 25c3df0fea52a1e477eb094a87a740cf5f7c475accfdf382683441db9f1f63ca
                                              • Instruction Fuzzy Hash: FC11F2B5800349DFEB10CF9AD885BDEBBF8FB48324F14845AE558A7640C375A544CFA5
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 015CB03E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: b9128d3a275d91d0cdd59ec5899073e708e4c624078930ad20f7de0687b7a0d2
                                              • Instruction ID: 204fb979f385bff73969059c80be29c1b5404a16cdcdf471dd6aed6b8a02f43a
                                              • Opcode Fuzzy Hash: b9128d3a275d91d0cdd59ec5899073e708e4c624078930ad20f7de0687b7a0d2
                                              • Instruction Fuzzy Hash: 7E110FB5C00749CFEB10CF9AD445BDEFBF8AB88610F10841AD528B7200D379A549CFA5
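Read together, the entries above for the 07510000 dump region reference VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread (the last one recorded only by its API ID, with no call line), plus a PostMessageW whose second argument 00000010 is WM_CLOSE. That call set is the classic RunPE / process-hollowing chain: allocate in a suspended child, write the payload, redirect the thread's context to the new entry point, resume. The script below is an added example, not Joe Sandbox code: it parses entries in the per-function layout printed on this page, groups API references by dump region, and flags a region that holds the full chain. The excerpt it runs on is constructed from the entries above, trimmed to the fields the parser reads; the API ID to API name table is taken from how those IDs appear on this page and covers only the four chain calls.

```python
"""Group per-function API references from a Joe Sandbox report by memory dump
region and flag regions holding the process-hollowing API chain.

Added example for this page (not Joe Sandbox code). Assumes the entry layout
as printed: an "APIs" line, zero or more "Name.MODULE(args), ref: ADDR" lines,
a "Source File: ... Offset: X" line and an "API ID: ..." line per function.
"""
import re
from collections import defaultdict

# Constructed from the report entries on this page, reduced to the lines the
# parser reads. The ResumeThread entry has no call line, exactly as on the page.
SAMPLE_REPORT = """\
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07514870
• Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• API ID: MemoryProcessWrite
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0751428E
• Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• API ID: ContextThreadWow64
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0751478E
• Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• API ID: AllocVirtual
APIs
• Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• API ID: ResumeThread
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07519305
• Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
• API ID: MessagePost
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015CD757
• Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
• API ID: DuplicateHandle
"""

API_CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")
SOURCE_RE = re.compile(r"Source File:.*?Offset:\s*([0-9A-Fa-f]+)")
API_ID_RE = re.compile(r"API ID:\s*(\S+)")

# Allocate in the child, write the payload, repoint the thread, resume it.
HOLLOWING_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "Wow64SetThreadContext", "ResumeThread")

# Joe Sandbox "API ID" strings for the chain calls, as printed on this page.
# Used as a second, weaker source when an entry has no call line.
API_ID_TO_NAME = {
    "AllocVirtual": "VirtualAllocEx",
    "MemoryProcessWrite": "WriteProcessMemory",
    "ContextThreadWow64": "Wow64SetThreadContext",
    "ResumeThread": "ResumeThread",
}
WM_CLOSE = 0x0010


def parse_entries(report_text):
    """Yield one dict per function entry: dump region, API calls, API ID."""
    entry = None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":                      # each function entry starts here
            if entry is not None:
                yield entry
            entry = {"region": None, "calls": [], "api_id": None}
            continue
        if entry is None:
            continue
        if m := API_CALL_RE.search(stripped):
            name, module, args, ref = m.groups()
            entry["calls"].append({"name": name, "module": module,
                                   "args": args.split(","), "ref": int(ref, 16)})
        elif m := SOURCE_RE.search(stripped):
            entry["region"] = int(m.group(1), 16)
        elif m := API_ID_RE.search(stripped):
            entry["api_id"] = m.group(1)
    if entry is not None:
        yield entry


def apis_by_region(report_text):
    """Map dump-region offset -> {API name: set of ref addresses}."""
    regions = defaultdict(lambda: defaultdict(set))
    for entry in parse_entries(report_text):
        for call in entry["calls"]:
            regions[entry["region"]][call["name"]].add(call["ref"])
        inferred = API_ID_TO_NAME.get(entry["api_id"])
        if inferred:                                # empty set: known only via API ID
            regions[entry["region"]].setdefault(inferred, set())
    return regions


def hollowing_coverage(report_text):
    """{region: chain APIs seen there}, for regions that touch the chain at all."""
    coverage = {}
    for region, apis in apis_by_region(report_text).items():
        seen = [name for name in HOLLOWING_CHAIN if name in apis]
        if seen:
            coverage[region] = seen
    return coverage


def complete_hollowing_regions(report_text):
    """Regions in which every call of the hollowing chain is present."""
    return sorted(r for r, seen in hollowing_coverage(report_text).items()
                  if len(seen) == len(HOLLOWING_CHAIN))


def wm_close_posts(report_text):
    """Refs of PostMessageW calls whose uMsg argument (2nd) is WM_CLOSE."""
    refs = set()
    for entry in parse_entries(report_text):
        for call in entry["calls"]:
            args = call["args"]
            if (call["name"] == "PostMessageW" and len(args) > 1
                    and args[1] != "?" and int(args[1], 16) == WM_CLOSE):
                refs.add(call["ref"])
    return sorted(refs)


if __name__ == "__main__":
    for region, apis in sorted(apis_by_region(SAMPLE_REPORT).items()):
        for name, refs in sorted(apis.items()):
            where = ", ".join(f"{r:08X}" for r in sorted(refs)) or "API ID only"
            print(f"region {region:08X}: {name} ({where})")
    for region in complete_hollowing_regions(SAMPLE_REPORT):
        print(f"region {region:08X}: full hollowing chain present")
    for ref in wm_close_posts(SAMPLE_REPORT):
        print(f"PostMessageW(WM_CLOSE) at {ref:08X}")
```

Grouping by dump region rather than by process matters here because the injector code lives in a JIT-compiled .NET region (07510000) with no PE header ("based on PE: false"), so file-based signatures never see it; the region-level API set is what a triage script can still key on. The ref addresses are static call sites, not an execution order, so the script reports presence of the chain, not its sequence.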
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175792880.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_152d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d9560f9eb32d232b0345df6abfb6109fcf864ba356fd56182b6be12fa5345c70
                                              • Instruction ID: a56e5d3baf6deec97dbb4afdc753470c29b64467bba65394a0eb2510dca9fbea
                                              • Opcode Fuzzy Hash: d9560f9eb32d232b0345df6abfb6109fcf864ba356fd56182b6be12fa5345c70
                                              • Instruction Fuzzy Hash: FF21F172504204EFDB05DF54D9C0B6ABBB5FB89324F20C569E9090F296C37AE456CAE2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175792880.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_152d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c7485e45ea74a8cfc0361fbc33f79bd10a04a2af4fe916c72b31e637cb1aca44
                                              • Instruction ID: 89f162d4763889794f03b43ace478a7157e8bba4ffaa7cc47c7d60057711dfa5
                                              • Opcode Fuzzy Hash: c7485e45ea74a8cfc0361fbc33f79bd10a04a2af4fe916c72b31e637cb1aca44
                                              • Instruction Fuzzy Hash: 22212572604240EFDB05DF58D9C0B2ABFB5FB89318F20C56DE9090F296C376D456CAA2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175883685.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_153d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d9b33fa0c3335a355615017c309a173e5af679ef9f1ebb3dad26e2d233df836
                                              • Instruction ID: 0d566d5147b2ac4c67b2b1d9c0715bc1feece681c3c087b3b6efc6a7ee21d3e4
                                              • Opcode Fuzzy Hash: 1d9b33fa0c3335a355615017c309a173e5af679ef9f1ebb3dad26e2d233df836
                                              • Instruction Fuzzy Hash: 2C210771504204EFDB05DFA4D5C0B25BBB5FBC4324F60C96DE9094F252C37AD446CA61
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175883685.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_153d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9563a8c7ba8fcd0862783ecf6762156e6a5c61bcab47d1021d6042d4f219c08e
                                              • Instruction ID: 6984e7019e0c1447d70adc1a07d0b88dd0d2634f9c7bb42a8f727388487afcca
                                              • Opcode Fuzzy Hash: 9563a8c7ba8fcd0862783ecf6762156e6a5c61bcab47d1021d6042d4f219c08e
                                              • Instruction Fuzzy Hash: C421F171604204EFDB15DF64D580B26FBB5FB84714F60C96DD9090F242D33AD446CA61
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175883685.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_153d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 025b128e1c1bd7656c0caa7c02c413428d0c4b32f22ab3c471af9f62b1fcb380
                                              • Instruction ID: b5a3af4765eec9e9ce2de0ade7b80de341656e4ed7cea4e5f1c379ea61033447
                                              • Opcode Fuzzy Hash: 025b128e1c1bd7656c0caa7c02c413428d0c4b32f22ab3c471af9f62b1fcb380
                                              • Instruction Fuzzy Hash: AA2180755093809FCB02CF64D990715FF71FB86214F28C5DAD8498F2A7C33A980ACB62
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175792880.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_152d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                              • Instruction ID: 09486868eba3aefc23b2c3df1c0de8e68683f8a4b5831477aa826725d4092611
                                              • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                              • Instruction Fuzzy Hash: CA11CD72504280DFDB02CF44D9C0B5ABF71FB84224F2482A9D8090E257C37AE45ACBA2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175792880.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_152d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                              • Instruction ID: d43f027a2c59247207fc34928a48c45ab0fd725d28c76bbf22456cbdcf9b17d9
                                              • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                              • Instruction Fuzzy Hash: EC11CD72504280DFCB02CF54D5C0B1ABF71FB84214F24C6A9D8090F256C33AD45ACBA2
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175883685.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_153d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                              • Instruction ID: 1c5f686fc57cc9a92e751c43a5e436b48440ac877a028ef006165da07ca8b913
                                              • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                              • Instruction Fuzzy Hash: 3011A975904280DFCB02CF54C5C0B19BBB1FB84224F24C6A9E8494F296C33AD40ACB62
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175792880.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_152d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d34d506d788bbde4c8378e0bba96819ced26b0fdbc198a8ea157fa0c4799ad9b
                                              • Instruction ID: 086d80bc416a0a6ccc364670c34d2d09f80ac37f37ec0558b449371085261577
                                              • Opcode Fuzzy Hash: d34d506d788bbde4c8378e0bba96819ced26b0fdbc198a8ea157fa0c4799ad9b
                                              • Instruction Fuzzy Hash: 8601D4320043909AF7104EA9C984B6ABFE8FF42220F08891AEE080E2C6C67D9440C6B1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2175792880.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_152d000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 186a5f3b84de12accb408ef6b0bf0310362af4d72b568f998536d88ec5f8ae3c
                                              • Instruction ID: 82f697422371af94c7c93067c7935f7dd1faec02972b3a871c15fda2a2342316
                                              • Opcode Fuzzy Hash: 186a5f3b84de12accb408ef6b0bf0310362af4d72b568f998536d88ec5f8ae3c
                                              • Instruction Fuzzy Hash: D7F0C272004394AEF7118E59C884B66FFA8EB82734F18C45AED480E287C27D9844CAB1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2cf6f452a78e0343a16c9dae8a7c8c03cc97c3524473fa262fc47f44b95f7d19
                                              • Instruction ID: 1091ec70b388b5d0606781fcb06ccc42d2ba1b7add4f5ab1f1f041870cb7fc5a
                                              • Opcode Fuzzy Hash: 2cf6f452a78e0343a16c9dae8a7c8c03cc97c3524473fa262fc47f44b95f7d19
                                              • Instruction Fuzzy Hash: CFC1CCB07022468FEB1ADB75C450BAEB7F6BFC9606F14846EC146CB290DB34E801CB91
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e601d6166e704074e62809344f008f80cf9e0c217aeb2ab9595a218d19b5cb29
                                              • Instruction ID: 2af33778228949b579ac70314b0470de7b730fb01c39cd352827bf36c934ff77
                                              • Opcode Fuzzy Hash: e601d6166e704074e62809344f008f80cf9e0c217aeb2ab9595a218d19b5cb29
                                              • Instruction Fuzzy Hash: 6EE1EBB4E002598FDB14CFA9C5809AEFBB2FF89305F24C169D914AB355D734A942CFA1
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d1660624d815493d041b0f8f2f89b22d32f927cf6f01a2cfa626af2e1ef703d
                                              • Instruction ID: c25cedcf61528130058a705a7cba40c3a213f928b9f8b970e0e3cf5604b0bdb1
                                              • Opcode Fuzzy Hash: 1d1660624d815493d041b0f8f2f89b22d32f927cf6f01a2cfa626af2e1ef703d
                                              • Instruction Fuzzy Hash: 65E1EAB4E002598FDB14DFA9C5809AEFBB2FF89305F248169D814AB355D735AD42CFA0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d02d4533b3b489a0e47b38c696966120c75f0bff1108020cde039eed0b8c069d
                                              • Instruction ID: e2f978cef4a0ad9d30d2ed291150d8991419016f64efca0bf218d6ac4388f1d7
                                              • Opcode Fuzzy Hash: d02d4533b3b489a0e47b38c696966120c75f0bff1108020cde039eed0b8c069d
                                              • Instruction Fuzzy Hash: C9E1DBB4E002198FDB14CFA9C5809AEFBB6FF89305F24816AD814AB355D735AD41CF61
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 579e6e839d4c9ae72de5025ea9a8b4abf6cb3d66616b3381c53c6a415d214bcc
                                              • Instruction ID: 6327484f12b5eea0ca5dacd1cd50d014e0cd77295923706e464070d40a543951
                                              • Opcode Fuzzy Hash: 579e6e839d4c9ae72de5025ea9a8b4abf6cb3d66616b3381c53c6a415d214bcc
                                              • Instruction Fuzzy Hash: 76E1D9B4E002598FDB14CFA9C5909AEFBB2FF89305F24816AD814AB355D735AD41CFA0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 71122e59f06182e9dc946c7bdfd725fe232f2da29a248d67b24c04a60753c842
                                              • Instruction ID: 5717b83017c479c960c5477affc6000054b62f46331ad2498f7b403366324172
                                              • Opcode Fuzzy Hash: 71122e59f06182e9dc946c7bdfd725fe232f2da29a248d67b24c04a60753c842
                                              • Instruction Fuzzy Hash: 47E1DAB4E046198FDB14CFA9C580AAEFBB2FF89305F24816AD514AB355D734AD41CFA0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2176247592.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_15c0000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b981eceb49e6cad5cee9d0506950271207e0223549d33a2be4dc55509f1c6816
                                              • Instruction ID: ef8cc1b5a09467caa958e839a14c852731ea3896939e8f14fb061501ef82314b
                                              • Opcode Fuzzy Hash: b981eceb49e6cad5cee9d0506950271207e0223549d33a2be4dc55509f1c6816
                                              • Instruction Fuzzy Hash: 03A15B36A002168FCF05DFB8C84459EBBB3FF85700B15856EE906AF265DB75E946CB40
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.2182727714.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_1_2_7510000_LisectAVT_2403002A_2.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: faa223509e28cd0b47bbdf6ff8076f918b4430adb2d2f3d9f491232a6c3a5a97
                                              • Instruction ID: 0fe839330b1208a7626d59dddeff33671fecbf354df79354a6c34d564380f11b
                                              • Opcode Fuzzy Hash: faa223509e28cd0b47bbdf6ff8076f918b4430adb2d2f3d9f491232a6c3a5a97
                                              • Instruction Fuzzy Hash: B65108B4E002598FDB14CFA9C9909EEFBB2FF89305F24C16AD418A7255D7349942CFA1

                                              Execution Graph

                                              Execution Coverage: 12.2%
                                              Dynamic/Decrypted Code Coverage: 100%
                                              Signature Coverage: 0%
                                              Total number of Nodes: 24
                                              Total number of Limit Nodes: 5
                                              [Execution graph: rendered figure, node/edge list not reproduced. Entry node ed0848; reachable nodes include ed1392, ed14a8, ed7fa0, 62cfac0 and 62cfad0; the only API call shown in the graph is GlobalMemoryStatusEx.]

                                              Control-flow Graph

                                              [Control-flow graph: rendered figure, basic-block edge list not reproduced. Function starting at 62c5640, basic blocks spanning 62c5640-62c5d7a; legend: Executed / Not Executed.]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $
                                              • API String ID: 0-3993045852
                                              • Opcode ID: ec6af847e1af3248b09a98f684527a5197f4ae5cd2df73dcc64f14d315d826e7
                                              • Instruction ID: 8a6066cafd75da630c014716ae4566eff368f9d412cbfb01db7cadb1eaac6c5a
                                              • Opcode Fuzzy Hash: ec6af847e1af3248b09a98f684527a5197f4ae5cd2df73dcc64f14d315d826e7
                                              • Instruction Fuzzy Hash: 5122C175F202568FDB60DBA4D4446AEB7B2FF84320F208669D845BB345DB31ED51CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3df30a5daa43425e2ca9d52b1399459ae33e64d1773114a6898aaaa5c00bc98
                                              • Instruction ID: 75d9fc2eb45275ff906b5b10f7f03bbc8f049380306c06615f8af90c7300b6f8
                                              • Opcode Fuzzy Hash: a3df30a5daa43425e2ca9d52b1399459ae33e64d1773114a6898aaaa5c00bc98
                                              • Instruction Fuzzy Hash: 27924730A11206CFDB64DF68C584A5DB7F2EB45324F54CAA9D809AB3A1DB75ED81CB80
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a1b2d34ad7dbe7e4c7cf952b4b2be5e336c8ba8c31f7398c1041ef4b75b82319
                                              • Instruction ID: 30bd21db71aba7189db4a7303ed1a4572f42dc2f8399f2ddd21ed7aeaafac86b
                                              • Opcode Fuzzy Hash: a1b2d34ad7dbe7e4c7cf952b4b2be5e336c8ba8c31f7398c1041ef4b75b82319
                                              • Instruction Fuzzy Hash: 3662BF30B202168FDB54DB68D554BADB7F2EF88320F148669D806EB395DB35ED42CB90

                                              Control-flow Graph

                                              [Control-flow graph: rendered figure, basic-block edge list not reproduced. Function starting at 62cc228, basic blocks spanning 62cc228-62cca8e, with calls to 62c6640; legend: Executed / Not Executed.]
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 53e59abb94087fce1ff2e6984b1d97b1b22549b271f622168ab8333ff26451e3
                                              • Instruction ID: 8bdeb8515049c3e6c64629e31af8e34b7310353fb138873367b99d99c3272788
                                              • Opcode Fuzzy Hash: 53e59abb94087fce1ff2e6984b1d97b1b22549b271f622168ab8333ff26451e3
                                              • Instruction Fuzzy Hash: CD326535B102068FDB54DB68D890BADB7B2FB89320F148629D909EB355DB35DC42CF91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 60606e58f5215a0661f9350fcbeb38715386e7bc152b9f9f128e88a13aa32c57
                                              • Instruction ID: d396a3b28be8fc6e992a39c338ba4ebaa8793bfa0325992a4a41f6cca2dd58fb
                                              • Opcode Fuzzy Hash: 60606e58f5215a0661f9350fcbeb38715386e7bc152b9f9f128e88a13aa32c57
                                              • Instruction Fuzzy Hash: 84228A30E2010A8FEF64DB68D4917ADB7B2FB49321F208629E849DB355DB35DC81DB91

                                              Control-flow Graph

                                              control_flow_graph 2880 62c30f8-62c3119 2881 62c311b-62c311e 2880->2881 2882 62c38bf-62c38c2 2881->2882 2883 62c3124-62c3143 2881->2883 2884 62c38e8-62c38ea 2882->2884 2885 62c38c4-62c38e3 2882->2885 2892 62c315c-62c3166 2883->2892 2893 62c3145-62c3148 2883->2893 2887 62c38ec 2884->2887 2888 62c38f1-62c38f4 2884->2888 2885->2884 2887->2888 2888->2881 2890 62c38fa-62c3903 2888->2890 2898 62c316c-62c317b 2892->2898 2893->2892 2895 62c314a-62c315a 2893->2895 2895->2898 3006 62c317d call 62c3918 2898->3006 3007 62c317d call 62c3910 2898->3007 2899 62c3182-62c3187 2900 62c3189-62c318f 2899->2900 2901 62c3194-62c3471 2899->2901 2900->2890 2922 62c3477-62c3526 2901->2922 2923 62c38b1-62c38be 2901->2923 2932 62c354f 2922->2932 2933 62c3528-62c354d 2922->2933 2934 62c3558-62c356b 2932->2934 2933->2934 2937 62c3898-62c38a4 2934->2937 2938 62c3571-62c3593 2934->2938 2937->2922 2939 62c38aa 2937->2939 2938->2937 2941 62c3599-62c35a3 2938->2941 2939->2923 2941->2937 2942 62c35a9-62c35b4 2941->2942 2942->2937 2943 62c35ba-62c3690 2942->2943 2955 62c369e-62c36ce 2943->2955 2956 62c3692-62c3694 2943->2956 2960 62c36dc-62c36e8 2955->2960 2961 62c36d0-62c36d2 2955->2961 2956->2955 2962 62c3748-62c374c 2960->2962 2963 62c36ea-62c36ee 2960->2963 2961->2960 2964 62c3889-62c3892 2962->2964 2965 62c3752-62c378e 2962->2965 2963->2962 2966 62c36f0-62c371a 2963->2966 2964->2937 2964->2943 2976 62c379c-62c37aa 2965->2976 2977 62c3790-62c3792 2965->2977 2973 62c371c-62c371e 2966->2973 2974 62c3728-62c3745 2966->2974 2973->2974 2974->2962 2980 62c37ac-62c37b7 2976->2980 2981 62c37c1-62c37cc 2976->2981 2977->2976 2980->2981 2984 62c37b9 2980->2984 2985 62c37ce-62c37d4 2981->2985 2986 62c37e4-62c37f5 2981->2986 2984->2981 2987 62c37d8-62c37da 2985->2987 2988 62c37d6 2985->2988 2990 62c380d-62c3819 2986->2990 2991 62c37f7-62c37fd 2986->2991 2987->2986 2988->2986 2995 62c381b-62c3821 2990->2995 2996 62c3831-62c3882 2990->2996 2992 62c37ff 2991->2992 
2993 62c3801-62c3803 2991->2993 2992->2990 2993->2990 2997 62c3825-62c3827 2995->2997 2998 62c3823 2995->2998 2996->2964 2997->2996 2998->2996 3006->2899 3007->2899
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e41d22582e70d2b865b97ac6be43a6df4a3afe3dde4ccb522a3ac4089285710f
                                              • Instruction ID: e5477c34ddf3830d11ff0e12557f63bc368dcbbe3b443ed081b2a2631e75f158
                                              • Opcode Fuzzy Hash: e41d22582e70d2b865b97ac6be43a6df4a3afe3dde4ccb522a3ac4089285710f
                                              • Instruction Fuzzy Hash: 0B321F31E1075ACFDB14EB74C85459DB7B2FF89310F60CB6AD40AAB254EB70A985CB80

                                              Control-flow Graph

                                              control_flow_graph 3008 62c7e20-62c7e3e 3009 62c7e40-62c7e43 3008->3009 3010 62c7e45-62c7e4f 3009->3010 3011 62c7e50-62c7e53 3009->3011 3012 62c7e55-62c7e71 3011->3012 3013 62c7e76-62c7e79 3011->3013 3012->3013 3014 62c7e9a-62c7e9d 3013->3014 3015 62c7e7b-62c7e95 3013->3015 3016 62c7e9f-62c7ead 3014->3016 3017 62c7eb4-62c7eb6 3014->3017 3015->3014 3023 62c7ec6-62c7edc 3016->3023 3026 62c7eaf 3016->3026 3019 62c7ebd-62c7ec0 3017->3019 3020 62c7eb8 3017->3020 3019->3009 3019->3023 3020->3019 3028 62c80f7-62c8101 3023->3028 3029 62c7ee2-62c7eeb 3023->3029 3026->3017 3030 62c7ef1-62c7f0e 3029->3030 3031 62c8102-62c8137 3029->3031 3038 62c80e4-62c80f1 3030->3038 3039 62c7f14-62c7f3c 3030->3039 3034 62c8139-62c813c 3031->3034 3036 62c8371-62c8374 3034->3036 3037 62c8142-62c8151 3034->3037 3040 62c8376-62c8392 3036->3040 3041 62c8397-62c839a 3036->3041 3048 62c8170-62c81b4 3037->3048 3049 62c8153-62c816e 3037->3049 3038->3028 3038->3029 3039->3038 3065 62c7f42-62c7f4b 3039->3065 3040->3041 3043 62c8445-62c8447 3041->3043 3044 62c83a0-62c83ac 3041->3044 3045 62c844e-62c8451 3043->3045 3046 62c8449 3043->3046 3051 62c83b7-62c83b9 3044->3051 3045->3034 3052 62c8457-62c8460 3045->3052 3046->3045 3059 62c81ba-62c81cb 3048->3059 3060 62c8345-62c835b 3048->3060 3049->3048 3054 62c83bb-62c83c1 3051->3054 3055 62c83d1-62c83d5 3051->3055 3061 62c83c5-62c83c7 3054->3061 3062 62c83c3 3054->3062 3063 62c83d7-62c83e1 3055->3063 3064 62c83e3 3055->3064 3073 62c8330-62c833f 3059->3073 3074 62c81d1-62c81ee 3059->3074 3060->3036 3061->3055 3062->3055 3066 62c83e8-62c83ea 3063->3066 3064->3066 3065->3031 3067 62c7f51-62c7f6d 3065->3067 3071 62c83ec-62c83ef 3066->3071 3072 62c83fb-62c8434 3066->3072 3078 62c80d2-62c80de 3067->3078 3079 62c7f73-62c7f9d 3067->3079 3071->3052 3072->3037 3091 62c843a-62c8444 3072->3091 3073->3059 3073->3060 3074->3073 3086 62c81f4-62c82ea call 62c6640 3074->3086 3078->3038 3078->3065 3092 62c80c8-62c80cd 3079->3092 
3093 62c7fa3-62c7fcb 3079->3093 3141 62c82ec-62c82f6 3086->3141 3142 62c82f8 3086->3142 3092->3078 3093->3092 3100 62c7fd1-62c7fff 3093->3100 3100->3092 3105 62c8005-62c800e 3100->3105 3105->3092 3107 62c8014-62c8046 3105->3107 3114 62c8048-62c804c 3107->3114 3115 62c8051-62c806d 3107->3115 3114->3092 3116 62c804e 3114->3116 3115->3078 3117 62c806f-62c80c6 call 62c6640 3115->3117 3116->3115 3117->3078 3143 62c82fd-62c82ff 3141->3143 3142->3143 3143->3073 3144 62c8301-62c8306 3143->3144 3145 62c8308-62c8312 3144->3145 3146 62c8314 3144->3146 3147 62c8319-62c831b 3145->3147 3146->3147 3147->3073 3148 62c831d-62c8329 3147->3148 3148->3073
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 43822e8b5b27989ed342e82ce0e874ea9b93f0dfee5e2bec07439ae737ddb9ee
                                              • Instruction ID: 763a3435d4b4b0518deb4939458ef4cda095b901b6daa575e20255419d59bbe6
                                              • Opcode Fuzzy Hash: 43822e8b5b27989ed342e82ce0e874ea9b93f0dfee5e2bec07439ae737ddb9ee
                                              • Instruction Fuzzy Hash: 3D029030B112168FDB54DB68E4946AEBBF2FF84310F14C669E905AB345DB75EC42CB90

                                              Control-flow Graph

                                              control_flow_graph 0 62cad70-62cad8e 1 62cad90-62cad93 0->1 2 62cadad-62cadb0 1->2 3 62cad95-62cad9e 1->3 6 62caf8d-62caf96 2->6 7 62cadb6-62cadb9 2->7 4 62cada4-62cada8 3->4 5 62cafa7-62cafde 3->5 4->2 17 62cafe0-62cafe3 5->17 6->3 8 62caf9c-62cafa6 6->8 9 62cadcd-62cadd0 7->9 10 62cadbb-62cadc8 7->10 11 62cadda-62caddd 9->11 12 62cadd2-62cadd7 9->12 10->9 15 62cadee-62cadf1 11->15 16 62caddf-62cade3 11->16 12->11 19 62cae01-62cae04 15->19 20 62cadf3-62cadfc 15->20 16->8 18 62cade9 16->18 21 62cafe5-62cb001 17->21 22 62cb006-62cb009 17->22 18->15 23 62cae06-62cae22 19->23 24 62cae27-62cae2a 19->24 20->19 21->22 25 62cb00f-62cb04a 22->25 26 62cb272-62cb275 22->26 23->24 30 62cae2c-62cae3f 24->30 31 62cae44-62cae46 24->31 39 62cb23d-62cb250 25->39 40 62cb050-62cb05c 25->40 27 62cb277-62cb281 26->27 28 62cb282-62cb285 26->28 35 62cb296-62cb299 28->35 36 62cb287-62cb28b 28->36 30->31 33 62cae4d-62cae50 31->33 34 62cae48 31->34 33->1 41 62cae56-62cae7a 33->41 34->33 44 62cb2a8-62cb2aa 35->44 45 62cb29b call 62cb2c8 35->45 36->25 42 62cb291 36->42 48 62cb252 39->48 55 62cb07c-62cb0c0 40->55 56 62cb05e-62cb077 40->56 58 62caf8a 41->58 59 62cae80-62cae8f 41->59 42->35 46 62cb2ac 44->46 47 62cb2b1-62cb2b4 44->47 53 62cb2a1-62cb2a3 45->53 46->47 47->17 50 62cb2ba-62cb2c4 47->50 54 62cb253 48->54 53->44 54->54 73 62cb0dc-62cb11b 55->73 74 62cb0c2-62cb0d4 55->74 56->48 58->6 63 62caea7-62caee2 call 62c6640 59->63 64 62cae91-62cae97 59->64 84 62caefa-62caf11 63->84 85 62caee4-62caeea 63->85 65 62cae99 64->65 66 62cae9b-62cae9d 64->66 65->63 66->63 79 62cb121-62cb1fc call 62c6640 73->79 80 62cb202-62cb217 73->80 74->73 79->80 80->39 94 62caf29-62caf3a 84->94 95 62caf13-62caf19 84->95 88 62caeec 85->88 89 62caeee-62caef0 85->89 88->84 89->84 100 62caf3c-62caf42 94->100 101 62caf52-62caf83 94->101 96 62caf1d-62caf1f 95->96 97 62caf1b 95->97 96->94 97->94 103 62caf44 100->103 104 62caf46-62caf48 100->104 101->58 103->101 104->101
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: dM$dM
                                              • API String ID: 0-2801238145
                                              • Opcode ID: 0c538359b1e3e6e3d63f053ba18f287ffb2033e2685627745174481a97b8f421
                                              • Instruction ID: b33d006ddb85be189f127d5b600e5181b548a047aa12fd9a47c0a6653c2afc6c
                                              • Opcode Fuzzy Hash: 0c538359b1e3e6e3d63f053ba18f287ffb2033e2685627745174481a97b8f421
                                              • Instruction Fuzzy Hash: E6E15E30E2030A8FDB64DB64D4906AEB7B2FF89311F20862ED805EB355DB719C46CB91

                                              Control-flow Graph

                                              control_flow_graph 660 ede928-edec73 661 edec9d-edecbc call ede858 660->661 662 edec75-edec9c 660->662 667 edecbe-edecc1 661->667 668 edecc2-eded21 661->668 675 eded27-ededb4 GlobalMemoryStatusEx 668->675 676 eded23-eded26 668->676 680 ededbd-edede5 675->680 681 ededb6-ededbc 675->681 681->680
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2200234740.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_ed0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 57f2928b74e88a07da953528e66354ff07d6738e04c4e6eb371684a18e3780bd
                                              • Instruction ID: 0cc6c021f21c57b5ad088a38e4a585cfe4ce7622814d70355bc8559bdaefbc83
                                              • Opcode Fuzzy Hash: 57f2928b74e88a07da953528e66354ff07d6738e04c4e6eb371684a18e3780bd
                                              • Instruction Fuzzy Hash: 1B413272D007898FCB14DFB9D80429ABBF1EF89310F14856BD804BB341EB389845CBA1

                                              Control-flow Graph

                                              control_flow_graph 863 eded40-eded7e 864 eded86-ededb4 GlobalMemoryStatusEx 863->864 865 ededbd-edede5 864->865 866 ededb6-ededbc 864->866 866->865
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE ref: 00EDEDA7
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2200234740.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_ed0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 9fa91c7bdce5a919654ace413ef17e910f357ef1cf80797f3ce1bdd829d111a5
                                              • Instruction ID: d16a4b2982be819ea93b777f61dcf4d3ba866b17104ffd4c9ed10db87b2a225c
                                              • Opcode Fuzzy Hash: 9fa91c7bdce5a919654ace413ef17e910f357ef1cf80797f3ce1bdd829d111a5
                                              • Instruction Fuzzy Hash: DA110DB1C0065ADBDB10DFAAD444B9EFBF4AF48320F11812AE918B7340D778A944CFA5
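The per-function records on this page (a `control_flow_graph` edge list followed by the Memory Dump Source and Similarity fields) are what the Joe Sandbox IDA plugin emits for each function it disassembled in the dumped RegSvcs.exe regions. In this text form the graph is unreadable, but the record still carries the keys a hunter pivots on: the function's entry address, its call targets, the Windows APIs reached from it, and the Opcode ID / Instruction Fuzzy Hash used for similarity lookups. The parser below is an added example, not code from the Joe Sandbox report or plugin. It assumes the token layout visible in the records above (a node id followed by its address range opens a block; a following `call <target>` or a bare identifier such as `GlobalMemoryStatusEx` belongs to that block; `a->b` is an edge; the entry block is listed first) and is fed the 0xeded40 and 0xede928 records copied from this page, with their metadata trimmed to the fields it uses.

```python
"""Parse Joe Sandbox IDA-plugin function records (text form, as on this page)
into pivot data: entry address, call targets, APIs, Opcode ID, fuzzy hash.
Added example; not part of the Joe Sandbox report or plugin.  The record
layout it assumes is stated in the comments where it is relied on."""
import re
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")        # "863->864"
NODE_ID_RE = re.compile(r"^\d+$")              # "863"
KV_RE = re.compile(r"^•?\s*([^:]+):\s*(.*)$")  # "• Opcode ID: 9fa9..."
API_REF_RE = re.compile(                       # "• GlobalMemoryStatusEx.KERNELBASE ref: 00EDEDA7"
    r"^•?\s*([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)\s+ref:\s*([0-9A-Fa-f]+)$")


@dataclass
class FunctionRecord:
    entry: str = ""                               # start of the first listed block
    blocks: dict = field(default_factory=dict)    # node id -> "start-end" or "start"
    edges: list = field(default_factory=list)     # (from_id, to_id)
    calls: set = field(default_factory=set)       # targets of "call <addr>" tokens
    apis: set = field(default_factory=set)        # APIs named in the graph or APIs section
    api_refs: dict = field(default_factory=dict)  # "MODULE!Api" -> referencing address
    meta: dict = field(default_factory=dict)      # "Opcode ID", "Instruction Fuzzy Hash", ...


def parse_cfg(line: str, rec: FunctionRecord) -> None:
    """Walk the flat token stream of a control_flow_graph line.
    Assumed layout (as in the records on this page): "<id> <addr[-addr]>" opens
    a block; a following "call <addr>" or bare identifier (an API) belongs to
    that block; "<id>-><id>" is an edge; the entry block is listed first."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    state = None   # "addr": next token is a block address; "call": next token is a call target
    current = None
    for tok in tokens[1:]:
        if state == "addr":
            rec.blocks[current] = tok
            rec.entry = rec.entry or tok.split("-")[0]
            state = None
        elif state == "call":
            rec.calls.add(tok)
            state = None
        elif EDGE_RE.match(tok):
            src, dst = tok.split("->")
            rec.edges.append((src, dst))
        elif NODE_ID_RE.match(tok):
            current, state = tok, "addr"
        elif tok == "call":
            state = "call"
        else:
            rec.apis.add(tok)  # bare identifier in the graph: an API reached from this block


def parse_record(text: str) -> FunctionRecord:
    """Parse one function record: the graph line plus its bullet metadata."""
    rec = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph"):
            parse_cfg(line, rec)
            continue
        m = API_REF_RE.match(line)
        if m:  # "Api.MODULE ref: addr" under "APIs"; must be tried before the generic key/value form
            rec.api_refs[f"{m.group(2)}!{m.group(1)}"] = m.group(3)
            rec.apis.add(m.group(1))
            continue
        m = KV_RE.match(line)
        if m:
            rec.meta[m.group(1).strip()] = m.group(2).strip()
    return rec


def summarize(rec: FunctionRecord) -> dict:
    """Flatten a record to the fields worth pivoting on."""
    off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rec.meta.get("Source File", ""))
    return {
        "entry": rec.entry,
        "region_offset": off.group(1) if off else "",
        "blocks": len(rec.blocks),
        "edges": len(rec.edges),
        "calls": sorted(rec.calls),
        "apis": sorted(rec.apis),
        "api_refs": dict(rec.api_refs),
        "api_id": rec.meta.get("API ID", ""),
        "opcode_id": rec.meta.get("Opcode ID", ""),
        "instruction_fuzzy_hash": rec.meta.get("Instruction Fuzzy Hash", ""),
    }


# Two records copied from this page (metadata trimmed to the fields used above).
RECORD_EDED40 = """\
control_flow_graph 863 eded40-eded7e 864 eded86-ededb4 GlobalMemoryStatusEx 863->864 865 ededbd-edede5 864->865 866 ededb6-ededbc 864->866 866->865
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 00EDEDA7
Memory Dump Source
• Source File: 0000000A.00000002.2200234740.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
• Snapshot File: hcaresult_10_2_ed0000_RegSvcs.jbxd
• API ID: GlobalMemoryStatus
• Opcode ID: 9fa91c7bdce5a919654ace413ef17e910f357ef1cf80797f3ce1bdd829d111a5
• Instruction Fuzzy Hash: DA110DB1C0065ADBDB10DFAAD444B9EFBF4AF48320F11812AE918B7340D778A944CFA5
"""
RECORD_EDE928 = """\
control_flow_graph 660 ede928-edec73 661 edec9d-edecbc call ede858 660->661 662 edec75-edec9c 660->662 667 edecbe-edecc1 661->667 668 edecc2-eded21 661->668 675 eded27-ededb4 GlobalMemoryStatusEx 668->675 676 eded23-eded26 668->676 680 ededbd-edede5 675->680 681 ededb6-ededbc 675->681 681->680
Memory Dump Source
• Source File: 0000000A.00000002.2200234740.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
• Snapshot File: hcaresult_10_2_ed0000_RegSvcs.jbxd
• API ID:
• Opcode ID: 57f2928b74e88a07da953528e66354ff07d6738e04c4e6eb371684a18e3780bd
• Instruction Fuzzy Hash: 1B413272D007898FCB14DFB9D80429ABBF1EF89310F14856BD804BB341EB389845CBA1
"""

if __name__ == "__main__":
    for text in (RECORD_EDED40, RECORD_EDE928):
        print(summarize(parse_record(text)))
```

Note that the 0xede928 record has an empty "API ID" field even though its graph reaches GlobalMemoryStatusEx through the block at 0xeded27, so the API set is taken from the graph tokens as well as from the "APIs" section. The executed / not executed colouring of the interactive graph does not survive in the text form, so block coverage cannot be recovered here; the Opcode ID and Instruction Fuzzy Hash are the values to carry into similarity searches across other reports.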

                                              Control-flow Graph

                                              control_flow_graph 869 62cfd11-62cfd3f 870 62cfd41-62cfd44 869->870 871 62cfd58-62cfd5b 870->871 872 62cfd46-62cfd48 870->872 873 62cfd5d-62cfd76 call 62cf17c 871->873 874 62cfd7b-62cfd7e 871->874 927 62cfd4a call ede2f8 872->927 928 62cfd4a call ede308 872->928 873->874 875 62cfd88-62cfd8b 874->875 876 62cfd80-62cfd83 874->876 879 62cfeb4-62cfeb7 875->879 880 62cfd91-62cfd9c 875->880 876->875 877 62cfd50-62cfd57 881 62cfede-62cfee1 879->881 882 62cfeb9-62cfebd call 62cf18c 879->882 892 62cfd9e-62cfdd5 880->892 893 62cfdd7-62cfdea 880->893 886 62cff04-62cff11 881->886 887 62cfee3-62cfee6 881->887 889 62cfec2-62cfed9 882->889 890 62cfeff-62cff02 887->890 891 62cfee8-62cfefc 887->891 889->881 890->886 895 62cff12-62cff15 890->895 891->890 894 62cfdec-62cfdf0 892->894 893->894 896 62cfdfb 894->896 897 62cfdf2 894->897 901 62cff2b-62cff2d 895->901 902 62cff17-62cff1d 895->902 907 62cfdfe-62cfe04 896->907 897->896 905 62cff2f 901->905 906 62cff34-62cff37 901->906 903 62cff1f 902->903 904 62cff26 902->904 903->872 903->882 903->904 903->907 904->901 905->906 906->870 908 62cff3d-62cff47 906->908 911 62cfe2c-62cfe2f 907->911 912 62cfe06-62cfe24 907->912 924 62cfe31 call ede86a 911->924 925 62cfe31 call ede820 911->925 926 62cfe31 call ede830 911->926 912->911 914 62cfe37-62cfe9e 924->914 925->914 926->914 927->877 928->877
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: %
                                              • API String ID: 0-2567322570
                                              • Opcode ID: ff9b4260e6f60291820fa13acf58048a53354fca98a5431f11de922a598c20d5
                                              • Instruction ID: 708d2c006e541cd5e07e50ca3bd123178077cb547794816070a39914bb50a620
                                              • Opcode Fuzzy Hash: ff9b4260e6f60291820fa13acf58048a53354fca98a5431f11de922a598c20d5
                                              • Instruction Fuzzy Hash: 3F51F531E112069FDB14EB78E9486ADB7B3EF85321F10497EE906E7291DB358855CB80

                                              Control-flow Graph

                                              control_flow_graph 1681 62ccfd8-62ccff3 1682 62ccff5-62ccff8 1681->1682 1683 62ccffa-62ccffc 1682->1683 1684 62cd007-62cd00a 1682->1684 1685 62cd37f-62cd388 1683->1685 1686 62cd002 1683->1686 1687 62cd00c-62cd04e 1684->1687 1688 62cd053-62cd056 1684->1688 1689 62cd38a-62cd38f 1685->1689 1690 62cd397-62cd3a3 1685->1690 1686->1684 1687->1688 1691 62cd058-62cd074 1688->1691 1692 62cd079-62cd07c 1688->1692 1689->1690 1696 62cd3a9-62cd3bd 1690->1696 1697 62cd4b4-62cd4b9 1690->1697 1691->1692 1694 62cd07e-62cd094 1692->1694 1695 62cd099-62cd09c 1692->1695 1694->1695 1699 62cd09e-62cd0e0 1695->1699 1700 62cd0e5-62cd0e8 1695->1700 1710 62cd4c1 1696->1710 1712 62cd3c3-62cd3d5 1696->1712 1697->1710 1699->1700 1704 62cd0ea-62cd12c 1700->1704 1705 62cd131-62cd134 1700->1705 1704->1705 1708 62cd17d-62cd180 1705->1708 1709 62cd136-62cd145 1705->1709 1719 62cd1c9-62cd1cc 1708->1719 1720 62cd182-62cd1c4 1708->1720 1714 62cd154-62cd160 1709->1714 1715 62cd147-62cd14c 1709->1715 1713 62cd4c4-62cd4d0 1710->1713 1728 62cd3f9-62cd3fb 1712->1728 1729 62cd3d7-62cd3dd 1712->1729 1721 62cd235-62cd244 1713->1721 1722 62cd4d6-62cd7c3 1713->1722 1723 62cd9f5-62cda2e 1714->1723 1724 62cd166-62cd178 1714->1724 1715->1714 1719->1713 1725 62cd1d2-62cd1d5 1719->1725 1720->1719 1730 62cd246-62cd24b 1721->1730 1731 62cd253-62cd25f 1721->1731 1893 62cd7c9-62cd7cf 1722->1893 1894 62cd9ea-62cd9f4 1722->1894 1749 62cda30-62cda33 1723->1749 1724->1708 1732 62cd1e4-62cd1e7 1725->1732 1733 62cd1d7-62cd1d9 1725->1733 1742 62cd405-62cd411 1728->1742 1737 62cd3df 1729->1737 1738 62cd3e1-62cd3ed 1729->1738 1730->1731 1731->1723 1743 62cd265-62cd277 1731->1743 1746 62cd1e9-62cd22b 1732->1746 1747 62cd230-62cd233 1732->1747 1733->1710 1745 62cd1df 1733->1745 1748 62cd3ef-62cd3f7 1737->1748 1738->1748 1765 62cd41f 1742->1765 1766 62cd413-62cd41d 1742->1766 1750 62cd27c-62cd27f 1743->1750 1745->1732 1746->1747 1747->1721 1747->1750 1748->1742 1756 62cda35 call 62cdb4d 
1749->1756 1757 62cda42-62cda45 1749->1757 1760 62cd2c8-62cd2cb 1750->1760 1761 62cd281-62cd2c3 1750->1761 1776 62cda3b-62cda3d 1756->1776 1767 62cda68-62cda6b 1757->1767 1768 62cda47-62cda63 1757->1768 1770 62cd2cd-62cd30f 1760->1770 1771 62cd314-62cd317 1760->1771 1761->1760 1777 62cd424-62cd426 1765->1777 1766->1777 1779 62cda6d-62cda99 1767->1779 1780 62cda9e-62cdaa0 1767->1780 1768->1767 1770->1771 1773 62cd319-62cd31e 1771->1773 1774 62cd321-62cd324 1771->1774 1773->1774 1784 62cd36d-62cd36f 1774->1784 1785 62cd326-62cd368 1774->1785 1776->1757 1777->1710 1786 62cd42c-62cd448 call 62c6640 1777->1786 1779->1780 1789 62cdaa7-62cdaaa 1780->1789 1790 62cdaa2 1780->1790 1795 62cd376-62cd379 1784->1795 1796 62cd371 1784->1796 1785->1784 1816 62cd44a-62cd44f 1786->1816 1817 62cd457-62cd463 1786->1817 1789->1749 1797 62cdaac-62cdabb 1789->1797 1790->1789 1795->1682 1795->1685 1796->1795 1811 62cdabd-62cdb20 call 62c6640 1797->1811 1812 62cdb22-62cdb37 1797->1812 1811->1812 1816->1817 1817->1697 1821 62cd465-62cd4b2 1817->1821 1821->1710 1895 62cd7de-62cd7e7 1893->1895 1896 62cd7d1-62cd7d6 1893->1896 1895->1723 1897 62cd7ed-62cd800 1895->1897 1896->1895 1899 62cd9da-62cd9e4 1897->1899 1900 62cd806-62cd80c 1897->1900 1899->1893 1899->1894 1901 62cd80e-62cd813 1900->1901 1902 62cd81b-62cd824 1900->1902 1901->1902 1902->1723 1903 62cd82a-62cd84b 1902->1903 1906 62cd84d-62cd852 1903->1906 1907 62cd85a-62cd863 1903->1907 1906->1907 1907->1723 1908 62cd869-62cd886 1907->1908 1908->1899 1911 62cd88c-62cd892 1908->1911 1911->1723 1912 62cd898-62cd8b1 1911->1912 1914 62cd9cd-62cd9d4 1912->1914 1915 62cd8b7-62cd8de 1912->1915 1914->1899 1914->1911 1915->1723 1918 62cd8e4-62cd8ee 1915->1918 1918->1723 1919 62cd8f4-62cd90b 1918->1919 1921 62cd90d-62cd918 1919->1921 1922 62cd91a-62cd935 1919->1922 1921->1922 1922->1914 1927 62cd93b-62cd954 call 62c6640 1922->1927 1931 62cd956-62cd95b 1927->1931 1932 62cd963-62cd96c 1927->1932 1931->1932 1932->1723 1933 62cd972-62cd9c6 1932->1933 
1933->1914
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e7787dc7853c890c39c2100983d880201770f5b35cf0250b3f83e51e0faa944e
                                              • Instruction ID: 5138fe4dedcab4a86c841f976017b1cec80a5fdc7da28a1d05291c6b9bc386b0
                                              • Opcode Fuzzy Hash: e7787dc7853c890c39c2100983d880201770f5b35cf0250b3f83e51e0faa944e
                                              • Instruction Fuzzy Hash: 05622D30A10246CFDB55EB78E590A9DB7B2FF85310F208A69D4099F359EB71ED46CB80

                                              Control-flow Graph

                                              control_flow_graph 3150 62cb6e8-62cb708 3151 62cb70a-62cb70d 3150->3151 3152 62cb945-62cb946 3151->3152 3153 62cb713-62cb716 3151->3153 3156 62cb94b-62cb94e 3152->3156 3154 62cb718-62cb71e 3153->3154 3155 62cb730-62cb733 3153->3155 3157 62cba8f-62cbac6 3154->3157 3158 62cb724-62cb72b 3154->3158 3159 62cb75a-62cb75d 3155->3159 3160 62cb735-62cb739 3155->3160 3161 62cb954-62cb957 3156->3161 3162 62cb802-62cb80b 3156->3162 3184 62cbac8-62cbacb 3157->3184 3158->3155 3166 62cb79c-62cb79f 3159->3166 3167 62cb75f-62cb774 3159->3167 3160->3157 3165 62cb73f-62cb74f 3160->3165 3168 62cb959-62cb95e 3161->3168 3169 62cb961-62cb964 3161->3169 3163 62cb976-62cb97f 3162->3163 3164 62cb811 3162->3164 3163->3157 3173 62cb985-62cb98c 3163->3173 3172 62cb816-62cb819 3164->3172 3194 62cb755 3165->3194 3195 62cb861-62cb865 3165->3195 3174 62cb7a1-62cb7a7 3166->3174 3175 62cb7b2-62cb7b5 3166->3175 3167->3157 3186 62cb77a-62cb797 3167->3186 3168->3169 3170 62cb966-62cb96c 3169->3170 3171 62cb971-62cb974 3169->3171 3170->3171 3171->3163 3177 62cb991-62cb994 3171->3177 3178 62cb81b-62cb81f 3172->3178 3179 62cb840-62cb843 3172->3179 3173->3177 3174->3154 3180 62cb7ad 3174->3180 3181 62cb7c5-62cb7c8 3175->3181 3182 62cb7b7-62cb7c0 3175->3182 3188 62cb9ab-62cb9ae 3177->3188 3189 62cb996-62cb99a 3177->3189 3178->3157 3187 62cb825-62cb835 3178->3187 3192 62cb845-62cb84e 3179->3192 3193 62cb853-62cb856 3179->3193 3180->3175 3190 62cb7ea-62cb7ed 3181->3190 3191 62cb7ca-62cb7e5 3181->3191 3182->3181 3196 62cbd37-62cbd3a 3184->3196 3197 62cbad1-62cbaf9 3184->3197 3186->3166 3187->3160 3221 62cb83b 3187->3221 3199 62cb9b0-62cb9fe call 62c6640 3188->3199 3200 62cba03-62cba06 3188->3200 3189->3157 3198 62cb9a0-62cb9a6 3189->3198 3205 62cb7fd-62cb800 3190->3205 3206 62cb7ef-62cb7f8 3190->3206 3191->3190 3192->3193 3193->3152 3201 62cb85c-62cb85f 3193->3201 3194->3159 3195->3157 3202 62cb86b-62cb87b 3195->3202 3203 62cbd3c-62cbd58 3196->3203 3204 
62cbd5d-62cbd5f 3196->3204 3249 62cbafb-62cbafe 3197->3249 3250 62cbb03-62cbb47 3197->3250 3198->3188 3199->3200 3209 62cba08-62cba0b 3200->3209 3210 62cba10-62cba13 3200->3210 3201->3195 3211 62cb886-62cb889 3201->3211 3202->3152 3228 62cb881 3202->3228 3203->3204 3213 62cbd66-62cbd69 3204->3213 3214 62cbd61 3204->3214 3205->3162 3205->3172 3206->3205 3209->3210 3222 62cba15-62cba1e 3210->3222 3223 62cba23-62cba26 3210->3223 3218 62cb88b-62cb88f 3211->3218 3219 62cb8a0-62cb8a3 3211->3219 3213->3184 3220 62cbd6f-62cbd78 3213->3220 3214->3213 3218->3157 3229 62cb895-62cb89b 3218->3229 3230 62cb8a5-62cb8b1 3219->3230 3231 62cb8b6-62cb8b9 3219->3231 3221->3179 3222->3223 3226 62cba28-62cba44 3223->3226 3227 62cba49-62cba4c 3223->3227 3226->3227 3227->3152 3235 62cba52-62cba55 3227->3235 3228->3211 3229->3219 3230->3231 3236 62cb8bb-62cb8c1 3231->3236 3237 62cb8c6-62cb8c9 3231->3237 3241 62cba69-62cba6c 3235->3241 3242 62cba57-62cba5e 3235->3242 3236->3237 3244 62cb8cb-62cb8e0 3237->3244 3245 62cb907-62cb90a 3237->3245 3241->3174 3251 62cba72-62cba74 3241->3251 3242->3206 3248 62cba64 3242->3248 3244->3157 3264 62cb8e6-62cb902 3244->3264 3246 62cb90c-62cb90e 3245->3246 3247 62cb911-62cb914 3245->3247 3246->3247 3253 62cb926-62cb929 3247->3253 3254 62cb916 3247->3254 3248->3241 3249->3220 3272 62cbd2c-62cbd36 3250->3272 3273 62cbb4d-62cbb56 3250->3273 3256 62cba7b-62cba7e 3251->3256 3257 62cba76 3251->3257 3260 62cb92b-62cb92f 3253->3260 3261 62cb940-62cb943 3253->3261 3265 62cb91e-62cb921 3254->3265 3256->3151 3263 62cba84-62cba8e 3256->3263 3257->3256 3260->3157 3266 62cb935-62cb93b 3260->3266 3261->3152 3261->3156 3264->3245 3265->3253 3266->3261 3275 62cbb5c-62cbbc8 call 62c6640 3273->3275 3276 62cbd22-62cbd27 3273->3276 3284 62cbbce-62cbbd3 3275->3284 3285 62cbcc2-62cbcd7 3275->3285 3276->3272 3287 62cbbef 3284->3287 3288 62cbbd5-62cbbdb 3284->3288 3285->3276 3289 62cbbf1-62cbbf7 3287->3289 3290 62cbbdd-62cbbdf 3288->3290 3291 62cbbe1-62cbbe3 3288->3291 3292 
62cbc0c-62cbc19 3289->3292 3293 62cbbf9-62cbbff 3289->3293 3294 62cbbed 3290->3294 3291->3294 3301 62cbc1b-62cbc21 3292->3301 3302 62cbc31-62cbc3e 3292->3302 3295 62cbcad-62cbcbc 3293->3295 3296 62cbc05 3293->3296 3294->3289 3295->3284 3295->3285 3296->3292 3297 62cbc74-62cbc81 3296->3297 3298 62cbc40-62cbc4d 3296->3298 3310 62cbc99-62cbca6 3297->3310 3311 62cbc83-62cbc89 3297->3311 3308 62cbc4f-62cbc55 3298->3308 3309 62cbc65-62cbc72 3298->3309 3304 62cbc25-62cbc27 3301->3304 3305 62cbc23 3301->3305 3302->3295 3304->3302 3305->3302 3312 62cbc59-62cbc5b 3308->3312 3313 62cbc57 3308->3313 3309->3295 3310->3295 3314 62cbc8d-62cbc8f 3311->3314 3315 62cbc8b 3311->3315 3312->3309 3313->3309 3314->3310 3315->3310
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6434236527e9160082f3b6cc47edeed11ac895f9de5baf1f346173e6365ce1d4
                                              • Instruction ID: 4248d421acf9069b50ee9d8b3bca82328d3e839d6b0bd6404917859e19d51260
                                              • Opcode Fuzzy Hash: 6434236527e9160082f3b6cc47edeed11ac895f9de5baf1f346173e6365ce1d4
                                              • Instruction Fuzzy Hash: B0026E30E2020A8FDFA4DB68D4917ADB7B2FF45321F208A2AD819DB255DB71DD45CB81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bff896cc08aace9afd97ae830116e4d8e0ffd667447728049fdd2815b43a70f0
                                              • Instruction ID: 12616f2f4c4e4abe9f84809171cca201c22a2abd7282a8efb0513ff5816421e9
                                              • Opcode Fuzzy Hash: bff896cc08aace9afd97ae830116e4d8e0ffd667447728049fdd2815b43a70f0
                                              • Instruction Fuzzy Hash: 2701AF31B201124BDBA5A67CA45472F76D6DBC9770F11893EEA0ECB340EE21DC024791
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5958920e9241bcb415bca7eb341a8bf147cf76be85cc0034470dc4aad16814ba
                                              • Instruction ID: 129f7a6d94c9b565bb751725a1dd936bfc1325476f14ea6cd9811128eca510fc
                                              • Opcode Fuzzy Hash: 5958920e9241bcb415bca7eb341a8bf147cf76be85cc0034470dc4aad16814ba
                                              • Instruction Fuzzy Hash: 97014431B101154FDB61EA7CE46476B73D6EB89720F50893DE50AD7384EE22DC428790
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a26eb467ee0a21cd0d4521eae4137937d722e73fd73ea87037a5dfc043b4526a
                                              • Instruction ID: 44bda7b067b5175eff4482f8af8adc38585875270308fff4638530a1c34bc377
                                              • Opcode Fuzzy Hash: a26eb467ee0a21cd0d4521eae4137937d722e73fd73ea87037a5dfc043b4526a
                                              • Instruction Fuzzy Hash: D901F931F201149BDB54AA79E840A9E7775F785310F00423EED05EB344DB31980487C0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ea038fa8dbc27ce0f56917677758a7baae586c2f5fcbcf770764bbe9128fe260
                                              • Instruction ID: 9cf65654886ea9750ebfbf8f9eb97c7f184c91f197ce65b1080fb9f0a377b5b5
                                              • Opcode Fuzzy Hash: ea038fa8dbc27ce0f56917677758a7baae586c2f5fcbcf770764bbe9128fe260
                                              • Instruction Fuzzy Hash: 9DF0F432A34206CFDF649A54E9802ED7FA4EB41320F10926EDD04DB241DA7AD901C780
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2208807270.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_62c0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 034b141f07c7db9e93d057a0369f9b8deefb10e70d68a2a36daf5ed116742cd8
                                              • Instruction ID: 80c7e441064d4e82c90313981280fd8d8a13862acd9b63c103ef9e2b1658d7f2
                                              • Opcode Fuzzy Hash: 034b141f07c7db9e93d057a0369f9b8deefb10e70d68a2a36daf5ed116742cd8
                                              • Instruction Fuzzy Hash: DDE026B2E34209ABDB50CEB0C94571F7BEDDB42264F3089BADC08D7202E136CD028740

                                              Execution Graph

                                              Execution Coverage:11.1%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:243
                                              Total number of Limit Nodes:8
                                              execution_graph 34918 160d080 34919 160d0c6 GetCurrentProcess 34918->34919 34921 160d111 34919->34921 34922 160d118 GetCurrentThread 34919->34922 34921->34922 34923 160d155 GetCurrentProcess 34922->34923 34924 160d14e 34922->34924 34925 160d18b 34923->34925 34924->34923 34926 160d1b3 GetCurrentThreadId 34925->34926 34927 160d1e4 34926->34927 34935 160d6d0 DuplicateHandle 34936 160d766 34935->34936 34928 7698248 34929 76983d3 34928->34929 34930 769826e 34928->34930 34930->34929 34932 7697e44 34930->34932 34933 76984c8 PostMessageW 34932->34933 34934 7698534 34933->34934 34934->34930 34750 7694efd 34751 7694e7e 34750->34751 34752 7694e93 34751->34752 34756 7696c08 34751->34756 34770 7696c6e 34751->34770 34785 7696bfa 34751->34785 34752->34752 34757 7696c22 34756->34757 34758 7696c2a 34757->34758 34799 769777f 34757->34799 34804 769705b 34757->34804 34809 7697186 34757->34809 34813 7697207 34757->34813 34817 76974c4 34757->34817 34822 7697363 34757->34822 34827 769744f 34757->34827 34832 769752f 34757->34832 34837 769754d 34757->34837 34845 76975ab 34757->34845 34850 7697515 34757->34850 34758->34752 34771 7696bfc 34770->34771 34773 7696c71 34770->34773 34772 7696c2a 34771->34772 34774 76975ab 2 API calls 34771->34774 34775 769754d 4 API calls 34771->34775 34776 769752f 2 API calls 34771->34776 34777 769744f 2 API calls 34771->34777 34778 7697363 2 API calls 34771->34778 34779 76974c4 2 API calls 34771->34779 34780 7697207 2 API calls 34771->34780 34781 7697186 2 API calls 34771->34781 34782 769705b 2 API calls 34771->34782 34783 769777f 2 API calls 34771->34783 34784 7697515 2 API calls 34771->34784 34772->34752 34773->34752 34774->34772 34775->34772 34776->34772 34777->34772 34778->34772 34779->34772 34780->34772 34781->34772 34782->34772 34783->34772 34784->34772 34786 7696c22 34785->34786 34787 76975ab 2 API calls 34786->34787 34788 769754d 4 API calls 34786->34788 34789 769752f 2 API calls 34786->34789 34790 769744f 2 
API calls 34786->34790 34791 7696c2a 34786->34791 34792 7697363 2 API calls 34786->34792 34793 76974c4 2 API calls 34786->34793 34794 7697207 2 API calls 34786->34794 34795 7697186 2 API calls 34786->34795 34796 769705b 2 API calls 34786->34796 34797 769777f 2 API calls 34786->34797 34798 7697515 2 API calls 34786->34798 34787->34791 34788->34791 34789->34791 34790->34791 34791->34752 34792->34791 34793->34791 34794->34791 34795->34791 34796->34791 34797->34791 34798->34791 34800 7697788 34799->34800 34855 76947d8 34800->34855 34859 76947e0 34800->34859 34801 7697a50 34805 769706b 34804->34805 34863 7694a68 34805->34863 34867 7694a5c 34805->34867 34871 769420a 34809->34871 34875 7694210 34809->34875 34810 7697115 34810->34758 34879 76948d0 34813->34879 34883 76948c9 34813->34883 34814 769722c 34814->34758 34818 76974c8 34817->34818 34820 769420a Wow64SetThreadContext 34818->34820 34821 7694210 Wow64SetThreadContext 34818->34821 34819 76974e3 34819->34758 34820->34819 34821->34819 34823 7697386 34822->34823 34825 76947d8 WriteProcessMemory 34823->34825 34826 76947e0 WriteProcessMemory 34823->34826 34824 769711e 34824->34758 34825->34824 34826->34824 34828 7697470 34827->34828 34887 769471a 34828->34887 34891 7694720 34828->34891 34829 7697a90 34833 7697536 34832->34833 34835 76947d8 WriteProcessMemory 34833->34835 34836 76947e0 WriteProcessMemory 34833->34836 34834 7697b0a 34835->34834 34836->34834 34838 76974c8 34837->34838 34840 76975c6 34837->34840 34841 769420a Wow64SetThreadContext 34838->34841 34842 7694210 Wow64SetThreadContext 34838->34842 34839 76974e3 34839->34758 34840->34839 34895 769415a 34840->34895 34899 7694160 34840->34899 34841->34839 34842->34839 34846 76975c6 34845->34846 34847 7697779 34846->34847 34848 769415a ResumeThread 34846->34848 34849 7694160 ResumeThread 34846->34849 34847->34758 34848->34846 34849->34846 34851 769751d 34850->34851 34853 76947d8 WriteProcessMemory 34851->34853 34854 76947e0 WriteProcessMemory 34851->34854 34852 7697b0a 
34853->34852 34854->34852 34856 7694828 WriteProcessMemory 34855->34856 34858 769487f 34856->34858 34858->34801 34860 7694828 WriteProcessMemory 34859->34860 34862 769487f 34860->34862 34862->34801 34864 7694af1 CreateProcessA 34863->34864 34866 7694cb3 34864->34866 34868 7694af1 CreateProcessA 34867->34868 34870 7694cb3 34868->34870 34872 7694255 Wow64SetThreadContext 34871->34872 34874 769429d 34872->34874 34874->34810 34876 7694255 Wow64SetThreadContext 34875->34876 34878 769429d 34876->34878 34878->34810 34880 769491b ReadProcessMemory 34879->34880 34882 769495f 34880->34882 34882->34814 34884 769491b ReadProcessMemory 34883->34884 34886 769495f 34884->34886 34886->34814 34888 7694760 VirtualAllocEx 34887->34888 34890 769479d 34888->34890 34890->34829 34892 7694760 VirtualAllocEx 34891->34892 34894 769479d 34892->34894 34894->34829 34896 76941a0 ResumeThread 34895->34896 34898 76941d1 34896->34898 34898->34840 34900 76941a0 ResumeThread 34899->34900 34902 76941d1 34900->34902 34902->34840 34937 567e690 34938 567e6a7 34937->34938 34942 567e959 34938->34942 34946 567e968 34938->34946 34939 567e6fd 34943 567e968 34942->34943 34950 567db3c 34943->34950 34945 567e97f 34945->34939 34947 567e976 34946->34947 34948 567db3c 3 API calls 34947->34948 34949 567e97f 34948->34949 34949->34939 34951 567db47 34950->34951 34954 567e624 34951->34954 34953 567e9ce 34953->34945 34955 567e62f 34954->34955 34956 567ea22 34955->34956 34957 1605cc4 3 API calls 34955->34957 34959 1608348 34955->34959 34956->34953 34957->34956 34960 1608358 34959->34960 34962 160860b 34960->34962 34963 160acb8 3 API calls 34960->34963 34961 1608649 34961->34956 34962->34961 34964 160cda8 3 API calls 34962->34964 34963->34962 34964->34961 34648 1604668 34649 160467a 34648->34649 34650 1604686 34649->34650 34654 1604778 34649->34654 34659 1603e34 34650->34659 34652 16046a5 34655 160479d 34654->34655 34663 1604888 34655->34663 34667 1604879 34655->34667 34660 1603e3f 34659->34660 34675 1605c44 34660->34675 
34662 1607089 34662->34652 34664 16048af 34663->34664 34666 160498c 34664->34666 34671 16044b4 34664->34671 34669 16048af 34667->34669 34668 160498c 34668->34668 34669->34668 34670 16044b4 CreateActCtxA 34669->34670 34670->34668 34672 1605918 CreateActCtxA 34671->34672 34674 16059db 34672->34674 34676 1605c4f 34675->34676 34679 1605c64 34676->34679 34678 1607135 34678->34662 34680 1605c6f 34679->34680 34683 1605c94 34680->34683 34682 160721a 34682->34678 34684 1605c9f 34683->34684 34687 1605cc4 34684->34687 34686 160730d 34686->34682 34688 1605ccf 34687->34688 34690 160860b 34688->34690 34693 160acb8 34688->34693 34689 1608649 34689->34686 34690->34689 34697 160cda8 34690->34697 34701 160ace0 34693->34701 34706 160acf0 34693->34706 34694 160acce 34694->34690 34698 160cdd9 34697->34698 34699 160cdfd 34698->34699 34738 160cf68 34698->34738 34699->34689 34702 160acf0 34701->34702 34710 160add7 34702->34710 34718 160ade8 34702->34718 34703 160acff 34703->34694 34708 160add7 2 API calls 34706->34708 34709 160ade8 2 API calls 34706->34709 34707 160acff 34707->34694 34708->34707 34709->34707 34711 160adf9 34710->34711 34712 160ae1c 34710->34712 34711->34712 34726 160b080 34711->34726 34730 160b071 34711->34730 34712->34703 34713 160ae14 34713->34712 34714 160b020 GetModuleHandleW 34713->34714 34715 160b04d 34714->34715 34715->34703 34719 160adf9 34718->34719 34720 160ae1c 34718->34720 34719->34720 34724 160b080 LoadLibraryExW 34719->34724 34725 160b071 LoadLibraryExW 34719->34725 34720->34703 34721 160ae14 34721->34720 34722 160b020 GetModuleHandleW 34721->34722 34723 160b04d 34722->34723 34723->34703 34724->34721 34725->34721 34727 160b094 34726->34727 34729 160b0b9 34727->34729 34734 160a170 34727->34734 34729->34713 34731 160b094 34730->34731 34732 160a170 LoadLibraryExW 34731->34732 34733 160b0b9 34731->34733 34732->34733 34733->34713 34735 160b260 LoadLibraryExW 34734->34735 34737 160b2d9 34735->34737 34737->34729 34739 160cf75 34738->34739 34740 160cfaf 34739->34740 
34742 160bb20 34739->34742 34740->34699 34743 160bb2b 34742->34743 34745 160dcc8 34743->34745 34746 160d31c 34743->34746 34747 160d327 34746->34747 34748 1605cc4 3 API calls 34747->34748 34749 160dd37 34748->34749 34749->34745 34903 567cdb8 34904 567cdd3 34903->34904 34907 567b258 34904->34907 34906 567cdf1 34908 567b263 34907->34908 34911 567b2c0 34908->34911 34912 567b2cb 34911->34912 34913 567ce7d 34912->34913 34915 567b2d0 34912->34915 34913->34906 34916 567d030 OleInitialize 34915->34916 34917 567d094 34916->34917 34917->34913

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0160D0FE
                                              • GetCurrentThread.KERNEL32 ref: 0160D13B
                                              • GetCurrentProcess.KERNEL32 ref: 0160D178
                                              • GetCurrentThreadId.KERNEL32 ref: 0160D1D1
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 1fbbc2720a3802b254bc4b14ebe55ef6ba2f7fc830ce03c85edfe460541a2f81
                                              • Instruction ID: 870b6affc5938f5a6912e4556c262ae7d192f4058b73fe477f5c900ddbd5b1f8
                                              • Opcode Fuzzy Hash: 1fbbc2720a3802b254bc4b14ebe55ef6ba2f7fc830ce03c85edfe460541a2f81
                                              • Instruction Fuzzy Hash: E15167B0900749DFEB09DFA9D948BDEBBF1BF48304F208459D008A73A0D7749884CB65

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0160D0FE
                                              • GetCurrentThread.KERNEL32 ref: 0160D13B
                                              • GetCurrentProcess.KERNEL32 ref: 0160D178
                                              • GetCurrentThreadId.KERNEL32 ref: 0160D1D1
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 2010af9ca0a70a4b47b0802f551c8bb3d00571cd9a33353b2443281528abcec8
                                              • Instruction ID: d745bf2e8edc07fc845c046a75b703e6cfbd39701f446d0393eca4f4ff8ef559
                                              • Opcode Fuzzy Hash: 2010af9ca0a70a4b47b0802f551c8bb3d00571cd9a33353b2443281528abcec8
                                              • Instruction Fuzzy Hash: F95166B0900709DFEB08DFA9D948B9EBBF1FF88314F208459E009A73A0DB745884CB65

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 44 7694a5c-7694afd 46 7694aff-7694b09 44->46 47 7694b36-7694b56 44->47 46->47 48 7694b0b-7694b0d 46->48 54 7694b58-7694b62 47->54 55 7694b8f-7694bbe 47->55 50 7694b0f-7694b19 48->50 51 7694b30-7694b33 48->51 52 7694b1b 50->52 53 7694b1d-7694b2c 50->53 51->47 52->53 53->53 56 7694b2e 53->56 54->55 57 7694b64-7694b66 54->57 61 7694bc0-7694bca 55->61 62 7694bf7-7694cb1 CreateProcessA 55->62 56->51 59 7694b89-7694b8c 57->59 60 7694b68-7694b72 57->60 59->55 63 7694b74 60->63 64 7694b76-7694b85 60->64 61->62 65 7694bcc-7694bce 61->65 75 7694cba-7694d40 62->75 76 7694cb3-7694cb9 62->76 63->64 64->64 66 7694b87 64->66 67 7694bf1-7694bf4 65->67 68 7694bd0-7694bda 65->68 66->59 67->62 70 7694bdc 68->70 71 7694bde-7694bed 68->71 70->71 71->71 72 7694bef 71->72 72->67 86 7694d50-7694d54 75->86 87 7694d42-7694d46 75->87 76->75 89 7694d64-7694d68 86->89 90 7694d56-7694d5a 86->90 87->86 88 7694d48 87->88 88->86 92 7694d78-7694d7c 89->92 93 7694d6a-7694d6e 89->93 90->89 91 7694d5c 90->91 91->89 94 7694d8e-7694d95 92->94 95 7694d7e-7694d84 92->95 93->92 96 7694d70 93->96 97 7694dac 94->97 98 7694d97-7694da6 94->98 95->94 96->92 100 7694dad 97->100 98->97 100->100
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07694C9E
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: af86dd8f1089050aae39db965b898ef43e3ee9ae81626bf11133589b57cba048
                                              • Instruction ID: e220aea8344287ae08403f30aaf2a7eca94a23f9d2f19a73a5b170e70e93ed3f
                                              • Opcode Fuzzy Hash: af86dd8f1089050aae39db965b898ef43e3ee9ae81626bf11133589b57cba048
                                              • Instruction Fuzzy Hash: C7916CB1D0165ACFEF24CFA8C8417DEBBB6BF48314F0481A9D809A7254DB749986CF91

                                              Control-flow Graph

                                              control_flow_graph 101 7694a68-7694afd 103 7694aff-7694b09 101->103 104 7694b36-7694b56 101->104 103->104 105 7694b0b-7694b0d 103->105 111 7694b58-7694b62 104->111 112 7694b8f-7694bbe 104->112 107 7694b0f-7694b19 105->107 108 7694b30-7694b33 105->108 109 7694b1b 107->109 110 7694b1d-7694b2c 107->110 108->104 109->110 110->110 113 7694b2e 110->113 111->112 114 7694b64-7694b66 111->114 118 7694bc0-7694bca 112->118 119 7694bf7-7694cb1 CreateProcessA 112->119 113->108 116 7694b89-7694b8c 114->116 117 7694b68-7694b72 114->117 116->112 120 7694b74 117->120 121 7694b76-7694b85 117->121 118->119 122 7694bcc-7694bce 118->122 132 7694cba-7694d40 119->132 133 7694cb3-7694cb9 119->133 120->121 121->121 123 7694b87 121->123 124 7694bf1-7694bf4 122->124 125 7694bd0-7694bda 122->125 123->116 124->119 127 7694bdc 125->127 128 7694bde-7694bed 125->128 127->128 128->128 129 7694bef 128->129 129->124 143 7694d50-7694d54 132->143 144 7694d42-7694d46 132->144 133->132 146 7694d64-7694d68 143->146 147 7694d56-7694d5a 143->147 144->143 145 7694d48 144->145 145->143 149 7694d78-7694d7c 146->149 150 7694d6a-7694d6e 146->150 147->146 148 7694d5c 147->148 148->146 151 7694d8e-7694d95 149->151 152 7694d7e-7694d84 149->152 150->149 153 7694d70 150->153 154 7694dac 151->154 155 7694d97-7694da6 151->155 152->151 153->149 157 7694dad 154->157 155->154 157->157
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07694C9E
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 5f36c4a6e42e61f4be1a33129232366a5a9bfea5c91152062f7ae6d8b5a3027b
                                              • Instruction ID: 0873b72e54cdf3055a46e9e9fbbc502030b223c9c369dddb90a62f53a414e0ff
                                              • Opcode Fuzzy Hash: 5f36c4a6e42e61f4be1a33129232366a5a9bfea5c91152062f7ae6d8b5a3027b
                                              • Instruction Fuzzy Hash: 62916DB1D0065ACFEF24DFA8C8417DEBBB6BF48314F0481A9D809A7244DB749986CF91

                                              Control-flow Graph

                                              control_flow_graph 158 160ade8-160adf7 159 160ae23-160ae27 158->159 160 160adf9-160ae06 call 160a10c 158->160 162 160ae29-160ae33 159->162 163 160ae3b-160ae7c 159->163 165 160ae08 160->165 166 160ae1c 160->166 162->163 169 160ae89-160ae97 163->169 170 160ae7e-160ae86 163->170 215 160ae0e call 160b080 165->215 216 160ae0e call 160b071 165->216 166->159 171 160ae99-160ae9e 169->171 172 160aebb-160aebd 169->172 170->169 174 160aea0-160aea7 call 160a118 171->174 175 160aea9 171->175 177 160aec0-160aec7 172->177 173 160ae14-160ae16 173->166 176 160af58-160af6f 173->176 179 160aeab-160aeb9 174->179 175->179 189 160af71-160afd0 176->189 180 160aed4-160aedb 177->180 181 160aec9-160aed1 177->181 179->177 183 160aee8-160aeea call 160a128 180->183 184 160aedd-160aee5 180->184 181->180 187 160aeef-160aef1 183->187 184->183 190 160aef3-160aefb 187->190 191 160aefe-160af03 187->191 209 160afd2-160b018 189->209 190->191 192 160af21-160af2e 191->192 193 160af05-160af0c 191->193 200 160af30-160af4e 192->200 201 160af51-160af57 192->201 193->192 194 160af0e-160af1e call 160a138 call 160a148 193->194 194->192 200->201 210 160b020-160b04b GetModuleHandleW 209->210 211 160b01a-160b01d 209->211 212 160b054-160b068 210->212 213 160b04d-160b053 210->213 211->210 213->212 215->173 216->173
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0160B03E
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 35c1c0eb5f48ad1e3d6e42c2a8657c64dfe7d48372ddaf17500ac9b8cad296ff
                                              • Instruction ID: 05c334adf02e37b3baac124092f165b5e4a808eb82643df6bd602a7fb12bcc85
                                              • Opcode Fuzzy Hash: 35c1c0eb5f48ad1e3d6e42c2a8657c64dfe7d48372ddaf17500ac9b8cad296ff
                                              • Instruction Fuzzy Hash: 9C714470A00B068FE729DF69D84475BBBF1BF88240F008A2DD58AD7B80D735E845CB94

                                              Control-flow Graph

                                              control_flow_graph 217 160590c-16059d9 CreateActCtxA 219 16059e2-1605a3c 217->219 220 16059db-16059e1 217->220 227 1605a4b-1605a4f 219->227 228 1605a3e-1605a41 219->228 220->219 229 1605a60 227->229 230 1605a51-1605a5d 227->230 228->227 232 1605a61 229->232 230->229 232->232
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016059C9
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 47736cf8cead89946fb79a88c52d1083209f41096ee5bcc59435dfc38de150e8
                                              • Instruction ID: be73cacb0d432287de8bb797f43b7f54d2c34222914396af977a8f7cc4b3ad44
                                              • Opcode Fuzzy Hash: 47736cf8cead89946fb79a88c52d1083209f41096ee5bcc59435dfc38de150e8
                                              • Instruction Fuzzy Hash: 0141EF70C00719CFEB24CFA9C885BDEBBB1BF89704F20815AD409AB255DB756986CF90

                                              Control-flow Graph

                                              control_flow_graph 233 16044b4-16059d9 CreateActCtxA 236 16059e2-1605a3c 233->236 237 16059db-16059e1 233->237 244 1605a4b-1605a4f 236->244 245 1605a3e-1605a41 236->245 237->236 246 1605a60 244->246 247 1605a51-1605a5d 244->247 245->244 249 1605a61 246->249 247->246 249->249
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016059C9
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 52f9bd16346c7b960ed75907fdffd1aaf917e0eb334e78728cb257599876b9e2
                                              • Instruction ID: 6f0b7f155c893a1d6202a046e6c8c9fa5976fe1e3a7c7efd07f3622677f212f3
                                              • Opcode Fuzzy Hash: 52f9bd16346c7b960ed75907fdffd1aaf917e0eb334e78728cb257599876b9e2
                                              • Instruction Fuzzy Hash: A941D070C0071DCBEB24DFA9C884BCEBBB5BF49704F20816AD409AB255DB756985CF90

                                              Control-flow Graph

                                              control_flow_graph 250 76947d8-769482e 252 769483e-769487d WriteProcessMemory 250->252 253 7694830-769483c 250->253 255 769487f-7694885 252->255 256 7694886-76948b6 252->256 253->252 255->256
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07694870
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 665e478587842a707c92e86669ecc69263c9a7a7b4dc48f09cfe34e3aafd9ffc
                                              • Instruction ID: d806607719382e5d16a28ed821d39a5cf6a7ddfecda74cb5ec8663364d505232
                                              • Opcode Fuzzy Hash: 665e478587842a707c92e86669ecc69263c9a7a7b4dc48f09cfe34e3aafd9ffc
                                              • Instruction Fuzzy Hash: 952122B19003499FDF10CFA9C981BEEBBF5BF48310F10842AE919A7340C7789A51CBA4

                                              Control-flow Graph

                                              control_flow_graph 260 76947e0-769482e 262 769483e-769487d WriteProcessMemory 260->262 263 7694830-769483c 260->263 265 769487f-7694885 262->265 266 7694886-76948b6 262->266 263->262 265->266
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07694870
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: bbfaa6618dfb6a27738dc746198225a16591789acb88afdf107c5c98e0f1f8d5
                                              • Instruction ID: 416bbd352f054f6f9707a1746b1b1934cd5f3c3318099611548b960605106202
                                              • Opcode Fuzzy Hash: bbfaa6618dfb6a27738dc746198225a16591789acb88afdf107c5c98e0f1f8d5
                                              • Instruction Fuzzy Hash: 552113B19003599FDF10CFAAC981BEEBBF5BF48310F10842AE919A7340C7789955CBA4

                                              Control-flow Graph

                                              control_flow_graph 270 769420a-769425b 272 769426b-769429b Wow64SetThreadContext 270->272 273 769425d-7694269 270->273 275 769429d-76942a3 272->275 276 76942a4-76942d4 272->276 273->272 275->276
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0769428E
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 5e3a2938a6c7cfde1aea6809ea8acef22b4b194a545db4ad4fbbc2890ed0a764
                                              • Instruction ID: 8cfee7a76f573a7eb3bc0b4884fe9933a84a19ecec2953fb09ef9fccb15c55c0
                                              • Opcode Fuzzy Hash: 5e3a2938a6c7cfde1aea6809ea8acef22b4b194a545db4ad4fbbc2890ed0a764
                                              • Instruction Fuzzy Hash: 8F2125B19003499FDB10DFAAC9857EEBBF4BF88314F14842AD559A7340CB789A45CFA4

                                              Control-flow Graph

                                              control_flow_graph 280 76948c9-769495d ReadProcessMemory 283 769495f-7694965 280->283 284 7694966-7694996 280->284 283->284
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07694950
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 6c43eb21543535e4ca2c663fdc23a92e21d3e8d9e419896591bb1359c5f5022d
                                              • Instruction ID: 9c4f845f32fd0a41621047093bfd36c85d465bfc7ec9d117758bd7abbb6437f4
                                              • Opcode Fuzzy Hash: 6c43eb21543535e4ca2c663fdc23a92e21d3e8d9e419896591bb1359c5f5022d
                                              • Instruction Fuzzy Hash: 3E2105B18003499FDF10DFAAC881AEEBBF5FF48310F10842AE959A7250C7799951CBA5

                                              Control-flow Graph

                                              control_flow_graph 293 7694210-769425b 295 769426b-769429b Wow64SetThreadContext 293->295 296 769425d-7694269 293->296 298 769429d-76942a3 295->298 299 76942a4-76942d4 295->299 296->295 298->299
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0769428E
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 0664e5bd5b5e6b187e859d3ca9f8e7f8f574616c0856b1531b88a0f0c112583a
                                              • Instruction ID: 8ed3f7543a06a88023f2b9ba7c7e3e240b8642e28d489a5aaa91f83e15ec4438
                                              • Opcode Fuzzy Hash: 0664e5bd5b5e6b187e859d3ca9f8e7f8f574616c0856b1531b88a0f0c112583a
                                              • Instruction Fuzzy Hash: BC2135B19003499FEB10CFAAC4857EEBBF4BF88324F14842AD519A7340CB789945CFA5

                                              Control-flow Graph

                                              control_flow_graph 303 76948d0-769495d ReadProcessMemory 306 769495f-7694965 303->306 307 7694966-7694996 303->307 306->307
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07694950
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: a905a59ee62e1cc83f5079821087d28313cb0138d45462636fdba1fa9f1f2c04
                                              • Instruction ID: 97e1e5fc8d236825920c1bcb4aa961c636c55b0014f724e0abad1379092dbc5b
                                              • Opcode Fuzzy Hash: a905a59ee62e1cc83f5079821087d28313cb0138d45462636fdba1fa9f1f2c04
                                              • Instruction Fuzzy Hash: C72116B18003499FDF10CFAAC881ADEBBF5FF48310F108429E559A7240C7799900CBA5

                                              Control-flow Graph

                                              control_flow_graph 288 160d6c8-160d764 DuplicateHandle 289 160d766-160d76c 288->289 290 160d76d-160d78a 288->290 289->290
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160D757
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 3efc351fab189c8cd1347f258ea7546e819c40197b38c99a299d589f7fef29b9
                                              • Instruction ID: f96ffdd5cf6ed7eb3f2b650a9e1beb48862c71b146be44f440dbccee348c9ace
                                              • Opcode Fuzzy Hash: 3efc351fab189c8cd1347f258ea7546e819c40197b38c99a299d589f7fef29b9
                                              • Instruction Fuzzy Hash: D221E3B5900249DFDB10CFA9D985AEEBBF4EF48310F14841AE918B7350D378A954CF65

                                              Control-flow Graph

                                              control_flow_graph 311 160d6d0-160d764 DuplicateHandle 312 160d766-160d76c 311->312 313 160d76d-160d78a 311->313 312->313
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160D757
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: f27002331cb568ee89ff27184da786e65cc609334b44600804d036ffee278ffc
                                              • Instruction ID: e14254913154429559cead951c4614d1071246f4b11987002c19da5141621dd2
                                              • Opcode Fuzzy Hash: f27002331cb568ee89ff27184da786e65cc609334b44600804d036ffee278ffc
                                              • Instruction Fuzzy Hash: 7C21E3B5900248DFDB10CFAAD984ADEBBF8EB48310F14801AE918A3350D378A954CFA5
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0160B0B9,00000800,00000000,00000000), ref: 0160B2CA
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 69ebf3bb3f7b2164fe019d7a26a447eea42c0e58e00e7830dce00cd8233e7bd7
                                              • Instruction ID: 35e5948df2bdc55374315ed38576998f6313723f897602ebf4feda61b8cc4d8f
                                              • Opcode Fuzzy Hash: 69ebf3bb3f7b2164fe019d7a26a447eea42c0e58e00e7830dce00cd8233e7bd7
                                              • Instruction Fuzzy Hash: 5F11E4B6904349DFDB14CF9AC844AAFFBF4EB88310F10852AE519A7340C375A545CFA5
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0769478E
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 490e913add44fe97ef7df0c2767f876007dd95419fd8b9ad9e636cafbc214430
                                              • Instruction ID: 6156bc7eb41c490ab0fd6a2b87247f71b52bd4427726824f753d99a908e4c6c3
                                              • Opcode Fuzzy Hash: 490e913add44fe97ef7df0c2767f876007dd95419fd8b9ad9e636cafbc214430
                                              • Instruction Fuzzy Hash: 4A114475800249DFDF10DFAAD845BEEBBF5AF88320F148819E515A7250CB7A9510CFA0
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0769478E
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 91c0474ad27d126068f6bb74ae911e9bdb52b2a7dbcea17b1ca89610973135af
                                              • Instruction ID: 77055b55334d670c4a42f50c6519a352e5f4eee110eca588ca6286fac14f41ff
                                              • Opcode Fuzzy Hash: 91c0474ad27d126068f6bb74ae911e9bdb52b2a7dbcea17b1ca89610973135af
                                              • Instruction Fuzzy Hash: 56115671800349DFDF10CFAAC845BDFBBF5AF88320F108819E515A7250CB769500CBA4
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0160B0B9,00000800,00000000,00000000), ref: 0160B2CA
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: c5bf002730c08891b84fc01e89cdc917c676f5e08694ce02c707e4273931288c
                                              • Instruction ID: df13cea79155d62a98917927cbefb791928188f5244c3e640cf8f5c2d38dfa6c
                                              • Opcode Fuzzy Hash: c5bf002730c08891b84fc01e89cdc917c676f5e08694ce02c707e4273931288c
                                              • Instruction Fuzzy Hash: CC11E4B6800249DFDB14CFAAC845ADEFBF4EB88310F14852AD519A7350C375A545CFA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 82d8d361cf3ae1dc43b7aa1c599c7d22fe5b7262a8706eac11b8ee04c12079c1
                                              • Instruction ID: 5c2a734a560fa628d21288c066aa50437e3ff483a3d9293abff48cab5dc2cb5a
                                              • Opcode Fuzzy Hash: 82d8d361cf3ae1dc43b7aa1c599c7d22fe5b7262a8706eac11b8ee04c12079c1
                                              • Instruction Fuzzy Hash: 2F1113B1900349CFDB20DFAAC9457AEBBF5AF88610F24882AD519A7340CB799544CBA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 73e92aedc32d4407e04660a99a8d580a050aeb7cffeb31487b92d66fa8c353fb
                                              • Instruction ID: a4a658805d5317ca090a9e5b157b73ff0a2bfe89bd7a36ff02b15bc67eba6aa0
                                              • Opcode Fuzzy Hash: 73e92aedc32d4407e04660a99a8d580a050aeb7cffeb31487b92d66fa8c353fb
                                              • Instruction Fuzzy Hash: C91128B1900349CFDB10DFAAC8457AFFBF8AF88610F24842AD519A7240CB79A544CBA5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07698525
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: f6bf8739db8436bbdc335b0ae9acafff77ef16445dc78d64a80516357c19bfae
                                              • Instruction ID: e132880e1a450a924a8148f33be5c8bcdedf9a89420638c1e39964ed5563a85a
                                              • Opcode Fuzzy Hash: f6bf8739db8436bbdc335b0ae9acafff77ef16445dc78d64a80516357c19bfae
                                              • Instruction Fuzzy Hash: 0711F2B5800349EFDB10DF9AD845BDEBBF8EB48320F20845AE519A7700C379A944CFA5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07698525
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2227017943.0000000007690000.00000040.00000800.00020000.00000000.sdmp, Offset: 07690000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_7690000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: ff598262fd61ecb2a168714048befe0d95dcde2a620038c3a9d4a54d4f787a5b
                                              • Instruction ID: 6db5b96c9cbe95ad042b892c535911caa4229e0e0dc1313b512bb2345afe42f7
                                              • Opcode Fuzzy Hash: ff598262fd61ecb2a168714048befe0d95dcde2a620038c3a9d4a54d4f787a5b
                                              • Instruction Fuzzy Hash: 6F11F2B5800749DFDB20DF9AD845BDEBBF8EB49310F10845AE519A7300C379A948CFA5
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0160B03E
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2221322857.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_1600000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 16054f45279e4e646555e066c2f1cdda1cdafeb696b7309d717f448203a8e28b
                                              • Instruction ID: aa03fec0149b698e8d69c4b796b5d3e13e35ed2edbfb86b7dbba2e21e24a68c2
                                              • Opcode Fuzzy Hash: 16054f45279e4e646555e066c2f1cdda1cdafeb696b7309d717f448203a8e28b
                                              • Instruction Fuzzy Hash: 8A11FDB68006498FDB14CF9AC844A9FFBF4AB88210F10841AD529A7340D379A545CFA5
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 0567D085
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2225811675.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_5670000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 4f1df969a5b994291bec8e724573e98c59ff6456117fa6cd133a0f99db873d09
                                              • Instruction ID: 55519bb93661a0e95319e0fecf2b8111b818c9982d7ef979d065d1a4a30208fe
                                              • Opcode Fuzzy Hash: 4f1df969a5b994291bec8e724573e98c59ff6456117fa6cd133a0f99db873d09
                                              • Instruction Fuzzy Hash: A11103B5804748CFDB20DFAAD445B9EBFF4EB48220F108459D559A7300C379A944CFA5
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 0567D085
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2225811675.0000000005670000.00000040.00000800.00020000.00000000.sdmp, Offset: 05670000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_5670000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 31c8da31d6c116d51a93ec4eee5e35f463403d8f6e5b356cd54881c24c03030e
                                              • Instruction ID: f94a65565c2df7fffe2baf4e35e7f14243caf3b98e51918175f441937f84b8b5
                                              • Opcode Fuzzy Hash: 31c8da31d6c116d51a93ec4eee5e35f463403d8f6e5b356cd54881c24c03030e
                                              • Instruction Fuzzy Hash: C9110DB5800249CFDB20CFAAC589B9EFBF4AF48224F20881AD558A7700C379A544CFA5
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220601075.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_157d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14613768d4891bb52678b90badb16e7b41a5ca45b4d70d121fbb54f5d6766628
                                              • Instruction ID: efdb02e465d291410102980e67bf8822e49e44fb99bd913914cd814b66c6cb4a
                                              • Opcode Fuzzy Hash: 14613768d4891bb52678b90badb16e7b41a5ca45b4d70d121fbb54f5d6766628
                                              • Instruction Fuzzy Hash: EF21E072604200EFDB059F94E9C1B2ABBB5FF88324F248569E9090E246C336D857CAA1
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220601075.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_157d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7864a8f1b57bc51cb0ac0bddcd12ecd0009877addfa7d223e118b99dff21bb5f
                                              • Instruction ID: 51884708402bf37d140f103b4eae594c4b180f5eb69eead2b6f7b1fb7ee0b3ae
                                              • Opcode Fuzzy Hash: 7864a8f1b57bc51cb0ac0bddcd12ecd0009877addfa7d223e118b99dff21bb5f
                                              • Instruction Fuzzy Hash: 8D210372500240EFDB05DF58E9C1B2ABFB6FF88318F24C569E9090F256C336D456CAA2
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220847353.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_158d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eb4d6368421f0f5e2e458524cfd29780bae45fe4ee85ecf1d280ab322ce9b7e7
                                              • Instruction ID: eecd30c74ed144294a3542e57db86ac6a234a68a311a5cab4c2864b2c8ed67c1
                                              • Opcode Fuzzy Hash: eb4d6368421f0f5e2e458524cfd29780bae45fe4ee85ecf1d280ab322ce9b7e7
                                              • Instruction Fuzzy Hash: DB210371604204EFDB15EF64D980B26BBF1FB84314F20C96DD9095F282D33AD447CA61
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220847353.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_158d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dc4e48e921c0bbf3e9ad50e27cc7182e410b2cdf634bee4269798815d973d01a
                                              • Instruction ID: 9d51211332e37e462bd6bc23c3db2ca455c59b829c74627186a24bd1e9431c92
                                              • Opcode Fuzzy Hash: dc4e48e921c0bbf3e9ad50e27cc7182e410b2cdf634bee4269798815d973d01a
                                              • Instruction Fuzzy Hash: 5E21C571604204EFDB05EF94D5C0B25BBF5FB84324F24C96DD94A5F292C37AD846CA61
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220847353.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_158d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 81da78614c59f330b60ccf14f4ace49fbc0832e9002b7433debd805aab998cee
                                              • Instruction ID: 135c3549529cc6c2dccf504e5119197a50c2df697211eacb801e8b9758598259
                                              • Opcode Fuzzy Hash: 81da78614c59f330b60ccf14f4ace49fbc0832e9002b7433debd805aab998cee
                                              • Instruction Fuzzy Hash: 61217C75509384DFDB02DF64D990715BFB1FB46214F28C5EAD8498F2A7C33A980ACB62
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220601075.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_157d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
                                              • Instruction ID: d4b5257f15070909f70ae285c130ae2e49f6947a2f98b8eeecd3a95de512a612
                                              • Opcode Fuzzy Hash: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
                                              • Instruction Fuzzy Hash: F4218C76504244DFDB06CF54D9C4B1ABF72FB84224F2485A9DD090A656C33AD42ACBA2
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220601075.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_157d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                              • Instruction ID: a97dec8e77a154bf342fb7db16009cd0bc3f0e7864e950a82d6be621032f9766
                                              • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                              • Instruction Fuzzy Hash: 05119D76504280DFCB16CF54D5C5B1ABF71FB84224F2486A9D8490F656C33AD45ACBA2
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220847353.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_158d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                              • Instruction ID: 9cea35513eece823e17f83d295d6f12e7f1329261889998c84819c7b067a65fc
                                              • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                              • Instruction Fuzzy Hash: 7511A975904284DFCB02DF54C5C0B19BBB1FB84224F24C6A9D84A4F296C33AD40ACB62
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220601075.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_157d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ba870901ff38b93ed40828c86e05eb4bb9268db4db561926dc373180124dfb68
                                              • Instruction ID: ac8f4b7a80251ea643e02b05ce8eeff030fcf2e4ee136027c8109023e23fe28d
                                              • Opcode Fuzzy Hash: ba870901ff38b93ed40828c86e05eb4bb9268db4db561926dc373180124dfb68
                                              • Instruction Fuzzy Hash: 4A01F731005380DAE7104E69ED85B6AFFF8FF81220F04891AEE090E286C6799840C6B1
                                              Memory Dump Source
                                              • Source File: 0000000C.00000002.2220601075.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_12_2_157d000_qHqJcuLw.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ecfdf25143674afd0c71b2f81c200cdb291877ea7d41b84be35b3c39e80b460c
                                              • Instruction ID: 7f6d186cad796f2c10fe57c76cb80501258757d285a94631847c26b4d0daf798
                                              • Opcode Fuzzy Hash: ecfdf25143674afd0c71b2f81c200cdb291877ea7d41b84be35b3c39e80b460c
                                              • Instruction Fuzzy Hash: CEF06D72405384AEE7118E1AD988B66FFA8EF81634F18C55AED084E287C2799844CAB1

                                              Execution Graph

                                              Execution Coverage:10.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:153
                                              Total number of Limit Nodes:17
                                              execution_graph: node/edge list of the execution graph omitted (graph rendering residue). Nodes in the graph that reach Windows APIs: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId (function at 6392e08); GlobalMemoryStatusEx (dd7fa0, dd14a8, 63afd11); LoadLibraryExW (639b5c0, 639b5b2) and GetModuleHandleW (639b560); CallWindowProcW (639a4ac, 639fcea); DuplicateHandle (6393050); CreateWindowExW (639d578).

                                              Control-flow Graph

                                              control_flow_graph (legend: Executed / Not Executed): basic-block edge list for the function starting at 63a5640 omitted (graph rendering residue); no API calls appear in this graph.
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $
                                              • API String ID: 0-3993045852
                                              • Opcode ID: e13837431f38a43eb902a7698ff8be9d8db51924c3c15b62c349fe7b3de7d220
                                              • Instruction ID: 023815a986c2495410c4ee513d1585ab841a1e0a16948166aa403b3d802ac935
                                              • Opcode Fuzzy Hash: e13837431f38a43eb902a7698ff8be9d8db51924c3c15b62c349fe7b3de7d220
                                              • Instruction Fuzzy Hash: 9022BE75F002158FDB64DBA4C4806AEBBB6EF89320F24856AE845EB345DB31DC46DBD0
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2f4b8ab1075ea91a58ea539b8a7b8f0186cefe0f07a5a4fe86e6ddc5109963c2
                                              • Instruction ID: b0782a7f8a0354393adacc84fc38ffb824abca0e16a16d265b75d6c4d45bde8d
                                              • Opcode Fuzzy Hash: 2f4b8ab1075ea91a58ea539b8a7b8f0186cefe0f07a5a4fe86e6ddc5109963c2
                                              • Instruction Fuzzy Hash: 59924734E003048FDB64DF68C584A5EB7F2EB49314F5885A9D40AEB3A1DB75ED89DB80
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 753d617f5c5a31feb797f14c9ca479729c4f3295a7c210387f48c13d838fd096
                                              • Instruction ID: a63c78be879a35f860246d58f122e46ceb9b146a7780385dc4e337c7eec563c1
                                              • Opcode Fuzzy Hash: 753d617f5c5a31feb797f14c9ca479729c4f3295a7c210387f48c13d838fd096
                                              • Instruction Fuzzy Hash: C462BC34B002048FDB54DB68D594AAEB7F6EF8A300F288469E406DB391DB35ED46DBD0
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a681d5b02b5b6305218c361c535f97deb8b3c606d5dbd7b2112fd77dd4ee1d98
                                              • Instruction ID: a4d51da1fe52bcefb3295daa02d20567e4a556cbe130c63cb678b6c5064f69b1
                                              • Opcode Fuzzy Hash: a681d5b02b5b6305218c361c535f97deb8b3c606d5dbd7b2112fd77dd4ee1d98
                                              • Instruction Fuzzy Hash: CF622F30B012068FDB55EB68E590A9EB7B2FF85700F208629D0059F759DB75ED4ACBD0
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 21a7d670df30974dbce2becf55aa2ab1c362737e2ec21d7272ddacb8ba0be160
                                              • Instruction ID: 4825ef28a9ca7b3be0f6259faa832e8185d3f4807cd458c537cf65868e3437df
                                              • Opcode Fuzzy Hash: 21a7d670df30974dbce2becf55aa2ab1c362737e2ec21d7272ddacb8ba0be160
                                              • Instruction Fuzzy Hash: 2D327E30B102058FDB64DB68D890BAEB7B6FB89310F209529E505EB395DB35EC46DBD0
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 258e0db14429bce54b8587847e96696d1a629631b03168d44b30b4931223edbc
                                              • Instruction ID: 0ad7ef08d897da08a7ea9df4835c00006846d7290fd6e673b5fb0d15b43228d4
                                              • Opcode Fuzzy Hash: 258e0db14429bce54b8587847e96696d1a629631b03168d44b30b4931223edbc
                                              • Instruction Fuzzy Hash: 6B224F30E102098BEFA4DB68D5907ADF7B2FB49310F208929E446DB395DA35DC85EB91
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 73b56388b849ae7aba77a5e79227a276cc08784787df820c8af24b2c0231e39f
                                              • Instruction ID: bdf7a2424f76a0e9cc4c8d4d8fb784ad5514787f2d141d878486104f7e270f64
                                              • Opcode Fuzzy Hash: 73b56388b849ae7aba77a5e79227a276cc08784787df820c8af24b2c0231e39f
                                              • Instruction Fuzzy Hash: 1A322031E1075ACFDB14EF74C8545ADB7B6FFC9300F6086AAD409A7254EB30A985CB91
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 642f4b69095a798789f0a33ca1dcbe569da545efeff7db6b4fb2e5afc38ace25
                                              • Instruction ID: ddb1c4a3f097c398fb80abfc3b4dda03dd0226429457ef683e0fdef30f925141
                                              • Opcode Fuzzy Hash: 642f4b69095a798789f0a33ca1dcbe569da545efeff7db6b4fb2e5afc38ace25
                                              • Instruction Fuzzy Hash: 32029D34B012169FDB54DB68D894AAEB7F6FF89300F248529E4059B395DB31EC46CBD0

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 06392E86
                                              • GetCurrentThread.KERNEL32 ref: 06392EC3
                                              • GetCurrentProcess.KERNEL32 ref: 06392F00
                                              • GetCurrentThreadId.KERNEL32 ref: 06392F59
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: aefd7226493a9e7ecc3c27641f247e7113250709f0205c47befda3ecd263f7b8
                                              • Instruction ID: 4690ade293e3d6a80a0b53e28463845bf529f91172d852736c76aa8b2cf8d1ee
                                              • Opcode Fuzzy Hash: aefd7226493a9e7ecc3c27641f247e7113250709f0205c47befda3ecd263f7b8
                                              • Instruction Fuzzy Hash: AB5143B4900709DFDB54DFAAD848BEEBBF1EB88304F208059E119A7290D7345944CBA5

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 06392E86
                                              • GetCurrentThread.KERNEL32 ref: 06392EC3
                                              • GetCurrentProcess.KERNEL32 ref: 06392F00
                                              • GetCurrentThreadId.KERNEL32 ref: 06392F59
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 5b21b87e145638d3b81c7c5a0923828ca3cd63acac8826e81fc3b12e26b3fbac
                                              • Instruction ID: fff085de72ad503a7fab561783eadcf42c6e2a07a8e0a91f0ca0e9b22e069dd2
                                              • Opcode Fuzzy Hash: 5b21b87e145638d3b81c7c5a0923828ca3cd63acac8826e81fc3b12e26b3fbac
                                              • Instruction Fuzzy Hash: B05143B4900709DFDB54DFAAD848BEEBBF1EB88304F208059E119A7290D7345944CBA5

                                              Control-flow Graph

                                              control_flow_graph (legend: Executed / Not Executed): basic-block edge list for the function starting at 639b318 omitted (graph rendering residue); the graph contains calls to 639a2c8, 639b5c0, 639b5b2, 639a2d4, 6393914, 6398ae8, 639a2e4 and GetModuleHandleW (block 639b560-639b58b).
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0639B57E
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 8916ea397a78b7447cc2947a54e4c340bb1343d079f4f74de2cda8b9829b5f13
                                              • Instruction ID: e4f70904354566dfce5a040407b99a6734a5a1364aaf97ff855e1562402beb1f
                                              • Opcode Fuzzy Hash: 8916ea397a78b7447cc2947a54e4c340bb1343d079f4f74de2cda8b9829b5f13
                                              • Instruction Fuzzy Hash: 2F811270A00B058FDBA4DF2AD44075BBBF1FB88204F04892DD49AD7A50E735E849CFA1

                                              Control-flow Graph (rendered graph omitted)
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3361291909.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_dd0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 40ea7a13cb469884de92599fe30f2197fcb7d6726a54450864b152b5b12079f7
                                              • Instruction ID: 1140c653940c8f847ce4438deb5e4e736a16ab492e3eeccdfa63fd48bbf843b8
                                              • Opcode Fuzzy Hash: 40ea7a13cb469884de92599fe30f2197fcb7d6726a54450864b152b5b12079f7
                                              • Instruction Fuzzy Hash: D0412232D003998FDB14DF79D8102AABBF5EF89310F14856BD904AB341EB789945CBE0

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0639D622
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 6ec82f3e39704bb8416d520c551b85293a9736a2d5ec904364198f828f0a93da
                                              • Instruction ID: 73c3a5a5868793cf0a3f561ce02bc1346448e9c209dc074f65e376fc50231d07
                                              • Opcode Fuzzy Hash: 6ec82f3e39704bb8416d520c551b85293a9736a2d5ec904364198f828f0a93da
                                              • Instruction Fuzzy Hash: 6551DFB1D00749AFDF14CFA9C884ADEBFB5BF48300F64812AE819AB210D775A845CF90

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0639D622
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: c7d628c4df3339fd31b6802e79deef665a60f161d3d3bf6d8cfa72f005008451
                                              • Instruction ID: 285d36536150d2a2b0219903abc8a385c50f3dba8b927be3c0221536017363b3
                                              • Opcode Fuzzy Hash: c7d628c4df3339fd31b6802e79deef665a60f161d3d3bf6d8cfa72f005008451
                                              • Instruction Fuzzy Hash: EC41BEB1D00749DFDF14CFA9D884ADEBBB5BF48310F64852AE818AB210D7759845CF90

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 0639FD11
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 75a63c05085eedec1bdd5cb666138e298297e03e41360b27af873a75da8e253e
                                              • Instruction ID: 47f1597c458c3a51c35f8e7760956472fa1dfa1ffcf10e573da6999684944f5d
                                              • Opcode Fuzzy Hash: 75a63c05085eedec1bdd5cb666138e298297e03e41360b27af873a75da8e253e
                                              • Instruction Fuzzy Hash: 524115B4A00309DFDB94CF99C448AAABBF5FF88314F24C859D519AB321D374A845CFA0

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 063930D7
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 83c8947772747c10e3124fa8df3db33a55a108f90517206a2fc4e51718996df4
                                              • Instruction ID: ff32b5f2e39a50c5dbcfbf81f0ad0390d784e3c89f5e02ba09ed94a090735105
                                              • Opcode Fuzzy Hash: 83c8947772747c10e3124fa8df3db33a55a108f90517206a2fc4e51718996df4
                                              • Instruction Fuzzy Hash: 4421F4B5D00248EFDB10CFAAD884ADEBBF8EB48310F14841AE914A3350C378A954CFA5

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 063930D7
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 2e24aeeda6ed7a722ae05efff0c9b9583aa30a510f7f6fe4c2e6207c655a9686
                                              • Instruction ID: 03ade454300bb5a0ede7e6cc5bf08e343627b860c3ea9c5270e2715d0ca8c963
                                              • Opcode Fuzzy Hash: 2e24aeeda6ed7a722ae05efff0c9b9583aa30a510f7f6fe4c2e6207c655a9686
                                              • Instruction Fuzzy Hash: 2B21E6B5D00248DFDB10CFAAD884ADEFBF4EB48310F14841AE914A3350C379A944CFA5

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0639B5F9,00000800,00000000,00000000), ref: 0639B7EA
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 37fb366ae8a9a647178f5c58da8a1a312d9866feef7077becee430980e4b886c
                                              • Instruction ID: ad7d7c3242a73a0485c908632469eb7b3258c4affe7185bcd5aeafcc51f97198
                                              • Opcode Fuzzy Hash: 37fb366ae8a9a647178f5c58da8a1a312d9866feef7077becee430980e4b886c
                                              • Instruction Fuzzy Hash: DA11D3B6C003499FDB14CFAAD844ADEFBF8AF48710F14842AE519A7250C379A545CFA5

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0639B5F9,00000800,00000000,00000000), ref: 0639B7EA
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: fb5254ddd076e04467eb8cb077af10ffb564c41aa91a1a2541f62c5f04931441
                                              • Instruction ID: c48e9acca4d039f472df1a3c117459f782172bd86c836b0303de5466301689d9
                                              • Opcode Fuzzy Hash: fb5254ddd076e04467eb8cb077af10ffb564c41aa91a1a2541f62c5f04931441
                                              • Instruction Fuzzy Hash: EA1103B6D003499FDB10CFAAD844A9EFBF8AF48710F10852AD519A7200C379A545CFA5

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE ref: 00DDEDA7
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3361291909.0000000000DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DD0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_dd0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: a3ffd2b2a697db55e35a9be41d53740e9f5d60a716efa356a6145c875f148e85
                                              • Instruction ID: 80367562b58aa52ff2f8a37f201d79552a16610074b00617e1f25d040fcf44a5
                                              • Opcode Fuzzy Hash: a3ffd2b2a697db55e35a9be41d53740e9f5d60a716efa356a6145c875f148e85
                                              • Instruction Fuzzy Hash: 4A110DB1C0065A9BDB10DFAAD444B9EFBF4AF48320F15812AD918A7340D778A944CFA5

                                              Control-flow Graph (rendered graph omitted)
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0639B57E
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369495382.0000000006390000.00000040.00000800.00020000.00000000.sdmp, Offset: 06390000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_6390000_RegSvcs.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 48f8d44e187a97bd22ee49837651d6f2804ccf0d075b82ca135d73066219abea
                                              • Instruction ID: b678b74cf7bd7efa1660e842b7b189d685be27b1d1d58006deba779200e63dc3
                                              • Opcode Fuzzy Hash: 48f8d44e187a97bd22ee49837651d6f2804ccf0d075b82ca135d73066219abea
                                              • Instruction Fuzzy Hash: 50110FB5C00749CFDB10CF9AD444A9EFBF4AB88710F14841AD419A7210D379A549CFA5

                                              Control-flow Graph (rendered graph omitted)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 3
                                              • API String ID: 0-1842515611
                                              • Opcode ID: c2101518e17a40b5c64c0574e51b6c0c67710c3022725efdb430c439df3987e5
                                              • Instruction ID: ac92449a767488a7966095c4d00fc5ea80119ab9ffaf8c6bff9a2af8ef497fa2
                                              • Opcode Fuzzy Hash: c2101518e17a40b5c64c0574e51b6c0c67710c3022725efdb430c439df3987e5
                                              • Instruction Fuzzy Hash: CC510131E01205DFDB64AB78E8846ADBBB2FF85311F20886DE106EB254DB358949DBD0
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9bb6cec46733f24c18e8ced3f25b6436996239d7f1cc316acbdc5e55fa01b650
                                              • Instruction ID: 5b7a6c66687bdf213ca5047b06b2cd77767a4a33ad5c2be26165cf1f58de90e7
                                              • Opcode Fuzzy Hash: 9bb6cec46733f24c18e8ced3f25b6436996239d7f1cc316acbdc5e55fa01b650
                                              • Instruction Fuzzy Hash: FD025A30E1020A8FEBA4DF68D490BADF7B6FB45310F20892AE416DB251DB75D849DBD1
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7a20aca5f611933f4aca209d6e513593bb68f53a4eb33d62381bca468fa851a5
                                              • Instruction ID: 441328e46995ce5abaaa04d278a3093cf7408becb5ba90d6e9f5cce337cc9b08
                                              • Opcode Fuzzy Hash: 7a20aca5f611933f4aca209d6e513593bb68f53a4eb33d62381bca468fa851a5
                                              • Instruction Fuzzy Hash: E7E15031E103068FDB69DF68D8906AEB7B6FF89300F20852AE506DB355DB319846DBD1
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5bff016c521a3e7fc0420563441e6391844e360dcad1bcd733fc11f020dea272
                                              • Instruction ID: c3b23188fae094e843126164fbbb54796acb83cb7424f40fd4c5c612ef0f1b02
                                              • Opcode Fuzzy Hash: 5bff016c521a3e7fc0420563441e6391844e360dcad1bcd733fc11f020dea272
                                              • Instruction Fuzzy Hash: E4913130B1025A8FDB54DF68D890BAE77F6FFC5200F108569C809AB788EF319D469B90
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 20c28699fb46dce25fcee06fcdb30499172031824eed991a694aac9981f0c08e
                                              • Instruction ID: ce8b5087f7de78b26b3e9a18f4311522d1e339fc746e7961c94b8b9e0c5dd802
                                              • Opcode Fuzzy Hash: 20c28699fb46dce25fcee06fcdb30499172031824eed991a694aac9981f0c08e
                                              • Instruction Fuzzy Hash: 8F61D272F002214BDF509A7DD84466EBAD7EFD5220B194039D90EDB360DE65DC0287D1
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 05a829ee383248bb57e53eb80ec7016d109cdd7c6eaa2b3a64351097b0501098
                                              • Instruction ID: 7f7f259f8e6d5979724e582abe8265545d028c2147a60b6b5fba2acf7bb8aafe
                                              • Opcode Fuzzy Hash: 05a829ee383248bb57e53eb80ec7016d109cdd7c6eaa2b3a64351097b0501098
                                              • Instruction Fuzzy Hash: 9D816C30B012468FDB54DFA8D8507AEB7F6EF89300F208528D40AEB395EB75DC469B91
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8f72462e3befddd090a99d4a5528524f43d27a6fc8e47c836bb17ce8fe0ab230
                                              • Instruction ID: e1f1d774e375d81017416cec140e4d25d47d4a85fc2a75700809c96928ba6396
                                              • Opcode Fuzzy Hash: 8f72462e3befddd090a99d4a5528524f43d27a6fc8e47c836bb17ce8fe0ab230
                                              • Instruction Fuzzy Hash: FB914C34E103598FDF60CF68C890B9DB7B1FF89310F208699D549AB256DB71AA85CF90
                                              Memory Dump Source
                                              • Source File: 0000000F.00000002.3369580975.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_15_2_63a0000_RegSvcs.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6b4652da241eda298e9e906daed53334b90f930fb7ea952ec1724d0ae311903a
                                              • Instruction ID: 538f864770791f85b6ca30e6df4595ad4d2d454dc18c5285f31b36ca6da0f1cb
                                              • Opcode Fuzzy Hash: 6b4652da241eda298e9e906daed53334b90f930fb7ea952ec1724d0ae311903a
                                              • Instruction Fuzzy Hash: 51913C34E102198BDF60DF68C890B9DB7B1FF89310F208699D549BB355EB71AA85CF90
                                              • Opcode Fuzzy Hash: 7ef01574f45351863d6d9099d006fcf9e5b19cc80c00686fc990ee12f96e1196
                                              • Instruction Fuzzy Hash: 82E0DF72E14309ABEB90CEB0C95671B7BAADB43204F2488A6D405C7202E136CE06ABC0